Security Issue – Popup Url Preview in Admin Section

  • Resolved optricsdavid

    (@optricsdavid)


    Hi,

    I’ve run across something that I think presents a potential security issue inside the admin section of WordPress.

    While handling some of the spam comments that we receive, I noted the url section where their “website” would have been entered.

    I hovered over it to see where it might <actually> be pointing, and was surprised to see a “popup preview”.

    – that would mean that some content was being pulled down from their website (had they entered one). If it was a link to malware, it would pull down the malware to our server?

    Here is a screenshot to illustrate

    http://www.optrics.com/images/wordpress-spam-url-preview.gif

    We are a network security firm, and I wanted to bring this up, as we have to look at these issues (like when Firefox first “pre-pulled” Google search result content to “speed up search” – and we deactivated it).

    Thanks
    David

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    Please email security concerns to security [at] wordpress.org. Include as much detail as you can.

    Per http://codex.wordpress.org/Security_FAQ

    The preview image is generated by a WordPress.com image. In many ways not unlike the Google Instant Preview.

    The only server that pulls down content is the service that generates the preview image. The only thing your browser downloads is the preview image from the WordPress.com service that generated it.

    Thread Starter optricsdavid

    (@optricsdavid)

    Thanks for the info. That makes sense.

    With issues like a malware site tricking people into pulling down an image, I was wondering if this might be an issue.

    I guess that if the “wordpress service” that pulls down the image pulled down malware it might be serving it up, but I would suppose the “service” hopefully has antivirus running.

    Thanks again for the clarification!

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    It’s the same server that runs this site (well, same server ‘cluster’ I guess), so if it’s got a problem, everything WP-related is in trouble 😉

  • The topic ‘Security Issue – Popup Url Preview in Admin Section’ is closed to new replies.