[closed] XSS Vulnerability Fix! (4 posts)

  1. shovel
    Posted 9 years ago #

    I am the master, and the commander. lol
    But anyways. First off, My Introduction.

    My name is Anthony White. I'm an independent software engineer from South Carolina, USA. I'm also a former intern for SCEA. I've just downloaded WordPress "Strayhorn" v1.5.2, as of yesterday. Since then, I've already discovered and fixed an extremely important vulnerability!

    I discovered on December 3rd, 2005, an XSS vulnerability located in the classes.php file located in sub-dir 'wp-includes'. The var it affects is $q['s'] used for the Search functionality. The programming does NOT properly remove dangerous ASCII and HEX values that can be used in a malicious manner in an event of an XSS (cross site scripting) attack.

    I have already developed a STABLE fix for this feature. Please, do yourself a favor, users. FIX IT!

    [Moderated and code removed so it cannot be used irresponsibly. Anthony - thank you for the information. It has been passed to those that need it - Podz]

  2. Kafkaesqui

    Posted 9 years ago #

    Hey Anthony? A master/commander would typically contact the developers first about a suspected security issue (and fix) before broadcasting to the public what it is and how one might take advantage of it:


    Just saying...

  3. shovel
    Posted 9 years ago #

    It's been contributed. The fix is for public knowledge considering it would have already been announced after the developers figured it out. And please don't critque me. I could've not had made the fix at all. And maybe you should be generous instead of skeptical. Thanks.

  4. vkaryl
    Posted 9 years ago #

    All security oriented info should go direct to security*at*wordpress*dot*org. Please send this info on to that address. No security info or "fixes" should be released here until the appropriate folks have been notified.

    Closing topic.

Topic Closed

This topic has been closed to new replies.

About this Topic