• It’s possible to achieve some attacks (like phishing) by
    performing a post like this (from wp-admin/post.php):

    <script>window.location=String.fromCharCode(104,116,116,112,...);</script>

    As WP won’t dump quotes (but &#…; instead), you must build
    the URL by passing UNICODE character codes to
    String.fromCharCode().

    (Tested with Firefox 1.0.2, IE 6.0, WP 1.5 under Fedora
    Core 3, PHP 4.3.10.)

Viewing 4 replies - 1 through 4 (of 4 total)
  • So you’re saying that you can post content in your admin area and then people who see your blog will see that content? WP does not sanitize posts, whatever you put in there is shown to your blog visitors.

    Right, this is not any kind of “bug” in WP. If you can’t trust a user to not publish “unsafe” code, then you probably shouldn’t be giving them post permissions.

    That said, it would probably be trivial to whip up a plugin that would filter post content through kses for users below a certain level, just as comments currently are.

    Heh…

    This is surely possible with or without WordPress. Like dougal said, if you can’t trust an author, don’t make them an author.
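The plugin sketched in the reply above (filter post content through kses for less-trusted users, the way comments are already filtered), written out as an added example that is not code from the thread or from WordPress itself. It assumes the WordPress filters `content_save_pre` and `excerpt_save_pre`, the `wp_filter_post_kses()` function and the `unfiltered_html` capability as the trust boundary; a WP 1.5-era site would use user levels instead.

```php
<?php
/*
Plugin Name: Kses for untrusted authors (added example)
Description: Runs saved post content through kses unless the author is trusted with raw HTML.
*/

// Constructed example, not the forum poster's code. Assumes the WordPress
// functions wp_filter_post_kses() and current_user_can() and the
// content_save_pre / excerpt_save_pre filters.
function kses_untrusted_author_filter( $content ) {
    // Authors trusted with raw HTML keep their markup untouched.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $content;
    }
    // Everyone else is filtered like comments: tags and attributes outside
    // the allowed list (for example <script>) are stripped on save, so a
    // redirect like the one at the top of the thread never reaches readers.
    return wp_filter_post_kses( $content );
}

// Hook the save-time filters (wp_filter_post_kses expects slashed data,
// which is what these filters receive).
add_filter( 'content_save_pre', 'kses_untrusted_author_filter' );
add_filter( 'excerpt_save_pre', 'kses_untrusted_author_filter' );
```

Filtering on save rather than on display means the stored post is already clean, so a later theme or feed cannot reintroduce the script.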

  • The topic ‘XSS in post.php’ is closed to new replies.