Ticket #2454 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

Comment URL not cleaned before set in cookie

Reported by: skeltoac Assigned to: anonymous
Priority: low Milestone: 2.1
Component: Administration Version: 2.0.1
Severity: trivial Keywords: bg|has-patch
Cc:

Description

The following article claims that this is a security hole. Dougal and I disagree: you can't steal cred cookies with this vector because the URL cookie is only set in the browser of the person submitting the comment, and the affected control only appears when the visitor is not logged in. Anyway, attached is a patch to clean the URL before setting the cookie.

http://myimei.com/security/2006-02-15/wordpress200autors-websitexss-attack.html#more-14

Attachments

clean-comment-url.diff (0.9 kB) - added by skeltoac on 02/15/06 23:30:32.

Change History

02/15/06 23:30:32 changed by skeltoac

  • attachment clean-comment-url.diff added.

02/16/06 19:17:10 changed by dougal

Looks good to me.

Even though it isn't a real security risk, best to clean that up, just in case. After all, it could be an issue on sites that use custom themes, or if there was a plugin that pulled the comment author cookies and displayed them blindly.

02/17/06 01:31:55 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [3542]) clean comment author url. fixes #2454
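
The two defensive steps discussed in this ticket, cleaning the author URL before it is stored in the cookie and not trusting the cookie when a theme or plugin reads it back, shown as an added example. This is not the attached patch or WordPress code; the function names, the cookie name and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not WordPress functions.
const ALLOWED_SCHEMES = ['http', 'https'];

// Return a URL safe to store and display, or '' when it cannot be trusted.
function clean_author_url(string $raw): string
{
    $url = trim($raw);
    // Fail closed on control characters, whitespace, quotes, angle brackets, backslashes.
    if ($url === '' || preg_match('/[\x00-\x20\x7f"\'<>\\\\]/', $url)) {
        return '';
    }
    // A value with no scheme, such as "example.com/blog", gets an explicit one.
    if (!preg_match('#^[a-z][a-z0-9+.-]*:#i', $url)) {
        $url = 'http://' . $url;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return '';
    }
    return in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true) ? $url : '';
}

// Write side: clean the submitted value before it goes into the visitor's cookie.
function remember_author_url(string $submitted): void
{
    // 'comment_author_url' is a placeholder cookie name.
    setcookie('comment_author_url', clean_author_url($submitted), time() + 30000000, '/');
}

// Read side (theme or plugin): the cookie is client-controlled, so clean it
// again and escape it for the HTML attribute it is printed into.
function author_url_field(array $cookies): string
{
    $raw = $cookies['comment_author_url'] ?? '';
    $url = clean_author_url(is_string($raw) ? $raw : '');
    return '<input type="text" name="url" value="'
        . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed sample cookie values; the last two come out as an empty field.
$samples = ['example.com/blog', 'https://example.com/', 'javascript:void(0)', 'http://example.com/"><b>'];
foreach ($samples as $value) {
    echo author_url_field(['comment_author_url' => $value]), PHP_EOL;
}
```

Cleaning on the read side as well covers the custom-theme and plugin cases mentioned in the comments above, where the cookie may have been set or edited outside the comment form.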