#3879 closed defect (bug) (fixed)
XSS in 2.1.1 in AYS for HTTP GET requests
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | 2.1.2 | Priority: | low |
| Severity: | normal | Version: | 2.1.1 |
| Component: | Security | Keywords: | |
| Focuses: | Cc: |
Description (last modified by )
http://www.securityfocus.com/archive/1/461351/30/0/ threaded. http://secunia.com/advisories/24316/ reads:
Input passed to the "post" parameter in wp-admin/post.php (when "action" is set to "delete") is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Successful exploitation requires that the target user is logged in as administrator.
The exploit is actually more general than that: for any action that triggers nonce verification, the URL for the "Yes" action is not properly sanitized, and a specially crafted URL can escape from the link's href attribute and inject arbitrary HTML. The "delete" action and the "post" parameter just happen to be the ones used in the example.
Change History (3)
#2
@
17 years ago
- Description modified (diff)
- Summary changed from XSS in 2.1.1 to XSS in 2.1.1 input passed to the "post" parameter in wp-admin/post.php
#3
@
17 years ago
- Description modified (diff)
- Summary changed from XSS in 2.1.1 input passed to the "post" parameter in wp-admin/post.php to XSS in 2.1.1 in AYS for HTTP GET requests
Just clearing up some confusion... some people think that this has something to do with deleting posts because of the specific example that was released. The exploit is more general than that, and it is purely an XSS hole.
[4951] and [4952]