2012-07-24

Wordpress Securepress Plugin Vulnerability

http://wordpress.org/extend/plugins/securepress-plugin/
While looking around in a Wordpress install, I found this little gem:
Line 2218:
$back = isset($_POST['back']) ? $_POST['back'] : null;

Line 2349:
<input type="button" value="Cancel"
onclick="eval(\'memos.\'+\''.addcslashes($back,"'").'\')" />

$back is never properly escaped for the JavaScript context: addcslashes() with a charlist of just "'" escapes only single quotes, so backslashes and double quotes pass straight through into the onclick attribute.
They should use json_encode instead.

I can inject arbitrary JavaScript through the "back" parameter of a POST request and have it come back out in your browser.
Tested on plugin version 8.4.01.
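As an added example (my own PHP, not the plugin's code), here is the Cancel button rendered the original way beside a hardened version that uses json_encode for the JavaScript string and htmlspecialchars for the attribute; the function names are hypothetical and the identifier allow-list is an extra assumption of mine about what "memos.<name>" callbacks look like.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.

// Original approach: addcslashes() with charlist "'" escapes only single quotes.
// A backslash or a double quote in $back lands in the onclick attribute untouched.
function render_cancel_vulnerable(string $back): string
{
    return '<input type="button" value="Cancel" '
        . 'onclick="eval(\'memos.\'+\'' . addcslashes($back, "'") . '\')" />';
}

// Hardened: encode for each context in turn.
//  1. json_encode() produces a JS string literal; the JSON_HEX_* flags also
//     hex-escape <, >, &, ' and " so nothing HTML-significant survives.
//  2. htmlspecialchars() encodes the finished JS for the HTML attribute.
// Extra layer (assumption: memos.* callbacks are plain identifiers): reject
// anything that is not an identifier before it reaches the page at all.
function render_cancel_hardened(string $back): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $back)) {
        // Unknown callback name: render an inert button instead of a handler.
        return '<input type="button" value="Cancel" disabled />';
    }
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $js = "eval('memos.'+" . json_encode($back, $flags) . ')';
    return '<input type="button" value="Cancel" onclick="'
        . htmlspecialchars($js, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '" />';
}

// Constructed sample input: a value containing a backslash and a double quote
// (PHP single quotes, so '\\"' is the two characters \ and ").
$sample = 'foo\\"bar';

echo "vulnerable : ", render_cancel_vulnerable($sample), PHP_EOL;  // the " ends the attribute early
echo "hardened   : ", render_cancel_hardened($sample), PHP_EOL;    // not an identifier: inert button
echo "hardened   : ", render_cancel_hardened('list'), PHP_EOL;     // onclick="eval('memos.'+&quot;list&quot;)"
```

Run with `php example.php`; the first line shows the double quote closing the onclick attribute, while the hardened renderer either refuses the value or emits it fully encoded.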

-0xKizano
