Comments on: Security issue or not ? http://alexrabe.de/2008/06/18/security-issue-or-not/ ALEX RABE | learning by doing... Thu, 17 May 2012 09:30:33 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Sjon http://alexrabe.de/2008/06/18/security-issue-or-not/#comment-16721 Sjon Fri, 11 Jul 2008 15:14:25 +0000 http://alexrabe.de/2008/06/18/security-issue-or-not/#comment-16721 Alex, if you're using all available anti-hackery wordpress provides, you've probably done most you can... My comment was more ment to "enlighten" people on what is a vulnerability and what not... Daniel, like I said, it’s been a long while... ;-) I've put brushing up on xss/csrf/et al on my todo list... Alex, if you’re using all available anti-hackery wordpress provides, you’ve probably done most you can… My comment was more ment to “enlighten” people on what is a vulnerability and what not…

Daniel, like I said, it’s been a long while… ;-) I’ve put brushing up on xss/csrf/et al on my todo list…

]]> By: Daniel Hepper http://alexrabe.de/2008/06/18/security-issue-or-not/#comment-16690 Daniel Hepper Tue, 08 Jul 2008 21:33:54 +0000 http://alexrabe.de/2008/06/18/security-issue-or-not/#comment-16690 Sjon, you are mixing up XSS and CSRF. http://en.wikipedia.org/wiki/CSRF Sjon, you are mixing up XSS and CSRF.
http://en.wikipedia.org/wiki/CSRF

]]> By: alex.rabe http://alexrabe.de/2008/06/18/security-issue-or-not/#comment-16596 alex.rabe Sun, 06 Jul 2008 09:41:24 +0000 http://alexrabe.de/2008/06/18/security-issue-or-not/#comment-16596 Sjon, Mike, thanks for your comments. I reviewed many times my code for XSS,RFI,SQL Injection and more. I'm sure that I didn't find all things, but I'm doing my best. In this case the reporter said that it's possible to include javascript in description field. That's correct if he has access to the blog/manage gallery page. Sjon, in your case H.Acker must place on his page a hidden POST submit to the manage gallery page. So that Alex (the admin) without is knowledge add the evil script code. But this is not possible unless H.Acker have the correct WordPress Nonce (http://markjaquith.wordpress.com/2006/06/02/wordpress-203-nonces/), which I implement on each admin page. If this is not enough security at all, let me ask why nobody claim that JavaScript code can be implemented on each page/post ? Sjon, Mike,
thanks for your comments.

I reviewed many times my code for XSS,RFI,SQL Injection and more. I’m sure that I didn’t find all things, but I’m doing my best. In this case the reporter said that it’s possible to include javascript in description field. That’s correct if he has access to the blog/manage gallery page.

Sjon, in your case H.Acker must place on his page a hidden POST submit to the manage gallery page. So that Alex (the admin) without is knowledge add the evil script code. But this is not possible unless H.Acker have the correct WordPress Nonce (http://markjaquith.wordpress.com/2006/06/02/wordpress-203-nonces/), which I implement on each admin page.

If this is not enough security at all, let me ask why nobody claim that JavaScript code can be implemented on each page/post ?

]]>