The Latest in IT Security

XSS flaw in WordPress 3.3 – How the smallest things make testing tough

04
Jan
2012

WordPress logoA pair of Indian researchers disclosed a new cross-site scripting (XSS) vulnerability in WordPress 3.3 on Monday.

Another researcher who goes by the name of ethicalhack3r decided to try to replicate their findings using the proof of concept (PoC) code that was posted to pastebin.com.

He couldn’t seem to make it work, so he contacted the original team and explained the trouble he was having and they also had trouble reproducing the problem outside of the one instance they had developed it on.

It turned out to be related to whether a WordPress instance was installed from an IP address (http://127.0.0.1/wp-admin) or using a domain name (http://example.org/wp-admin).

These are the types of problems that keep software QA engineers awake at night.

Who would expect to need to create test cases for whether the initial install was done with an IP versus a name???

Ethicalhack3rEthicalhack3r posted a one line code change that prevents the exploitation, but true to their normal response, WordPress have already patched the bug and released 3.3.1.

If you run your own WordPress site and used an IP address to set it up, I would update to 3.3.1 as soon as possible.

While most WordPress bloggers won’t be at risk from this flaw, why take a chance? WordPress fixed it in 24 hours, why not see if you can patch it in even less?

Leave a reply


Categories

SUNDAY, FEBRUARY 05, 2023
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments