Opened 7 years ago

Closed 7 years ago

#2454 closed defect (bug) (fixed)

Comment URL not cleaned before set in cookie

Reported by: skeltoac Owned by: anonymous
Priority: low Milestone: 2.1
Component: Administration Version: 2.0.1
Severity: trivial Keywords: bg|has-patch
Cc:

Description

The following article claims that this is a security hole. Dougal and I disagree: you can't steal cred cookies with this vector because the URL cookie is only set in the browser of the person submitting the comment, and the affected control only appears when the visitor is not logged in. Anyway, attached is a patch to clean the URL before setting the cookie.

http://myimei.com/security/2006-02-15/wordpress200autors-websitexss-attack.html#more-14

Attachments (1)

clean-comment-url.diff (931 bytes) - added by skeltoac 7 years ago.

Download all attachments as: .zip

Change History (3)

skeltoac7 years ago

comment:1   dougal7 years ago

Looks good to me.

Even though it isn't a real security risk, best to clean that up, just in case. Afer all, it could be an issue on sites that use custom themes, or if there was a plugin that pulled the comment author cookies and diplayed them blindly.

comment:2   ryan7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [3542]) clean comment author url. fixes #2454

Note: See TracTickets for help on using tickets.