
Wordpress All versions XSS

Advisory by Jose Carlos Norte

Wordpress is vulnerable to XSS attacks when custom 404 pages are used by the template.

The problem (sidebar.php):

If a WordPress theme uses a custom 404 page, like:

Error 404 - Not Found

$_SERVER['PHP_SELF'] can contain special characters that break out of the HTML and allow XSS attacks, example:

If the WordPress theme does not set a custom 404 page, this attack is not possible.
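An added illustration, not code from the advisory or from WordPress: a hypothetical custom 404 fragment that echoes $_SERVER['PHP_SELF'] into a form's action attribute, beside a hardened version. The form markup, the function names and the sample path are assumptions for the example; the advisory does not show the original template HTML.

```php
<?php
// Added example (not from the advisory). $_SERVER['PHP_SELF'] is derived from
// the request URI, so it is attacker-controlled input and must be escaped
// before it is written into HTML.

// Vulnerable pattern (hypothetical): the raw path is placed inside an
// attribute value without escaping.
function render_404_vulnerable(string $php_self): string {
    return '<form action="' . $php_self . '" method="get">'
         . '<input type="text" name="s" /></form>';
}

// Hardened pattern: escape for an HTML attribute context. ENT_QUOTES covers
// both quote characters; ENT_SUBSTITUTE avoids returning an empty string on
// invalid UTF-8. Inside a WordPress theme the esc_url() helper is the usual
// equivalent for attribute values that hold a URL.
function render_404_hardened(string $php_self): string {
    $safe = htmlspecialchars($php_self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $safe . '" method="get">'
         . '<input type="text" name="s" /></form>';
}

// Constructed sample path containing attribute- and tag-breaking characters.
$sample = '/blog/index.php/"<x>';

echo render_404_vulnerable($sample), "\n";
// The double quote closes the attribute early and "<x>" is emitted as markup.
echo render_404_hardened($sample), "\n";
// Output contains &quot;&lt;x&gt; instead, so the attribute stays intact.
```

A quick regression check for a theme is to grep its templates for PHP_SELF (and REQUEST_URI) and confirm every occurrence passes through esc_url() or htmlspecialchars() before being echoed.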
