[VIM] Secunia SA32060 - WordPress MU "s" and "ip_address" Cross-Site Scripting Vulnerabilities

Sullo sullo at cirt.net
Wed Oct 1 15:10:56 UTC 2008


WordPress MU "s" and "ip_address" Cross-Site Scripting Vulnerabilities
http://secunia.com/advisories/32060/

Points to this post:
http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064748.html

From the post:
"In /wp-admin/wpmu-blogs.php an attacker can inject javascript code,
the input variables "s" and "ip_address" of GET method aren't properly
sanitized"


From the Secunia description:
"Input passed to the "s" and "ip_address" parameters in
wp-admin/wp-blogs.php is not properly sanitised before being returned to
the user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site."

Note the wp-blogs.php vs wpmu-blogs.php. I've confirmed that
"wp-blogs.php" doesn't exist in the MU downloads below 2.6.0, so the
Secunia text is incorrect.

Just wanted to make sure everyone caught that and see if Secunia can
correct.

-Sullo
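For readers who want to see the bug class the two advisories are describing, the following is an added illustration, not code from WordPress MU, from Secunia, or from the post above. The actual contents of wpmu-blogs.php are not on this page; the snippet is a hypothetical stand-in that reflects the two GET parameters the advisory names ("s" and "ip_address") the way the Secunia text describes, beside the escaped form. The probe string is constructed for the example.

```php
<?php
// Added illustration (not WordPress MU's wpmu-blogs.php and not code from the
// post): a minimal admin-style search page that writes the "s" and
// "ip_address" GET parameters back into its HTML, first unescaped, then
// escaped. Parameter names come from the advisory; the page layout is a
// hypothetical stand-in.

// Read the two GET parameters the advisory names (empty string if absent).
$s          = isset($_GET['s']) ? $_GET['s'] : '';
$ip_address = isset($_GET['ip_address']) ? $_GET['ip_address'] : '';

// --- Vulnerable pattern: raw GET values written straight back into the page.
// A request such as ?s=%22%3E%3Cscript%3E...%3C/script%3E closes the value
// attribute, and the browser runs the injected script in the site's origin.
function render_vulnerable($s, $ip_address) {
    return '<form method="get">'
         . '<input type="text" name="s" value="' . $s . '" />'
         . '<input type="text" name="ip_address" value="' . $ip_address . '" />'
         . '</form>'
         . '<p>Results for ' . $s . ' from ' . $ip_address . '</p>';
}

// --- Hardened pattern: encode for the HTML context before output.
// ENT_QUOTES encodes both quote characters, so a value cannot break out of a
// double- or single-quoted attribute; the charset is stated explicitly so the
// encoder never has to guess it.
function esc($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

function render_hardened($s, $ip_address) {
    return '<form method="get">'
         . '<input type="text" name="s" value="' . esc($s) . '" />'
         . '<input type="text" name="ip_address" value="' . esc($ip_address) . '" />'
         . '</form>'
         . '<p>Results for ' . esc($s) . ' from ' . esc($ip_address) . '</p>';
}

// Constructed probe: an attribute-breakout payload supplied for both
// parameters, standing in for a crafted query string so this runs offline.
$probe = '"><script>alert(1)</script>';

echo "Vulnerable output:\n" . render_vulnerable($probe, $probe) . "\n\n";
echo "Hardened output:\n"   . render_hardened($probe, $probe)   . "\n";

// A real request would pass $s and $ip_address from $_GET into the renderer;
// the hardened output shows the probe as inert text, quotes and angle
// brackets encoded, while the vulnerable output contains a live script tag.
```

Run it with `php` from the command line and compare the two outputs; the only difference between the two render functions is the encoding step, which is the whole fix for this class of reflected XSS.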

