XSS flaw in WordPress 3.3 - How the smallest things make testing tough

Filed Under: Featured, Vulnerability

A pair of Indian researchers disclosed a new cross-site scripting (XSS) vulnerability in WordPress 3.3 on Monday.

Another researcher who goes by the name of ethicalhack3r decided to try to replicate their findings using the proof of concept (PoC) code that was posted to pastebin.com.

He couldn't make it work, so he contacted the original team and explained the trouble he was having. They, too, had trouble reproducing the problem outside of the one instance they had developed it on.

It turned out to be related to whether a WordPress instance was installed from an IP address (http://127.0.0.1/wp-admin) or using a domain name (http://example.org/wp-admin).

These are the types of problems that keep software QA engineers awake at night.

Who would expect to need to create test cases for whether the initial install was done with an IP address versus a domain name?

Ethicalhack3r posted a one line code change that prevents the exploitation, but true to their normal response, WordPress have already patched the bug and released 3.3.1.

If you run your own WordPress site and used an IP address to set it up, I would update to 3.3.1 as soon as possible.

While most WordPress bloggers won't be at risk from this flaw, why take a chance? WordPress fixed it in 24 hours, why not see if you can patch it in even less?


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.