Red Hat Bugzilla – Bug 235015
CVE-2007-1732: wordpress mt import XSS
Last modified: 2007-11-30 17:12:01 EST

"** DISPUTED ** Cross-site scripting (XSS) vulnerability in an mt import in
wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators
to inject arbitrary web script or HTML via the demo parameter. NOTE: the
provenance of this information is unknown; the details are obtained solely from
third party information. NOTE: another researcher disputes this issue, stating
that this is legitimate functionality for administrators. However, it has been
patched by at least one vendor."

Posted for maintainer assessment whether this is a feature or a bug, and whether
it affects current FE releases. FWIW, Gentoo has patched it.

This looks to me like a valid feature - it requires authentication and willing
interaction on the part of the authenticated individual to exploit. I can't
really call someone who knowingly and willingly uses such a feature a "victim".
Although I can see where some would consider this a bug, I don't. If someone
can point out a scheme whereby this would be a problem, I'm willing to be
convinced otherwise, but until then, CLOSED-NOTABUG

Just some general data points for consideration, I'm not necessarily disagreeing
with comment 1:
Missing/ineffective cross-site request forgery prevention measures would
invalidate the "knowing/willing" assumption. But if I understand correctly,
WordPress's admin UI has that protection.
Requiring authentication and willing interaction doesn't IMO make this a feature
if the goal was not to provide a possibility for injection of arbitrary markup
or scripts; it just affects the attack vectors.