Date: Fri, 28 Nov 2008 22:39:23 +0100
From: Steffen Joeris <steffen.joeris@...lelinux.de>
To: oss-security@...ts.openwall.com
Cc: Jeremias Reith <jr@...ss.org>
Subject: Re: CVE request: WordPress XSS vulnerability in RSS Feed Generator

Hi

> an XSS vulnerability has been discovered in WordPress.
>
> Vendor info:
> http://wordpress.org/development/2008/11/wordpress-265/
>
> Detailed information:
> http://www.securityfocus.com/archive/1/498652 (Note: It should be
> "prior to 2.6.5" in the summary)

I might be off here, but doesn't the patch create another XSS by removing wp_specialchars?

Cheers
Steffen

: http://trac.wordpress.org/changeset?old_path=tags%2F2.6.3&old=&new_path=tags%2F2.6.5&new=