Comments on: Wordpress Vulnerability, CSRF/XSS Details http://www.justinshattuck.com/2007/03/02/wordpress-vulnerability-csrfxss-details/ mental diuretic Wed, 20 Aug 2008 18:31:22 +0000 http://wordpress.org/?v=2.0.7 by: Stefan Friedli http://www.justinshattuck.com/2007/03/02/wordpress-vulnerability-csrfxss-details/#comment-5494 Mon, 05 Mar 2007 09:03:16 +0000 http://www.justinshattuck.com/2007/03/02/wordpress-vulnerability-csrfxss-details/#comment-5494 Hi Justin You're mixing up two things here: First issue is a lack of input validation for various parameters in the regular release of wordpress that I described in my advisory you linked in your article. The second thing you're mentioning is the maliciously manipulated version of 2.1.1 that was available from Wordpress official download site for a while due to a badly secured server. Several files of this distribution were backdoored by the intruder, so mod_security won't most possibly save your a** there ;). Cheers Stefan Hi Justin

You’re mixing up two things here: First issue is a lack of input validation for various parameters in the regular release of wordpress that I described in my advisory you linked in your article.

The second thing you’re mentioning is the maliciously manipulated version of 2.1.1 that was available from Wordpress official download site for a while due to a badly secured server. Several files of this distribution were backdoored by the intruder, so mod_security won’t most possibly save your a** there ;).

Cheers
Stefan

]]>