Indian security researchers Aditya Modha and Samir Shah found a zero-day cross-site scripting (XSS) vulnerability in the recently released WordPress 3.3.
Modha and Shah tested the proof of concept on an Apache server, proving that by simply posting a comment on a WordPress website, an attacker can execute arbitrary code.
The proof of concept works by posting a comment on the targeted site, replacing the author, email and comment tags with the exact values found in the previous comment using a simple script. The server’s response will generate a 500 internal server error because a duplicate comment will be detected.
The vulnerability seems to affect only Internet Explorer; Firefox, Safari, Chrome and Opera are not susceptible to such an attack.
Webmasters could mitigate the problem by making sure the error page is padded with enough characters so that its size is greater than 512 bytes even after gzip compression.
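The padding mitigation can be checked offline. The following Python sketch is an added example, not code from the researchers or from WordPress: it measures an error page's gzip-compressed size and pads it until that size exceeds 512 bytes. The sample page body, the function names and the SHA-256 based filler are assumptions made for illustration.

```python
import gzip
import hashlib

MIN_BYTES = 512  # threshold stated in the article


def gzip_size(body: bytes) -> int:
    """Size of the body once gzip-compressed (level 9, fixed mtime)."""
    return len(gzip.compress(body, compresslevel=9, mtime=0))


def incompressible_filler(n_chars: int, seed: bytes = b"error-page-pad") -> str:
    """Deterministic hex text from a SHA-256 chain; hex is safe inside an HTML comment."""
    out, block, total = [], seed, 0
    while total < n_chars:
        block = hashlib.sha256(block).digest()
        out.append(block.hex())
        total += 64  # each digest contributes 64 hex characters
    return "".join(out)[:n_chars]


def pad_error_page(body: bytes, min_bytes: int = MIN_BYTES) -> bytes:
    """Append an HTML comment until the gzip-compressed size exceeds min_bytes."""
    n = 0
    padded = body
    while gzip_size(padded) <= min_bytes:
        n += 64
        filler = incompressible_filler(n).encode("ascii")
        padded = body + b"\n<!-- " + filler + b" -->\n"
    return padded


# Constructed sample: a short duplicate-comment style error body (hypothetical).
SAMPLE = b"<html><body><p>Duplicate comment detected.</p></body></html>"
# Naive padding with spaces: large before compression, tiny after it.
NAIVE = SAMPLE + b"<!-- " + b" " * 2048 + b" -->"

if __name__ == "__main__":
    pages = [("original", SAMPLE), ("space-padded", NAIVE),
             ("padded", pad_error_page(SAMPLE))]
    for name, page in pages:
        ok = gzip_size(page) > MIN_BYTES
        print(f"{name:13s} raw={len(page):5d} gzip={gzip_size(page):4d} ok={ok}")
```

The space-padded page shows why the compressed size is the one that matters: repeated characters shrink to almost nothing. The actual size on the wire depends on the server's own compression settings, so measure the served response as well.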