Update: It will work only if you are logged in. Sorry for the false alarm. My intention were to alert the bloggers so that they could safeguard their blogs. For more details Click Here
Bad news for just about every WordPress blogger out there. Thousands of WordPress 3.2.1 installations are at risk of being compromised. It has been found that the latest version 3.2.1 of WordPress, an extremely popular suite of tools for powering blogs, is vulnerable to XSS injection attack which allows users to inject malicious JavaScript as a result of failure in sanitizing the comments field. Without discussing much about what this vulnerability could do to your blog I will jump to how it works and the solution.
Inject one of the below codes into the comment field of the target. Or use your brain to make a more powerful injection
Popup “alert” Box
Redirect to www.hungry-hackers.com
Cookie Stealer (need a logging system in place)
Upgrade to the latest version when available, In the meantime disable comments or hold comments for moderation as I did 
You might be interested in the following Articles False Alarm: XSS Vulnerability in WordPress 3.2.1Are you Vulnerable to Shell or SQL Injection?List of all the SQL Injection StringsCookie Stealing for fun and profit43 Excellent WordPress Security Tips & PluginsTop 15 SQL Injection ScannersSQL Injection Using HavijCreate a CookieLogger and Hack any Account
No comments:
Post a Comment