WordPress MU < 2.7 Cross-Site Scripting Vulnerability
Posted by DK
March 19, 2009
Cross-Site Scripting Vulnerability
Juan Galiana Lara has published details of a vulnerability that affects all WordPress MU versions below 2.7.
According to the advisory, version 2.7 is not affected, so if you have already upgraded to 2.7 you can ignore this issue entirely.
Vulnerability details
WordPress MU before version 2.7 does not handle the Host header correctly in the choose_primary_blog function, so specially crafted input can be used for cross-site scripting attacks.
Installations running as name-based virtual hosts are not affected, because they are not the default virtual host.
More information
More information about this vulnerability is available here:
http://www.milw0rm.com/exploits/8196
Fix information
The latest version of WordPress MU can be downloaded here.
Thanks to Juan for telling us about this important issue.
Original text:
WordPress MU < 2.7 Cross Site Scripting Vulnerability
Posted by DK
March 19, 2009
Cross Site Scripting Vulnerability
Juan Galiana Lara has released details regarding a vulnerability that affects WordPress MU versions < 2.7.
Version 2.7 is NOT affected according to the advisory. So if you have upgraded to 2.7 you can ignore this advisory.
Vulnerability Details
WordPress MU prior to version 2.7 fails to sanitize the Host header correctly in the choose_primary_blog function and is therefore prone to XSS attacks.
Web sites running in a name-based virtual hosting setup are not affected as long as they are not the default virtual host.
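The defensive pattern behind the fix, as an added illustration that is not WordPress MU's own code: a request's Host header is attacker-controlled on a default virtual host, so a primary-blog chooser should only accept a syntactically valid hostname that is also one of the blog domains the install knows about, and should still escape it on output. The hostname set, the fallback domain and the function names are constructed for this example.

```python
import html
import re

# Constructed sample of the blog hostnames a WordPress MU install knows about
# (assumption: a real install would read these from its blog table).
KNOWN_BLOG_HOSTS = {"blog1.example.org", "blog2.example.org", "example.org"}
DEFAULT_HOST = "example.org"  # assumption: configured fallback, never the request

# RFC 1123 style hostname (dot-separated labels) with an optional :port suffix.
# Anything containing quotes, angle brackets, slashes etc. simply does not match.
_HOST_RE = re.compile(
    r"^(?P<host>(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)(?::(?P<port>\d{1,5}))?$",
    re.IGNORECASE,
)


def resolve_primary_host(host_header, known_hosts=KNOWN_BLOG_HOSTS):
    """Return the canonical hostname for this request, or None if the Host
    header must not be trusted.  Two independent checks: the value must be a
    well-formed hostname, and it must be a domain this install actually serves."""
    match = _HOST_RE.match(host_header.strip())
    if match is None:
        return None
    host = match.group("host").lower()
    if host not in known_hosts:
        return None
    return host


def render_blog_option(host_header, blog_id):
    """Build one <option> of a primary-blog chooser.  The request host is
    validated first, replaced by the configured default if it fails, and
    still HTML-escaped on output as defence in depth."""
    host = resolve_primary_host(host_header)
    if host is None:
        host = DEFAULT_HOST
    return '<option value="%d">%s</option>' % (blog_id, html.escape(host, quote=True))
```

On a name-based virtual host the web server already rejects unknown Host values, which is why the advisory notes that such setups are unaffected; the allowlist check above gives the default virtual host the same property.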
More information
More information regarding this vulnerability is available here:
http://www.milw0rm.com/exploits/8196
Fix information
The latest version of WordPress MU is available here.
Thanks to Juan for informing us of this issue.