< and > are not filtered in upload.php
-
Hello together,
i found something strange in the upload.php file of wordpress (newest version).
if i make the following request if im logged in:
http://yourwordpressinstall.tld/wp-admin/upload.php?message=<somehtmltag>
it wont filterd out or not encoded in the queryvars javascript variable…
i hope nobody can exploit this … i just want to inform you…
have a nice day!
Greetings
burncycle -
Hey burncycle23,
You sound to use the self-hosted WordPress version(.org). Please share the link to your website.
It’s important to notice that WordPress.com and WordPress.org and two different platforms. To know more, please read this.
-
-
As I mentioned above, You use the self-hosted WordPress version(.org).
We’re only able to help with the websites hosted on WordPress.com.
Please either contact your web hosting customer support or submit your query to WordPress.org forums.
https://wordpress.org/support/forums/To do so, you need to create an account on WordPress.org.
https://login.wordpress.org/register -
-
-
WordPress is an open source software which is used on both the platforms. But when you have a self-hosted (WordPress.org) website, you use any web hosting company, not WordPress.com.
Whereas WordPress.com is a fully-hosted platform which takes of everything and no user has an access to the core files or any type of code of the website.
As you have mentioned the upload.php file, it means you have access to the WordPress files from your web hosting cPanel.
Please read the difference for more clarification.
-
okay – once again:
i wont access this file through the file system its over the normal webbrowser – for example this:
now i login and then the thing is done :/
– i hope you understand ;)
Greetz
burncycle -
- The topic ‘< and > are not filtered in upload.php’ is closed to new replies.
WordPress.com Forums 