Bug for Get a Blog Signup Page

• 

  eligrey · Member · May 18, 2008 at 8:28 pm

  • Copy link
  • Add topic to favorites

  Going to an unregistered subdomain of wordpress.com can show your user account in the blog domain text box and in the blog title text box if you add /wp-admin/ to the end of the url. I think someone might think of some kind of xss to exploit this. It also only seems to work when the subdomain is exactly 6 characters long.
  Example urls:

  • http://glitch.wordpress.com/wp-admin/
  • http://omgwtf.wordpress.com/wp-admin/
• 

  eligrey · Member · May 18, 2008 at 8:32 pm

  • Copy link

  Edit: I also just noticed it won’t work if there are numbers, underscores, or dashes in the subdomain.
  And it seems that if there are four or two characters, like http://cake.wordpress.com/wp-admin/ and http://hi.wordpress.com/wp-admin/, the glitch is also triggered.

• 

  vivianpaige · Member · May 18, 2008 at 9:06 pm

  • Copy link

  Not working for me. They just take me to my dashboard.

• 

  mark · Member · May 18, 2008 at 9:42 pm

  • Copy link

  If you go to a non-existent blog like that it opens the signup page already filled in.

• 

  eligrey · Member · May 18, 2008 at 10:20 pm

  • Copy link

  Yeah, but it’s filled in with your current user account name if you visit some of them. For me they are automatically filled with “sephr”

• 

  singularcontiguity · Member · May 18, 2008 at 10:38 pm

  • Copy link

  Only if you’re logged in. Log out and try it again, with something like “gggrrrrrr.wordpress.com/wp-admin”, and you’ll get “gggrrrrrr” filled in.