post-page

Comment Rating Plugin Fixes Security Vulnerability

No
responses
by
 
on
December 8th, 2010
in
WordPress Security

If you use the Comment Rating plugin for your WordPress powered site, you are highly encouraged to upgrade to the latest version as it fixes a security vulnerability. More specifically, a Cross-site Request Forgery attack. According to the report at OSVDB.org which is an Open Source Vulnerability Database:

The flaw exists because the application does not require multiple steps or explicit confirmation for unspecified sensitive transactions for the admin function. By using a crafted URL (e.g., a crafted GET request inside an “img” tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

There is no known workaround for versions lower than 2.9.21. Kudos goes to KrebsOnSecurity for reporting the flaw and to bobking who quickly published a new version with the patch.

heading
heading
No
Responses

 

Comments are closed.

Obviously Powered by WordPress. © 2003-2013

page counter
css.php