2 posts tagged 'Cross-site script'

  1. 2017.10.03 WordPress 4.8.2 released - security patch summary
  2. 2010.08.30 Microsoft Korea website is vulnerable to XSS attack

Multiple security vulnerabilities were found in WordPress, the open-source blogging platform, and version 4.8.2, which includes fixes for these issues, has been released.


The security vulnerabilities fixed in WordPress 4.8.2 are as follows.


  1. $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco

  2. A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.

  3. A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.

  4. A path traversal vulnerability was discovered in the file unzipping code. Reported by Alex Chapman (noxrnet).

  5. A cross-site scripting (XSS) vulnerability was discovered in the plugin editor. Reported by 陈瑞琦 (Chen Ruiqi).

  6. An open redirect was discovered on the user and term edit screens. Reported by Yasin Soliman (ysx).

  7. A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the WordPress Security Team.

  8. A cross-site scripting (XSS) vulnerability was discovered in template names. Reported by Luka (sikic).

  9. A cross-site scripting (XSS) vulnerability was discovered in the link modal. Reported by Anas Roubi (qasuar).



Most of these vulnerabilities are SQL injection and cross-site scripting, serious issue classes that sit at the top of the OWASP Top 10.


Users of earlier versions are therefore advised to update to the latest version as soon as possible.



Source: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/


Posted by 문스랩닷컴
Microsoft Korea website (http://www.microsoft.co.kr/dynamic/ko/kr) is vulnerable to cross-site scripting (XSS).

Combined with phishing techniques, exploiting this XSS vulnerability could lead to serious security breaches or leak personal information.


In May, I published that the Microsoft website contained an SQL injection vulnerability. This issue seemed to be resolved silently.

link: http://moonslab.com/930

