Someone mentioned that the winners of the WBT plugin contest have huge security holes, quoting the famous XSS and CSRF attacks that haunt virtually every PHP script that uses GET requests.
I’ve made a small fix for the XSS (though it wouldn’t be able to do any damage), but not for the CSRF, something that affects almost every PHP script using GET.
My opinion:
Virtually every script that uses a GET request has this problem, and I anticipated this, and someone’s making a really big deal out of this, and everyone is scared.
Launching the attack would require your hostname and a script custom tailored to your blog, and you need to be logged in. And in all probability you’re not important enough.
Using nonce:
I won’t be able to use wp_nonce as the Firefox extension calls in a URL and wp_nonce is only accessible from within the WP install.
Action Taken:
I will release a patch in the weekend with a “paranoid mode” / “vista mode” (haven’t decided on the name) which will bug you to confirm when you’re installing any theme/plugin, fixing the “bug”, but being extremely annoying at the same time. This can be enabled or disabled depending on what the user wants.
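One way to build the confirm-before-install step described above with the WordPress nonce API, as an added example that is not the plugin’s own code; the handler name, the `package` parameter, the admin page URL, the `oneclick_confirm_install` nonce action and the `oneclick_do_install()` installer are assumptions:

```php
<?php
// Added illustration of a confirm-before-install step for a WordPress plugin
// whose install URL is opened by a browser extension with a GET request.
// Hypothetical handler: function and action names are assumptions, not the
// plugin's own. Uses the WordPress nonce API (wp_nonce_field,
// check_admin_referer) plus a capability check.

function oneclick_handle_install_request() {
    // Only users allowed to install plugins/themes may reach this step at all.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // Stage 2: the confirmation form POSTs back with a nonce tied to this action.
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // Dies with "Are you sure?" unless a valid nonce is present. A page on
        // another site cannot read the nonce, so a forged request stops here.
        check_admin_referer( 'oneclick_confirm_install' );
        $package = isset( $_POST['package'] ) ? esc_url_raw( $_POST['package'] ) : '';
        if ( '' === $package ) {
            wp_die( 'No package specified.' );
        }
        oneclick_do_install( $package ); // assumed: the plugin's existing installer
        return;
    }

    // Stage 1 ("paranoid mode"): the extension's plain GET never installs
    // anything. It only renders a confirmation form carrying a fresh nonce.
    $package = isset( $_GET['package'] ) ? esc_url_raw( $_GET['package'] ) : '';
    if ( '' === $package ) {
        wp_die( 'No package specified.' );
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=oneclick' ) ) . '">';
    wp_nonce_field( 'oneclick_confirm_install' ); // emits the _wpnonce hidden field
    echo '<p>Install the package from <code>' . esc_html( $package ) . '</code>?</p>';
    echo '<input type="hidden" name="package" value="' . esc_attr( $package ) . '">';
    submit_button( 'Yes, install it' );
    echo '</form>';
}
```

The extension never needs the nonce: it is issued by the confirmation page and sent back only by the logged-in user’s own click, which is what makes the final POST unforgeable from a third-party page.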
Options available to the user:
Use version 0.42 which has only zip file uploading, but no Firefox functionality. You can get it at http://anirudhsanjeev.org/projects/oneclick.
Upgrade the plugin when it says it’s available.