Comments on: WordPress TinyMCE Hack Will Kill Your Blog http://wpcoop.org/wordpress-tinymce-hack-will-kill-your-blog/ Global Association of Wordpress Professionals Mon, 07 Feb 2011 19:29:37 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Sam http://wpcoop.org/wordpress-tinymce-hack-will-kill-your-blog/comment-page-1/#comment-158 Sam Wed, 20 Oct 2010 08:24:34 +0000 http://wpcoop.org/?p=732#comment-158 I have noticed many queries sniffing for tinymce. It is very likely that there is a hole hackers are sniffing for. -Sam I have noticed many queries sniffing for tinymce. It is very likely that there is a hole hackers are sniffing for.

-Sam

]]> By: Steve http://wpcoop.org/wordpress-tinymce-hack-will-kill-your-blog/comment-page-1/#comment-156 Steve Wed, 29 Sep 2010 09:44:40 +0000 http://wpcoop.org/?p=732#comment-156 I don't think you understand, TinyMCE is pure JavaScript, unless you have installed something "custom", there are plenty of vulnerabilities in 3rd party TinyMCE plugins. With pure Javascript, I mean that the exact same "exploit" could be done even with Javascript turned off in the browser. If you Google a bit, you will see that there are virtually no reported issues with the Wordpress versions you mention (other than actually ISP hosts being hacked). So the question becomes, what is different on your installs compared to a normal Wordpress install? Can you post the execution line you mentioned here? I don’t think you understand, TinyMCE is pure JavaScript, unless you have installed something “custom”, there are plenty of vulnerabilities in 3rd party TinyMCE plugins.

With pure Javascript, I mean that the exact same “exploit” could be done even with Javascript turned off in the browser.

If you Google a bit, you will see that there are virtually no reported issues with the Wordpress versions you mention (other than actually ISP hosts being hacked).

So the question becomes, what is different on your installs compared to a normal Wordpress install?

Can you post the execution line you mentioned here?

]]> By: Jumile http://wpcoop.org/wordpress-tinymce-hack-will-kill-your-blog/comment-page-1/#comment-150 Jumile Mon, 28 Jun 2010 19:53:26 +0000 http://wpcoop.org/?p=732#comment-150 FWIW, I'm seeing a lot of persistent, direct browse attempts to "/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=file&folder=" on my blogs (always from Russian IPs, it seems). I really only noticed because of a 'who's online' type plugin I installed recently. There's little doubt that these URLs are deliberate, and TinyMCE does have a history of being an attack vector (e.g. the Joomla version back in 2008 with its example page). So, in short, TinyMCE *was* a vector in the past and may well be again, 'just javascript' or not. FWIW, I’m seeing a lot of persistent, direct browse attempts to “/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=file&folder=” on my blogs (always from Russian IPs, it seems). I really only noticed because of a ‘who’s online’ type plugin I installed recently.

There’s little doubt that these URLs are deliberate, and TinyMCE does have a history of being an attack vector (e.g. the Joomla version back in 2008 with its example page). So, in short, TinyMCE *was* a vector in the past and may well be again, ‘just javascript’ or not.

]]> By: felix http://wpcoop.org/wordpress-tinymce-hack-will-kill-your-blog/comment-page-1/#comment-148 felix Mon, 14 Jun 2010 14:59:22 +0000 http://wpcoop.org/?p=732#comment-148 implementing tinymce forces security holes that the developers would rather you not know about implementing tinymce forces security holes that the developers would rather you not know about

]]>