N/A

moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character.

N/A

N/A

WordPress 内容欺骗漏洞

WordPress是WordPress软件基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。 WordPress 3.5.1之前的版本和其他产品中的TinyMCE Media插件中使用的Moxiecode moxieplayer中的moxieplayer.as中存在漏洞，该漏洞源于程序在解析QUERY_STRING内容的过程中没有将 ‘#’（井号）字符之后的内容忽略，导致远程攻击者可通过在‘？’字符之后构造特制的URL利用该漏洞传送任意参数到Flash应用

N/A

N/A