xss

1. The culprit code is in the functions.php.
2.  
3. .button {
4. background: #f2f2f2 url(<?php echo wp_guess_url(); ?>/wp-admin/images/white-grad.png) repeat-x scroll left top;
5. }
6.  
7. .button:active {
8. background: #eee url(<?php echo wp_guess_url(); ?>/wp-admin/images/white-grad-active.png) repeat-x scroll left top;
9. }
10.  
11.  
12. function wp_guess_url() {
13. if ( defined('WP_SITEURL') && '' != WP_SITEURL ) {
14. $url = WP_SITEURL;
15. } else {
16. $schema = is_ssl() ? 'https://' : 'http://';
17. $url = preg_replace('|/wp-admin/.*|i', '', $schema . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
18. }
19. return rtrim($url, '/');
20. }
21.  
22. Does the following make any difference ??? am puzzled
23.  
24. Server: Apache/2.2.14 (Ubuntu)
25. X-Powered-By: PHP/5.3.2-1ubuntu4 ----> Oldman case
26.  
27. Server: Apache/2.2.20 (Ubuntu)
28. X-Powered-By: PHP/5.3.6-13ubuntu3.2 ----> ethicalhack3r case