Make WordPress Core

Opened 15 years ago

Closed 15 years ago

Last modified 9 years ago

#8291 closed defect (bug) (wontfix)

Missed int casting on wp-admin/users.php (harmless xss?)

Reported by: g30rg3x's profile g30rg3x Owned by: ryan's profile ryan
Milestone: Priority: normal
Severity: trivial Version:
Component: Security Keywords: has-patch commit dev-feedback
Focuses: Cc:

Description

Around Lines 126 to 151...

	if ( empty($_REQUEST['users']) )
		$userids = array(intval($_REQUEST['user']));
	else
		$userids = $_REQUEST['users'];
	...
	foreach ( (array) $userids as $id ) {
		$user = new WP_User($id);
		if ( $id == $current_user->ID ) {
			echo "<li>" . sprintf(__('ID #%1s: %2s <strong>The current user will not be deleted.</strong>'), $id, $user->user_login) . "</li>\n";
		} else {
			echo "<li><input type=\"hidden\" name=\"users[]\" value=\"{$id}\" />" . sprintf(__('ID #%1s: %2s'), $id, $user->user_login) . "</li>\n";
			$go_delete = true;
		}
	}


As we can see on the present code, $id came from either users or user http request variable, user is well casted to integer but users is not so it could lead to and a XSS attack.
However in order to work, the attacker needs at least to know a valid nonce, which is kinda hard so it turns to be a harmless (or poor) XSS.

Attachments (2)

users.php.diff (462 bytes) - added by g30rg3x 15 years ago.
For Trunk
legacy.users.php.diff (515 bytes) - added by g30rg3x 15 years ago.
For Legacy Brach (2.0)

Download all attachments as: .zip

Change History (9)

@g30rg3x
15 years ago

For Trunk

#1 @ryan
15 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [9814]) Cast to int. Props g30rg3x. fixes #8291

#2 @ryan
15 years ago

(In [9815]) Cast to int. Props g30rg3x. fixes #8291

#3 @g30rg3x
15 years ago

  • Keywords 2nd-opinion removed
  • Resolution fixed deleted
  • Severity changed from minor to trivial
  • Status changed from closed to reopened

Sorry for reopening the ticket...
But legacy branch (2.0) has the same defect.

#4 @g30rg3x
15 years ago

  • Milestone changed from 2.7 to 2.0.12
  • Version 2.7 deleted

Forget to change Milestone and version.

@g30rg3x
15 years ago

For Legacy Brach (2.0)

#5 @DD32
15 years ago

  • Keywords commit dev-feedback added

Is this going to be applied to the legacy branch at all? commit or wontfix please :)

#6 @Denis-de-Bernardy
15 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

#7 @DrewAPicture
9 years ago

  • Milestone 2.0.12 deleted
Note: See TracTickets for help on using tickets.