Ticket #8291 (reopened defect (bug))

Opened 2 months ago

Last modified 2 weeks ago

Missed int casting on wp-admin/users.php (harmless xss?)

Reported by: g30rg3x Assigned to: ryan
Priority: normal Milestone: 2.0.12
Component: Security Version:
Severity: trivial Keywords: has-patch commit dev-feedback
Cc:

Description

Around Lines 126 to 151...

	if ( empty($_REQUEST['users']) )
		$userids = array(intval($_REQUEST['user']));   // single 'user' value: cast to int
	else
		$userids = $_REQUEST['users'];                 // 'users[]' array: used without any cast
	...
	foreach ( (array) $userids as $id ) {
		$user = new WP_User($id);
		if ( $id == $current_user->ID ) {
			echo "<li>" . sprintf(__('ID #%1s: %2s <strong>The current user will not be deleted.</strong>'), $id, $user->user_login) . "</li>\n";
		} else {
			// $id from 'users[]' is echoed straight into the attribute value and the list text
			echo "<li><input type=\"hidden\" name=\"users[]\" value=\"{$id}\" />" . sprintf(__('ID #%1s: %2s'), $id, $user->user_login) . "</li>\n";
			$go_delete = true;
		}
	}


As we can see in the present code, $id comes from either the users or the user HTTP request variable; user is properly cast to integer but users is not, so it could lead to an XSS attack.
However, in order to work, the attacker needs at least to know a valid nonce, which is kind of hard, so it turns out to be a harmless (or poor) XSS.
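As an added illustration (not the patch attached to this ticket, whose contents are not shown here), the same two request paths with the missing cast applied to the users[] array; the helper names and the sample request are assumptions made for this example:

```php
<?php
// Added example, not WordPress code: normalize the IDs from both request
// paths so that only integers ever reach the echoed markup.

/** Keep only positive IDs (intval() of non-numeric input yields 0). */
function example_is_positive_id($id) {
    return $id > 0;
}

/**
 * Collect the user IDs to delete from the request array and cast each
 * one to int, mirroring the single-'user' path for the 'users[]' path.
 */
function example_collect_user_ids(array $request) {
    if ( empty($request['users']) )
        $ids = array( intval($request['user']) );               // as in the original
    else
        $ids = array_map('intval', (array) $request['users']);  // the cast that was missing
    return array_values( array_filter($ids, 'example_is_positive_id') );
}

/** Render one confirmation row; $id is already an int, so it cannot carry markup. */
function example_render_delete_row($id, $user_login, $current_user_id) {
    if ( $id == $current_user_id )
        return "<li>" . sprintf('ID #%1$s: %2$s <strong>The current user will not be deleted.</strong>', $id, $user_login) . "</li>\n";
    return "<li><input type=\"hidden\" name=\"users[]\" value=\"{$id}\" />" . sprintf('ID #%1$s: %2$s', $id, $user_login) . "</li>\n";
}

// Constructed sample request: the second entry is non-numeric and would have
// been echoed verbatim by the original loop; after the cast it becomes 12.
$sample_request = array( 'users' => array( '7', '12<b>', '0' ) );
foreach ( example_collect_user_ids($sample_request) as $id ) {
    echo example_render_delete_row($id, 'login_for_' . $id, 1);
}
```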

Attachments

users.php.diff (462 bytes) - added by g30rg3x on 11/20/08 09:03:33.
For Trunk
legacy.users.php.diff (0.5 kB) - added by g30rg3x on 11/20/08 19:06:53.
For Legacy Branch (2.0)

Change History

11/20/08 09:03:33 changed by g30rg3x

  • attachment users.php.diff added.

For Trunk

11/20/08 17:26:52 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [9814]) Cast to int. Props g30rg3x. fixes #8291

11/20/08 17:27:08 changed by ryan

(In [9815]) Cast to int. Props g30rg3x. fixes #8291

11/20/08 18:49:37 changed by g30rg3x

  • keywords changed from has-patch, 2nd-opinion to has-patch.
  • status changed from closed to reopened.
  • resolution deleted.
  • severity changed from minor to trivial.

Sorry for reopening the ticket...
But legacy branch (2.0) has the same defect.

11/20/08 18:56:44 changed by g30rg3x

  • version deleted.
  • milestone changed from 2.7 to 2.0.12.

Forgot to change Milestone and version.

11/20/08 19:06:53 changed by g30rg3x

  • attachment legacy.users.php.diff added.

For Legacy Branch (2.0)

12/29/08 06:50:40 changed by DD32

  • keywords changed from has-patch to has-patch commit dev-feedback.

Is this going to be applied to the legacy branch at all? commit or wontfix please :)