Ticket #10733 (closed defect (bug): duplicate)

Opened 2 years ago

Last modified 2 years ago

Eval()'ed string not escaped properly

Reported by: sirzooro Owned by: ryan
Priority: high Milestone:
Component: Security Version: 2.8.4
Severity: major Keywords: has-patch
Cc:

Description

There is a problem with permalinks, which is the root cause of last series of attacks on WordPresses. URL rewrite engine does not escape dollar signs in rules generated from permalink format, so it is possible to inject PHP code using specially crafted permalink format. There are two places where eval() is called: classes.php:219 and rewrite.php:302. These dollar signs should be escaped during rule generation, in generate_rewrite_rules() - attached patch does this.

You can also consider adding code to remove dollars from permalink format if someone will enter it on options screen (when options are saved), or even better to validate if all %something% tags consists of letters, numbers and underscores only (and maybe dashes too).

Attachments

rewrite.php.diff Download (500 bytes) - added by sirzooro 2 years ago.

Change History

sirzooro2 years ago

comment:1   dd322 years ago

  • Status changed from new to closed
  • Resolution set to duplicate
  • Milestone 2.8.5 deleted

see: [11891]: Replace eval usage in request processing with new WP_MatchesMapRegex() class usage. Fixes #9602 for 2.8 branch props hakre.

Note: See TracTickets for help on using tickets.