Opened 2 years ago

Last modified 5 days ago

#17737 new defect (bug)

Be better at forcing data types for query vars

Reported by: juliobox Owned by:
Priority: normal Milestone: Future Release
Component: Query Version: 3.0
Severity: normal Keywords: has-patch
Cc:

Description

I already email this flaw to security@… but Andrew Nacin told me that this is not a WordPress flaw, but php server config flaw. So i post this here now.

Exploit : http://WEBSITE.COM/?author[]=1
Problem : FPD (https://www.owasp.org/index.php/Full_Path_Disclosure)
Solution : Add this "@ini_set('display_errors', 0);" or this "error_reporting(0);" in the end of wp-config.php file.
Patch :
1) wp-includes/query.php line 2239
Replace

$q['author'] = (string)urldecode($q['author']);

by

if ( is_array( $q['author'] ) ) {
$q['author'] = $q['author'][0];
}
$q['author'] = (string)urldecode($q['author']);

2) wp-includes/canonical.php line 142
Replace 

} elseif ( is_author() && !empty($_GET['author']) && preg_match( '|^[0-9]+$|', $_GET['author'] ) ) {

by

} elseif ( is_author() && !empty($_GET['author']) && preg_match( '|^[0-9]+$|', !is_array($_GET['author']) ? $_GET['author'] : $_GET['author'][0] ) ) {


Julio - http://www.boiteaweb.fr

Attachments (2)

17737.patch (519 bytes) - added by xknown 2 years ago.
urldecode returns a string, move the cast to the right place
17737.2.patch (1.5 KB) - added by SergeyBiryukov 20 months ago.

Download all attachments as: .zip

Change History (13)

comment:1   nacin2 years ago

  • Component changed from Security to Query
  • Severity changed from major to normal

The bug here being that we should be checking or forcing data types on a number of query vars, (such as author, p, post, etc, that only take integers).

comment:2 follow-up: ↓ 3   juliobox2 years ago

FPD is considered as an attack by OWASP, this is not to be taken lightly.

Thank you for your responses Nacin :)

comment:3 in reply to: ↑ 2   nacin2 years ago

Replying to juliobox:

FPD is considered as an attack by OWASP, this is not to be taken lightly.

We know, but path disclosure via PHP errors is a server configuration issue, not an application issue.

comment:4   juliobox2 years ago

I do not want to argue but I do not agree with "path disclosure via PHP errors is a server configuration issue, not an application issue" :]

xknown2 years ago

urldecode returns a string, move the cast to the right place

comment:5   nacin2 years ago

  • Summary changed from Full Path Disclosure to Be better at forcing data types for query vars
  • Version changed from 3.2 to 3.0

SergeyBiryukov20 months ago

comment:6   SergeyBiryukov20 months ago

  • Keywords has-patch added

17737.2.patch handles author, cat and orderby. Other int query vars don't seem to throw notices when being passed as an array.

Probably need to handle author_name and category_name (they also throw notices in that case).

comment:7   nacin4 months ago

  • Milestone changed from Awaiting Review to 3.6

I think 's' also throws a warning.

comment:8   SergeyBiryukov3 months ago

#23425 was marked as a duplicate.

comment:9   SergeyBiryukov3 months ago

#23425 mentions ?page[] and ?s[].

comment:10   dave10103 months ago

I believe this patch will still show a notice. From the PHP 5.4 changelog:

Changed silent conversion of array to string to produce a notice.

$ php -r '(string)[];'

PHP Notice: Array to string conversion in Command line code on line 1

comment:11   ryan5 days ago

  • Milestone changed from 3.6 to Future Release
Note: See TracTickets for help on using tickets.