
Ticket #49641: poc.php

File poc.php, 2.3 KB (added by growthwp, 14 months ago)

PoC

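<?php

declare(strict_types=1);

// Change these to match the user IDs that actually exist on the test site.
$user_1_id = 1;
$user_2_id = 2;

/**
 * Setup for the PoC: assume that when a user is created we attach a secret
 * access key to his user ID, stored in user meta under the key 'access_key'.
 * The user has to present this key every time he wants to do something.
 *
 * (The PoC stores the keys in clear text so the meta query can match them;
 * see the note at the bottom for what application code should do instead.)
 */
update_user_meta( $user_1_id, 'access_key', 'eiZurewj$ez24pP' );
update_user_meta( $user_2_id, 'access_key', 'xcrpsokfoipu35oE' );

/**
 * Runs the lookup the application under test relies on — "which users own
 * this access key?" — as a meta query on the key's value, prints the caption
 * and then every matching user ID followed by a space.
 *
 * @param string|false $key     The key as supplied by the caller.
 * @param string       $caption Text echoed before the IDs.
 *
 * @return array The IDs returned by get_users() for 'fields' => 'id'.
 */
function poc_print_users_for_key( $key, string $caption ): array
{
	$user_ids = get_users( [
		'fields'       => 'id',
		'meta_key'     => 'access_key',
		'meta_compare' => '=',
		'meta_value'   => $key,
	] );

	echo $caption;
	foreach ( $user_ids as $user_id ) {
		echo $user_id;
		echo " ";

		// This is where the application would do something sensitive, because
		// it "knows" the caller holds the secret key for this user ID.
	}

	return $user_ids;
}

/**
 * 1. The key the user really provides. The list of matching users is
 *    supposed to be safe & accurate, so it should contain only '1'.
 */
$secret_key_from_frontend = 'eiZurewj$ez24pP';

// Should only return 1.
poc_print_users_for_key(
	$secret_key_from_frontend,
	"User ids that correspond to the correct secret key:"
);

echo "<br>";

/**
 * 2. Now mess with it by making the meta_value an empty string.
 */
$evil_key = '';

// Returns 1,2... — the same sensitive operation now runs for every user that
// has an 'access_key' at all, because the empty value is not compared.
poc_print_users_for_key(
	$evil_key,
	"User ids that correspond to the evil, empty-space key:"
);

/**
 * 3. For comparison, see what happens when false is provided for the
 *    meta value instead of ''.
 */
echo "However, let us see what happens when False is provided for the meta value.";

// Returns nothing.
poc_print_users_for_key(
	false,
	"User ids that correspond to the false key:"
);

echo "Well, nothing, as it should, but, we are expecting that '' would achieve the same thing.";

/*
 * Takeaway for application code: an empty-string 'meta_value' is treated by
 * the meta-query layer as "no value given", so the clause degrades to a
 * key-exists check and matches every user with an 'access_key' (that is the
 * behaviour this ticket reports). Never resolve "which user does this secret
 * belong to" with a meta query on the secret's value: reject an empty or
 * non-string key before querying, look the user up by ID, and compare the
 * stored (hashed) key with hash_equals().
 */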