WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#10733 closed defect (bug) (duplicate)

Eval()'ed string not escaped properly

Reported by: sirzooro
Owned by: ryan
Milestone:
Priority: high
Severity: major
Version: 2.8.4
Component: Security
Keywords: has-patch
Focuses:
Cc:

Description

There is a problem with permalinks, which is the root cause of the last series of attacks on WordPress sites. The URL rewrite engine does not escape dollar signs in rules generated from the permalink format, so it is possible to inject PHP code using a specially crafted permalink format. There are two places where eval() is called: classes.php:219 and rewrite.php:302. These dollar signs should be escaped during rule generation, in generate_rewrite_rules(); the attached patch does this.

You can also consider adding code to remove dollar signs from the permalink format if someone enters them on the options screen (when options are saved), or even better, to validate that all %something% tags consist of letters, numbers and underscores only (and maybe dashes too).
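The save-time validation suggested above could look like the following. This is an added example, not part of the ticket, the attached patch or WordPress core; the function name `example_validate_permalink_structure` is hypothetical and the sample structures are constructed.

```php
<?php
// Added example, not WordPress core code. The function name and the
// sample structures below are hypothetical / constructed.

/**
 * Validate a permalink structure before it is saved.
 * Returns a list of problems; an empty list means it is acceptable.
 */
function example_validate_permalink_structure(string $structure): array
{
    $errors = [];

    // Dollar signs have no place in a permalink structure; per the ticket,
    // they reach the eval()'ed rewrite rules unescaped.
    if (strpos($structure, '$') !== false) {
        $errors[] = 'dollar sign not allowed';
    }

    // Well-formed tags: %name% with letters, digits, underscores, dashes.
    $wellFormed = '/%[A-Za-z0-9_-]+%/';

    // Remove every well-formed tag; any percent sign left over belongs to
    // a malformed or unterminated tag (e.g. "%post name%", "%year").
    $rest = preg_replace($wellFormed, '', $structure);
    if ($rest === null) {
        $errors[] = 'pattern matching failed';
    } elseif (strpos($rest, '%') !== false) {
        $errors[] = 'malformed %tag%';
    }

    return $errors;
}

// Constructed sample inputs.
$samples = [
    '/%year%/%monthnum%/%postname%/',  // accepted
    '/archives/%post_id%',             // accepted
    '/blog$/%postname%/',              // rejected: dollar sign
    '/%post name%/',                   // rejected: space inside tag
    '/%year/%postname%/',              // rejected: unterminated tag
];

foreach ($samples as $s) {
    $errors = example_validate_permalink_structure($s);
    printf("%-34s %s\n", $s, $errors ? 'REJECT: ' . implode(', ', $errors) : 'ok');
}
```

Input validation of this kind complements, and does not replace, escaping in generate_rewrite_rules() or removing eval() from request processing, since a structure already stored in the database never passes through the options screen again.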

Attachments (1)

rewrite.php.diff (500 bytes) - added by sirzooro 5 years ago.


Change History (2)

sirzooro 5 years ago

comment:1 dd32 5 years ago

  • Milestone 2.8.5 deleted
  • Resolution set to duplicate
  • Status changed from new to closed

see: [11891]: Replace eval usage in request processing with new WP_MatchesMapRegex() class usage. Fixes #9602 for 2.8 branch props hakre.
