Opened 13 years ago
Closed 13 years ago
#11777 closed defect (bug) (fixed)
ms-edit.php / addblog action improperly sanitizes domains
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 3.0 | Priority: | normal |
Severity: | normal | Version: | 3.0 |
Component: | Security | Keywords: | |
Focuses: | multisite | Cc: | |
Description
It uses sanitize_user in non-strict mode with a twist:
$domain = sanitize_user( str_replace( '/', '', $blog[ 'domain' ] ) );
As I read sanitize_user, this can allow for subdomains with improper characters in them.
Change History (10)
#5 in reply to: ↑ 2, 13 years ago
Replying to Denis-de-Bernardy:
ms-options.php has a slightly different approach to sanitization, which is equally bug prone:
$blogname = untrailingslashit( sanitize_user( str_replace( '.', '', str_replace( $current_site->domain . $current_site->path, '', $details->domain . $details->path ) ) ) );
That's for display only. If the dashboard blog is dashboard.domain.com or domain.com/dashboard, then dashboard is shown in the textbox.
#7 follow-up: ↓ 9, 13 years ago
Doesn't r13630 allow a completely unsanitized domain name to go in provided it contains -- in it? Such as:
evil--<script src="http://evil.com/xss.js"></script>
#9 in reply to: ↑ 7, 13 years ago
Replying to Denis-de-Bernardy:
Doesn't r13630 allow a completely unsanitized domain name to go in provided it contains -- in it? Such as:
evil--<script src="http://evil.com/xss.js"></script>
It would block that. See line 139:
if ( ! preg_match( '/(--)/', $blog[ 'domain' ] ) && preg_match( '|^([a-zA-Z0-9-])+$|', $blog[ 'domain' ] ) )
The only characters allowed in the domain name are a-zA-Z0-9-.
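The following is an added example, not code from this ticket or from WordPress. It wraps the allow-list check quoted in comment #9 in a function and runs it over constructed inputs, including the payload asked about in comment #7, so the difference between sanitizing (sanitize_user, which keeps spaces, underscores, dots and @) and validating against a DNS-label allow-list is visible. The second function, the length bound of 63 octets and the `\z` anchor are additions of mine and are not part of the ticket; `\z` is used because PCRE's `$` also matches just before a trailing newline.

```php
<?php
// Added example (not WordPress code): the allow-list check quoted in comment #9,
// wrapped in a function, beside a tightened variant, run over constructed inputs.

/**
 * The check as quoted from ms-edit.php line 139 in comment #9:
 * reject any label containing "--", then require only [a-zA-Z0-9-].
 */
function domain_label_passes_ticket_check( string $label ): bool {
    return ! preg_match( '/(--)/', $label )
        && preg_match( '|^([a-zA-Z0-9-])+$|', $label ) === 1;
}

/**
 * Tightened variant (my addition, not from the ticket): PCRE's `$` also matches
 * just before a trailing "\n", so `\z` anchors at the true end of the string,
 * and the length is bounded to the 63-octet DNS label limit.
 */
function domain_label_is_valid( string $label ): bool {
    if ( $label === '' || strlen( $label ) > 63 ) {
        return false;
    }
    if ( preg_match( '/--/', $label ) ) {
        return false;
    }
    return preg_match( '/\A[a-zA-Z0-9-]+\z/', $label ) === 1;
}

// Constructed inputs, including the payload from comment #7.
$samples = [
    'dashboard',                                            // valid label
    'evil--<script src="http://evil.com/xss.js"></script>', // rejected by both clauses
    'evil--host',                                           // rejected by the "--" clause alone
    'my_blog',                                              // survives sanitize_user, not a valid label
    'a b',                                                  // interior space: same story
    "dashboard\n",                                          // trailing newline: `$` accepts, `\z` rejects
];

printf( "%-58s %-13s %s\n", 'input', 'ticket check', 'tightened' );
foreach ( $samples as $s ) {
    printf(
        "%-58s %-13s %s\n",
        json_encode( $s ),
        domain_label_passes_ticket_check( $s ) ? 'pass' : 'REJECT',
        domain_label_is_valid( $s ) ? 'pass' : 'REJECT'
    );
}
```

The point the thread turns on is the difference between the two approaches: sanitize_user rewrites its input into something it considers acceptable for a username, whereas the r13630 check refuses anything outside an explicit character allow-list, which is the property a hostname label needs. Run with `php` on the command line; the only row where the two functions disagree is the one with the trailing newline.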