Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#40888 closed defect (bug) (fixed)

PHP Warnings when POSTing keys as arrays to wp-login.php

Reported by: johnjamesjacoby
Owned by: SergeyBiryukov
Milestone: 4.9
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords: 2nd-opinion needs-testing has-patch
Focuses:
Cc:

Description (last modified by johnjamesjacoby)

I'm seeing bots filling up my error logs by POSTing to wp-login.php with user_login as an array instead of a string. The user_login value is blindly passed through functions that assume it's a string, like trim(), register_new_user(), reset_password() and so on.

For me, they're hitting /wp-login.php?action=lostpassword, but upon further review, the majority of actions and functions in (and related to) wp-login.php are equally susceptible to a similar log-filling type of attack.

(I'm seeing this on PHP 7.1, so it's possible that upped the priority to a warning, which is why I'm seeing this now, but it's also possible this is new, or I haven't seen this myself before.)

It is possible to set up web-server rules to prevent malformed values in these fields, but I think it's better for everyone if wp-login.php protects against them at the application level anyway.

FWIW, I am not against modifying $_POST directly in cases like this (where the core code has never supported array values in these keys, there's no imaginable reason for these values to ever not be strings, and a complex plugin stack means other code probably also trusts these values are strings, too.)

To duplicate, send the following $_POST request to the following URL:

URL: http://src.wordpress-develop.dev/wp-login.php?action=lostpassword

POST: user_login['test'] => 'hello'

Somewhat related: #34192
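The failure mode described above, and the two ways of closing it that the ticket discusses (the is_string() check in the attached patch, and normalising $_POST up front), as an added PHP example. This is not WordPress core code; the function names, the error codes and the sample request bodies are constructed for the example.

```php
<?php
// Added example, not WordPress core code. It reproduces the failure mode the
// ticket describes (an array arriving where wp-login.php expects a string),
// shows the is_string() guard the attached patch applies, and the
// "normalise $_POST up front" alternative the reporter mentions.

/**
 * Pre-fix shape of the lostpassword flow: the raw request value goes straight
 * into trim() and strpos(). When user_login is an array, PHP 7 emits
 * "trim() expects parameter 1 to be string, array given" (and the same for
 * strpos()) and carries on; PHP 8 throws a TypeError instead.
 */
function lostpassword_unguarded(array $post): string
{
    $login = trim($post['user_login']);
    return strpos($login, '@') !== false ? 'lookup-by-email' : 'lookup-by-login';
}

/**
 * Patched shape: reject anything that is not a string before it reaches the
 * string functions. Returns a small error/result array so the example stays
 * self-contained; core reports this through WP_Error / wp_die().
 */
function lostpassword_guarded(array $post): array
{
    $login = $post['user_login'] ?? '';
    if (!is_string($login)) {
        // 'invalid_username' is a constructed error code for this example.
        return ['error' => 'invalid_username', 'message' => 'user_login must be a string.'];
    }
    $login = trim($login);
    if ($login === '') {
        return ['error' => 'empty_username', 'message' => 'Enter a username or email address.'];
    }
    $mode = strpos($login, '@') !== false ? 'lookup-by-email' : 'lookup-by-login';
    return ['error' => null, 'mode' => $mode, 'login' => $login];
}

/**
 * Alternative the reporter floats: normalise the request array once, at the
 * top of the script, so every later consumer (core and plugins) only ever
 * sees strings in these keys. Non-string values are blanked, which the
 * existing empty-field checks then reject.
 */
function enforce_string_fields(array $post, array $keys): array
{
    foreach ($keys as $key) {
        if (array_key_exists($key, $post) && !is_string($post[$key])) {
            $post[$key] = '';
        }
    }
    return $post;
}

// Constructed request bodies: the bot shape from the ticket
// (user_login[test]=hello), with user_email added because the final commit
// covers that field too, and a normal submission for comparison.
$botPost    = ['user_login' => ['test' => 'hello'], 'user_email' => ['x' => 'y']];
$normalPost = ['user_login' => '  alice@example.org  '];

try {
    // PHP 7.x: two warnings in the error log, request continues; PHP 8+: TypeError.
    lostpassword_unguarded($botPost);
} catch (\TypeError $e) {
    echo 'Unguarded path on PHP 8: ', $e->getMessage(), PHP_EOL;
}

$result = lostpassword_guarded($botPost);
echo 'Guarded path, bot body: ', $result['error'], PHP_EOL;

$result = lostpassword_guarded($normalPost);
echo 'Guarded path, normal body: ', $result['mode'], ' for ', $result['login'], PHP_EOL;

$clean = enforce_string_fields($botPost, ['user_login', 'user_email']);
var_dump($clean);
```

Run it under PHP 7.1 and PHP 8 to see the difference the unguarded path makes: on 7.x the two warnings are exactly the ones the reporter's error log shows, on 8.x the same input becomes a fatal TypeError, which is why guarding on is_string() before trim() is the right place to stop it.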

Attachments (2)

Screen Shot 2017-05-30 at 12.20.34 PM.png (939.0 KB) - added by johnjamesjacoby 7 years ago.
Request with WP_DEBUG on
40888.patch (1.6 KB) - added by menakas 7 years ago.
Patch to address issue for user_login - use is_string to check value


Change History (10)

#1 @johnjamesjacoby
7 years ago

  • Description modified (diff)

Added a quick duplication step, and edited some grammar and typos.

@johnjamesjacoby
7 years ago

Request with WP_DEBUG on

#2 @johnjamesjacoby
7 years ago

Here are some lines from my error log, too:

2017/05/30 08:51:35 [error] 12361#12361: *315413 FastCGI sent in stderr: "PHP message: PHP Warning:  strpos() expects parameter 1 to be string, array given in /srv/www/sites/public/wordpress/wp-login.php on line 290 PHP message: PHP Warning:  trim() expects parameter 1 to be string, array given in /srv/www/sites/public/wordpress/wp-login.php on line 295" while reading response header from upstream, client: ...snip..., server: , request: "POST /wp-login.php?action=lostpassword&h8179w2l=1 HTTP/1.0", upstream: "fastcgi://unix:/var/run/php/php7.1-fpm.sock:", host: "example.org", referrer: "https://example.org/wp-login.php?action=lostpassword"

2017/05/30 08:51:36 [error] 12361#12361: *315429 FastCGI sent in stderr: "PHP message: PHP Warning:  strpos() expects parameter 1 to be string, array given in /srv/www/sites/public/wordpress/wp-login.php on line 290 PHP message: PHP Warning:  trim() expects parameter 1 to be string, array given in /srv/www/sites/public/wordpress/wp-login.php on line 295" while reading response header from upstream, client: ...snip..., server: , request: "POST /wp-login.php?action=lostpassword&qjeb3ilf=1 HTTP/1.0", upstream: "fastcgi://unix:/var/run/php/php7.1-fpm.sock:", host: "example.org", referrer: "https://example.org/wp-login.php?action=lostpassword"

2017/05/30 08:51:38 [error] 12361#12361: *315453 FastCGI sent in stderr: "PHP message: PHP Warning:  strpos() expects parameter 1 to be string, array given in /srv/www/sites/public/wordpress/wp-login.php on line 290 PHP message: PHP Warning:  trim() expects parameter 1 to be string, array given in /srv/www/sites/public/wordpress/wp-login.php on line 295" while reading response header from upstream, client: ...snip..., server: , request: "POST /wp-login.php?action=lostpassword&wyna7f2m=1 HTTP/1.0", upstream: "fastcgi://unix:/var/run/php/php7.1-fpm.sock:", host: "example.org", referrer: "https://example.org/wp-login.php?action=lostpassword"

2017/05/30 08:51:39 [error] 12361#12361: *315463 FastCGI sent in stderr: "PHP message: PHP Warning:  strpos() expects parameter 1 to be string, array given in /srv/www/sites/public/wordpress/wp-login.php on line 290 PHP message: PHP Warning:  trim() expects parameter 1 to be string, array given in /srv/www/sites/public/wordpress/wp-login.php on line 295" while reading response header from upstream, client: ...snip..., server: , request: "POST /wp-login.php?action=lostpassword&lnflscot=1 HTTP/1.0", upstream: "fastcgi://unix:/var/run/php/php7.1-fpm.sock:", host: "example.org", referrer: "https://example.org/wp-login.php?action=lostpassword"

2017/05/30 08:51:40 [error] 12361#12361: *315477 FastCGI sent in stderr: "PHP message: PHP Warning:  strpos() expects parameter 1 to be string, array given in /srv/www/sites/public/wordpress/wp-login.php on line 290 PHP message: PHP Warning:  trim() expects parameter 1 to be string, array given in /srv/www/sites/public/wordpress/wp-login.php on line 295" while reading response header from upstream, client: ...snip..., server: , request: "POST /wp-login.php?action=lostpassword&ic63oe4f=1 HTTP/1.0", upstream: "fastcgi://unix:/var/run/php/php7.1-fpm.sock:", host: "example.org", referrer: "https://example.org/wp-login.php?action=lostpassword"

The additional spammy junk parameters can be ignored for the purposes of this ticket. That's just your regular old run-of-the-mill brute-force dodging technique. :)

Last edited 7 years ago by johnjamesjacoby (previous) (diff)
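Triage of the error-log noise shown in the comment above, as an added PHP example that is not part of the ticket: it filters nginx/php-fpm error-log lines down to the "array given" warnings, and groups them by wp-login.php action, by the PHP function that complained and by client. The log lines are constructed to match the shape of the reporter's log; the client addresses and the unrelated plugin notice are placeholders.

```php
<?php
// Added example, not from the ticket: triage "array given" warning noise
// from an nginx + php-fpm error log. The sample lines below are constructed
// to match the reporter's log format; clients and hostnames are placeholders.

/** Assemble one nginx error-log line in the php-fpm "sent in stderr" shape. */
function fpm_line(string $stamp, string $client, string $request, string $phpMessages): string
{
    return $stamp . ' [error] 12361#12361: *1 FastCGI sent in stderr: "' . $phpMessages
        . '" while reading response header from upstream, client: ' . $client
        . ', server: , request: "' . $request
        . '", upstream: "fastcgi://unix:/var/run/php/php7.1-fpm.sock:", host: "example.org"';
}

$arrayWarnings = 'PHP message: PHP Warning:  strpos() expects parameter 1 to be string, array given in /srv/www/sites/public/wordpress/wp-login.php on line 290 '
    . 'PHP message: PHP Warning:  trim() expects parameter 1 to be string, array given in /srv/www/sites/public/wordpress/wp-login.php on line 295';

$logLines = [
    fpm_line('2017/05/30 08:51:35', '203.0.113.10', 'POST /wp-login.php?action=lostpassword&h8179w2l=1 HTTP/1.0', $arrayWarnings),
    fpm_line('2017/05/30 08:51:36', '203.0.113.10', 'POST /wp-login.php?action=lostpassword&qjeb3ilf=1 HTTP/1.0', $arrayWarnings),
    fpm_line('2017/05/30 08:51:38', '198.51.100.7', 'POST /wp-login.php?action=lostpassword&wyna7f2m=1 HTTP/1.0', $arrayWarnings),
    // Unrelated noise (constructed plugin notice) that the filter must skip.
    fpm_line('2017/05/30 08:52:01', '192.0.2.44', 'GET /wp-login.php HTTP/1.1',
        'PHP message: PHP Notice:  Undefined index: foo in /srv/www/sites/public/wordpress/wp-content/plugins/example/example.php on line 12'),
];

/**
 * Pull the interesting fields out of one log line. Returns null for lines
 * that do not carry an "array given" warning. One fpm line can carry several
 * PHP messages, so the warnings come back as a list.
 */
function parse_array_given_warning(string $line): ?array
{
    if (strpos($line, 'array given') === false) {
        return null;
    }
    preg_match_all(
        '/PHP Warning:\s+(\w+)\(\) expects parameter \d+ to be string, array given in (\S+) on line (\d+)/',
        $line, $matches, PREG_SET_ORDER
    );
    $warnings = [];
    foreach ($matches as $m) {
        $warnings[] = ['function' => $m[1], 'file' => basename($m[2]), 'line' => (int) $m[3]];
    }
    preg_match('/client: ([^,]+),/', $line, $client);
    preg_match('/request: "(\w+) ([^" ]+) HTTP/', $line, $request);

    // The wp-login.php action lives in the query string of the request line.
    $action = null;
    if (isset($request[2])) {
        $query = parse_url($request[2], PHP_URL_QUERY);
        if (is_string($query)) {
            parse_str($query, $params);
            $action = $params['action'] ?? null;
        }
    }
    return [
        'client'   => $client[1] ?? null,
        'method'   => $request[1] ?? null,
        'action'   => $action,
        'warnings' => $warnings,
    ];
}

/** Count offending requests per (action, function, line) and per client. */
function summarize(array $lines): array
{
    $byActionFunction = [];
    $byClient = [];
    foreach ($lines as $line) {
        $hit = parse_array_given_warning($line);
        if ($hit === null) {
            continue;
        }
        $client = $hit['client'] ?? '(unknown)';
        $byClient[$client] = ($byClient[$client] ?? 0) + 1;
        foreach ($hit['warnings'] as $w) {
            $key = ($hit['action'] ?? '(no action)') . ' / ' . $w['function'] . '() ' . $w['file'] . ':' . $w['line'];
            $byActionFunction[$key] = ($byActionFunction[$key] ?? 0) + 1;
        }
    }
    arsort($byActionFunction);
    arsort($byClient);
    return ['by_action_function' => $byActionFunction, 'by_client' => $byClient];
}

foreach (summarize($logLines) as $bucket => $counts) {
    echo $bucket, PHP_EOL;
    foreach ($counts as $key => $n) {
        printf("  %5d  %s\n", $n, $key);
    }
}
```

The per-action/function table tells you which code paths are being hit with non-string input (here strpos() and trim() in the lostpassword flow, matching the ticket), while the per-client table separates one noisy source from a broad scan; the junk query parameters the reporter mentions are ignored because only the action key is read from the query string.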

#3 @SergeyBiryukov
7 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 4.8.1

@menakas
7 years ago

Patch to address issue for user_login - use is_string to check value

#4 @menakas
7 years ago

  • Keywords needs-testing has-patch added; needs-patch removed

This ticket was mentioned in Slack in #core by jeffpaul.

7 years ago

This ticket was mentioned in Slack in #core by jeffpaul.

7 years ago

#7 @jbpaul17
7 years ago

  • Milestone changed from 4.8.1 to 4.9

Punting per today's bug scrub.

#8 @SergeyBiryukov
7 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 41782:

Login and Registration: Prevent PHP warnings when POSTing to wp-login.php with an array as a user_login or user_email field.

Props menakas, johnjamesjacoby.
Fixes #40888.
