Users without unfiltered_html capability can post arbitrary html

[xknown]

The user only needs to tamper data sent to post.php or page.php and add a field named no_filter with any value.

[xknown]

Unset $_POSTno_filter? in write_post and edit_post

[xknown]

The attached file is a proposed fix for 2.2 branch, I hope this ticket gets more attention now.

[JeremyVisser]

I can't reproduce on WP 2.2.2. Can you provide exact steps to reproduce this? Are you sure this happens on a fresh installation of WordPress? Perhaps a plugin is causing this?

Trunk is definitely not vulnerable, as grepping the source tree doesn't return anything for a search of 'no_filter'.

[westi]

Replying to JeremyVisser:

I can't reproduce on WP 2.2.2. Can you provide exact steps to reproduce this? Are you sure this happens on a fresh installation of WordPress? Perhaps a plugin is causing this?

Trunk is definitely not vulnerable, as grepping the source tree doesn't return anything for a search of 'no_filter'.

Trunk is vulnerable - search for $no_filter for more info.

[xknown]

Replying to JeremyVisser:

I can't reproduce on WP 2.2.2. Can you provide exact steps to reproduce this? Are you sure this happens on a fresh installation of WordPress? Perhaps a plugin is causing this?

Trunk is definitely not vulnerable, as grepping the source tree doesn't return anything for a search of 'no_filter'.

Try the following ​bookmarklet on wp-admin/post-new.php, it should work on WP 2.2.x

[Otto42]

I just checked out a fresh copy of trunk from svn and the text "no_filter" does not appear anywhere in it whatsoever. grep -i -r no_filter * returned no results.

This has got to be a problem with a plugin or something. Even if no_filter is set and even if you have register_globals on to turn it into $no_filter, there's no check for $no_filter anywhere in the code.

Marked as invalid.

[westi]

This is fixed on trunk.

But 2.2 has the no_filter code still it was removed for 2.3 in the changes for #4620 I think.

[Otto42]

Okay, I see the $no_filter in wp-includes/post.php, however I still fail to see how this would be expected to work. Nothing sets $no_filter anywhere. You might be able to set it if you had register_globals on (which no sane host has), however wp_unregister_GLOBALS() should unset $no_filter even in that case, when wp-settings.php gets included.

I see no possible way that this can actually work, even with 2.2.2. What am I missing here?

[Otto42]

Question to xknown (original submitter): Have you actually done this and made it work? Can you provide exact reproduction details? Or is this a purely theoretical thing you found while looking through the code?

Because I just tried it with a local install of 2.2.2 and was unable to reproduce it.

[Otto42]

Edit: AH HA! Okay, it only works when you use POST parameters. It will not work with GET parameters. register_globals is not required.

The problem is this line in admin-functions.php:
$post_ID = wp_insert_post( $_POST );

That's unsafe, you're passing $_POST directly to wp_insert_post, which then goes on to do an extract() on the variable, setting any local function variables you like.

The $_POST should be filtered for valid parameters in some fashion before passing it off to wp_insert_post().

[ryan]

xknown's patch looks like it will suffice for 2.2. 2.3 has already removed no_filter.

[ryan]

(In [6018]) Unset no_filter. Props xknown. fixes #4720