WordPress.org

Make WordPress Core

Opened 9 years ago

Closed 9 years ago

#4720 closed defect (bug) (fixed)

Users without unfiltered_html capability can post arbitrary html

Reported by: xknown Owned by:
Milestone: 2.2.3 Priority: high
Severity: major Version: 2.2.2
Component: Security Keywords: has-patch
Focuses: Cc:

Description

The user only needs to tamper data sent to post.php or page.php and add a field named no_filter with any value.

Attachments (1)

admin-functions.php.diff (635 bytes) - added by xknown 9 years ago.
Unset $_POSTno_filter? in write_post and edit_post

Download all attachments as: .zip

Change History (15)

@xknown
9 years ago

Unset $_POSTno_filter? in write_post and edit_post

#1 @xknown
9 years ago

The attached file is a proposed fix for 2.2 branch, I hope this ticket gets more attention now.

#2 follow-up: @JeremyVisser
9 years ago

I can't reproduce on WP 2.2.2. Can you provide exact steps to reproduce this? Are you sure this happens on a fresh installation of WordPress? Perhaps a plugin is causing this?

Trunk is definitely not vulnerable, as grepping the source tree doesn't return anything for a search of 'no_filter'.

#3 in reply to: ↑ 2 ; follow-up: @westi
9 years ago

Replying to JeremyVisser:

I can't reproduce on WP 2.2.2. Can you provide exact steps to reproduce this? Are you sure this happens on a fresh installation of WordPress? Perhaps a plugin is causing this?

Trunk is definitely not vulnerable, as grepping the source tree doesn't return anything for a search of 'no_filter'.

Trunk is vulnerable - search for $no_filter for more info.

#4 @Nazgul
9 years ago

  • Milestone set to 2.2.3

#5 @Nazgul
9 years ago

  • Keywords has-patch added
  • Priority changed from normal to high
  • Severity changed from normal to major

#6 in reply to: ↑ 3 @xknown
9 years ago

Replying to JeremyVisser:

I can't reproduce on WP 2.2.2. Can you provide exact steps to reproduce this? Are you sure this happens on a fresh installation of WordPress? Perhaps a plugin is causing this?

Trunk is definitely not vulnerable, as grepping the source tree doesn't return anything for a search of 'no_filter'.

Try the following bookmarklet on wp-admin/post-new.php, it should work on WP 2.2.x

#7 @Otto42
9 years ago

  • Milestone 2.2.3 deleted
  • Resolution set to invalid
  • Status changed from new to closed

I just checked out a fresh copy of trunk from svn and the text "no_filter" does not appear anywhere in it whatsoever. grep -i -r no_filter * returned no results.

This has got to be a problem with a plugin or something. Even if no_filter is set and even if you have register_globals on to turn it into $no_filter, there's no check for $no_filter anywhere in the code.

Marked as invalid.

#8 @Otto42
9 years ago

  • Version 2.2.2 deleted

#9 @westi
9 years ago

  • Milestone set to 2.2.3
  • Resolution invalid deleted
  • Status changed from closed to reopened
  • Version set to 2.2.2

This is fixed on trunk.

But 2.2 has the no_filter code still it was removed for 2.3 in the changes for #4620 I think.

#10 @Otto42
9 years ago

Okay, I see the $no_filter in wp-includes/post.php, however I still fail to see how this would be expected to work. Nothing sets $no_filter anywhere. You might be able to set it if you had register_globals on (which no sane host has), however wp_unregister_GLOBALS() should unset $no_filter even in that case, when wp-settings.php gets included.

I see no possible way that this can actually work, even with 2.2.2. What am I missing here?

#11 @Otto42
9 years ago

Question to xknown (original submitter): Have you actually done this and made it work? Can you provide exact reproduction details? Or is this a purely theoretical thing you found while looking through the code?

Because I just tried it with a local install of 2.2.2 and was unable to reproduce it.

#12 @Otto42
9 years ago

Edit: AH HA! Okay, it only works when you use POST parameters. It will not work with GET parameters. register_globals is not required.

The problem is this line in admin-functions.php:
$post_ID = wp_insert_post( $_POST );

That's unsafe, you're passing $_POST directly to wp_insert_post, which then goes on to do an extract() on the variable, setting any local function variables you like.

The $_POST should be filtered for valid parameters in some fashion before passing it off to wp_insert_post().

#13 @ryan
9 years ago

xknown's patch looks like it will suffice for 2.2. 2.3 has already removed no_filter.

#14 @ryan
9 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [6018]) Unset no_filter. Props xknown. fixes #4720

Note: See TracTickets for help on using tickets.