Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#50308 closed enhancement (invalid)

CSS Customizer control field - vulnerability / hack prevention

Reported by: marcorinia
Owned by: (none)
Milestone: (none)
Priority: normal
Severity: normal
Version: (none)
Component: Security
Keywords: (none)
Focuses: (none)
Cc: (none)

Description

Enhancement WP Core idea:

In the standard WP Customizer CSS control field it is possible to add custom CSS, JavaScript and also PHP code. This feature is great but also dangerous, for example for database injection scripts used for hacking sites.

Is it possible to make this CSS control field more secure, to prevent the execution of hack scripts in some way? Maybe with some regular expressions or with real-time validation of the input code before saving and updating it.

Attachments (1)

image_e04073ea-0775-493f-8914-06b53561a20320200603_092537.jpg (109.7 KB) - added by marcorinia 4 years ago.
screenshot script code add in CSS control


Change History (6)

@marcorinia
4 years ago

screenshot script code add in CSS control

#1 follow-up: @audrasjb
4 years ago

  • Focuses javascript css coding-standards removed
  • Keywords close added
  • Severity changed from major to normal

Hi @marcorinia and welcome to WordPress Trac,

Custom CSS inputs are already tested; you should not be able to use JS scripts in this field, and PHP snippets aren't executed.

Also, please note that security issues should be reported on WordPress security program, not on WordPress Trac (there was a message about that when you submitted your ticket).

#2 in reply to: ↑ 1 @marcorinia
4 years ago

Replying to audrasjb:

Hi @marcorinia and welcome to WordPress Trac,

Custom CSS inputs are already tested; you should not be able to use JS scripts in this field, and PHP snippets aren't executed.

Also, please note that security issues should be reported on WordPress security program, not on WordPress Trac (there was a message about that when you submitted your ticket).

Hi @audrasjb,

Thank you for responding very fast and for your clear explanation.

I didn't understand where and how to submit a ticket to the WP security program. That's why I submitted it here. Sorry for that.

Greetings,

Marco

#3 follow-up: @marcorinia
4 years ago

Maybe @ramonfincken has some extra additions/improvements for more security to add to this security aspect of the standard CSS field in the Customizer?

Last edited 4 years ago by marcorinia

#4 in reply to: ↑ 3 @ramon fincken
4 years ago

Replying to marcorinia:

Maybe @ramonfincken has some extra additions/improvements for more security to add to this security aspect of the standard CSS field in the Customizer?

Not quite... there is a capability named unfiltered_html (https://wordpress.org/support/article/roles-and-capabilities/#unfiltered_html), so in line with that you might want to give CSS and JS only to the (full) admin role level. All others get CSS only.

But... that does NOT fix any DB injections that will take place with crappy plugins. You need some filtering. I am not aware of any 100% true-positive regex filter to filter out any bad line of JS.
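As an added illustration of the capability-based split suggested in the comment above (this is example code written for this page, not code from the ticket or from WordPress core): core already rejects tag-like markup in the "Additional CSS" setting, and a site owner can layer a further, capability-gated rule on top of it through the `customize_validate_{$setting_id}` filter that `WP_Customize_Setting::validate()` applies. The setting id `custom_css[<stylesheet>]`, the hook priorities and the set of CSS constructs treated as script vectors are assumptions of this example.

```php
<?php
/**
 * Added example (not from this ticket or from WordPress core):
 * tighten what the Customizer "Additional CSS" setting accepts,
 * depending on whether the saving user holds unfiltered_html.
 *
 * Assumes a standard install where core registers the setting
 * "custom_css[<stylesheet>]" on customize_register at priority 10,
 * so we hook at 20 to be sure the setting exists.
 */
add_action( 'customize_register', function ( WP_Customize_Manager $wp_customize ) {
	$setting_id = 'custom_css[' . get_stylesheet() . ']';
	if ( ! $wp_customize->get_setting( $setting_id ) ) {
		return; // A theme or plugin removed the setting; nothing to tighten.
	}

	// WP_Customize_Setting::validate() passes ( $validity, $value, $setting ).
	add_filter( "customize_validate_{$setting_id}", function ( $validity, $css ) {
		if ( ! ( $validity instanceof WP_Error ) ) {
			$validity = new WP_Error();
		}

		// Defence in depth: CSS never needs angle-bracket markup, so anything
		// that looks like a tag (an opening <script> or a closing </style>
		// that would break out of the style block) is refused outright.
		if ( preg_match( '#</?\w+#', $css ) ) {
			$validity->add( 'illegal_markup', 'Markup is not allowed in CSS.' );
		}

		// Legacy CSS constructs that some browsers treat as script
		// (assumed list for this example) are reserved for users who may
		// already publish unfiltered HTML; everyone else gets plain CSS only.
		$script_vectors = '/(expression\s*\(|behavior\s*:|-moz-binding\s*:|javascript\s*:)/i';
		if ( ! current_user_can( 'unfiltered_html' ) && preg_match( $script_vectors, $css ) ) {
			$validity->add(
				'restricted_css',
				'This CSS feature is only available to users with the unfiltered_html capability.'
			);
		}

		return $validity; // An error with no codes is treated by core as valid.
	}, 10, 2 );
}, 20 );
```

A rejected value is shown to the user as a validation notice in the Customizer and is never saved, so the check runs before the CSS reaches the database.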

#5 @desrosj
4 years ago

  • Keywords close removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from assigned to closed
  • Version 5.4.1 deleted

Hi @marcorinia,

Welcome to Trac!

Thanks for this ticket. I am not seeing any actionable items here. Without being able to identify a specific problem that we are trying to solve, it's not really feasible to explore changes to make. If there are specific attack vectors, then those should be detailed and disclosed responsibly to the security team.

As for the security policy, you can find a detailed breakdown of the project's security policy here: https://wordpress.org/about/security/. The best place to disclose security vulnerabilities is on the project's HackerOne: https://hackerone.com/wordpress
