#59795 closed defect (bug) (fixed)
Private Information Exposure via redirect_guess_404_permalink()
Reported by: |
|
Owned by: |
|
---|---|---|---|
Milestone: | 6.5 | Priority: | normal |
Severity: | minor | Version: | |
Component: | Canonical | Keywords: | has-patch has-unit-tests |
Focuses: | privacy | Cc: |
Description
When guessing the proper URL to redirect a 404, WordPress only considers the post statuses and not the proper post type privacy settings, leading to potential information disclosure. More specifically, this happens when a post type is set to public => true but publicly_queryable => false, which is supposed to be private.
### Steps to replicate
- register a custom post type with the following settings
- public => true
- publicly_queryable => false
- create an entry in the new custom post type, for example I used as title "info@…"
- access a 404 page similar to content, eg. example.com/info and in the redirect it will disclose the private slug
_
Note: the ticket has been discussed with the Security team and there is already a patch available, planned to be released.
Attachments (1)
Change History (17)
#1
@
15 months ago
- Component changed from General to Canonical
- Milestone changed from Awaiting Review to 6.5
- Owner set to peterwilsoncc
- Status changed from new to assigned
This ticket was mentioned in PR #5673 on WordPress/wordpress-develop by @rajinsharwar.
15 months ago
#3
- Keywords has-patch has-unit-tests added
Adding the proper SQL code using wpdb:prepare, and unit tests.
Trac ticket: https://core.trac.wordpress.org/ticket/59795
#4
@
15 months ago
Hi @peterwilsoncc, I tried to test your patch, but it seems that in MySQL 8.0.16, the following error shows up on the 404 page: https://prnt.sc/UM-8i_df528e
So, I sent a new patch with the unit tests.
This ticket was mentioned in PR #5867 on WordPress/wordpress-develop by @peterwilsoncc.
13 months ago
#5
Trac ticket: https://core.trac.wordpress.org/ticket/59795
#6
follow-ups:
↓ 8
↓ 9
@
13 months ago
I've revised my original patch in the linked pull request
- Redirects are limited to publicly queryable and searchable post types
- Unlike my original patch the post type
WHERE
clause is modified in theget_query_var( 'post_type' )
block to avoid SQL errors - Added a unit test for a post type registered with
['public'=>true,'publicly_queryable'=>false]
Testing notes:
- Add this mini-plugin to
wp-content/mu-plugins
- Go to the WordPress Dashboard > Private Posts > Add new Post
- Publish a post with the title "59795 Private Post"
- In a private/incognito browser window, visit
http://localhost/59795
(replacinglocalhost
as appropriate for your test environment) - On this branch you should see a 404 error, on trunk you should be redirected to
http://localhost/pwcc_private_post/59795-private-post/
@FrancescoCarlucci If you have bandwidth, are you able to assist by testing the pull request? A copy of WordPress built from the PR can be found by visiting the PR's checks tab, clicking on "Test Build Processes" in the navigation and downloading the wordpress-build-???
artifact.
@peterwilsoncc commented on PR #5673:
13 months ago
#7
@Rajinsharwar I've created a follow up PR https://github.com/WordPress/wordpress-develop/pull/5867 which incorporates your fix to my original, flawed, patch.
Rather than modify assertCanonical, it uses a different test to ensure that private posts are not redirected to.
#8
in reply to:
↑ 6
@
13 months ago
Sure, I'll give it a try in the next few days!
Thank you!
Replying to peterwilsoncc:
I've revised my original patch in the linked pull request
- Redirects are limited to publicly queryable and searchable post types
- Unlike my original patch the post type
WHERE
clause is modified in theget_query_var( 'post_type' )
block to avoid SQL errors- Added a unit test for a post type registered with
['public'=>true,'publicly_queryable'=>false]
Testing notes:
- Add this mini-plugin to
wp-content/mu-plugins
- Go to the WordPress Dashboard > Private Posts > Add new Post
- Publish a post with the title "59795 Private Post"
- In a private/incognito browser window, visit
http://localhost/59795
(replacinglocalhost
as appropriate for your test environment)- On this branch you should see a 404 error, on trunk you should be redirected to
http://localhost/pwcc_private_post/59795-private-post/
@FrancescoCarlucci If you have bandwidth, are you able to assist by testing the pull request? A copy of WordPress built from the PR can be found by visiting the PR's checks tab, clicking on "Test Build Processes" in the navigation and downloading the
wordpress-build-???
artifact.
#9
in reply to:
↑ 6
@
13 months ago
@peterwilsoncc Tested, it works well on my side :)
Replying to peterwilsoncc:
I've revised my original patch in the linked pull request
- Redirects are limited to publicly queryable and searchable post types
- Unlike my original patch the post type
WHERE
clause is modified in theget_query_var( 'post_type' )
block to avoid SQL errors- Added a unit test for a post type registered with
['public'=>true,'publicly_queryable'=>false]
Testing notes:
- Add this mini-plugin to
wp-content/mu-plugins
- Go to the WordPress Dashboard > Private Posts > Add new Post
- Publish a post with the title "59795 Private Post"
- In a private/incognito browser window, visit
http://localhost/59795
(replacinglocalhost
as appropriate for your test environment)- On this branch you should see a 404 error, on trunk you should be redirected to
http://localhost/pwcc_private_post/59795-private-post/
@FrancescoCarlucci If you have bandwidth, are you able to assist by testing the pull request? A copy of WordPress built from the PR can be found by visiting the PR's checks tab, clicking on "Test Build Processes" in the navigation and downloading the
wordpress-build-???
artifact.
francescocarlucci commented on PR #5867:
13 months ago
#10
Tested, it works on my side!
@peterwilsoncc commented on PR #5867:
12 months ago
#12
@peterwilsoncc commented on PR #5673:
12 months ago
#13
Follow up PR merged in merged r57645 / https://github.com/WordPress/wordpress-develop/commit/96de28cc29774aeb4577b0d314e6b1724c1804ae
This ticket was mentioned in Slack in #core-test by oglekler. View the logs.
11 months ago
#15
@
10 months ago
Hi,
I'm sorry in advance because I'm not sure that's the right way to ask this question…
Why hasn't this ticket been patched for all major WordPress versions?
To this day, this problem is referenced as a security vulnerability (as you can see here: https://patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-plugin-6-4-3-sensitive-information-exposure-via-redirect-guess-404-permalink-vulnerability?_a_id=431) and therefore generates alerts (as with Solid Security, for example) until websites are in version 6.5.
I thought WordPress didn't require major updates to get security patches, so I'm surprised.
Thanks
#16
@
10 months ago
This ticket was closed on a completed milestone.
If you have a bug or enhancement to report, please open a new ticket. Be sure to mention this ticket, #59795.
You can't expect support for older versions, see https://wordpress.org/documentation/article/supported-versions/
WordPress may fix older versions as it's technically possible. A new ticket is needed, as per above.
I've put this on the 6.5 milestone to include it in the next release.
59795.diff modifies the SQL query for recovering from 404 errors. I'll convert it to a pull request to include tests and any tidy-up that is required. I don't expect I'll get to this prior to the 6.4 release.
Thanks for the report @FrancescoCarlucci and getting in touch with the team prior to posting publicly.