Make WordPress Core

Opened 7 weeks ago

#63065 new defect (bug)

Reject nonce if presented as array

Reported by: leedxw
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 6.7.2
Component: General
Keywords: has-patch
Focuses:
Cc:

Description

An attacker against /wp-comments-post.php is causing the following warning (suggesting the nonce is not checked to be a string).

PHP Warning:  Array to string conversion in /var/www/html/wp-includes/pluggable.php on line 2355

I was able to reproduce this by switching akismet_comment_nonce to be an array (on a site with Akismet installed).

curl \
 -F author=test -F email=test@example.com \
 -F comment=test \
 -F comment_parent=0 -F comment_post_ID=1 \
 -F akismet_comment_nonce[1]=123 -F ak_js_1=123 \
 http://localhost/wp-comments-post.php

Suggested fix is for wp_verify_nonce() to return false if nonce is an array before any string functions are applied.

Attachments (1)

nonce_array.patch (493 bytes) - added by leedxw 7 weeks ago.
Change wp_verify_nonce() to reject arrays


Change History (1)

@leedxw
7 weeks ago

Change wp_verify_nonce() to reject arrays
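
The type check suggested in the description, sketched as an added example that is neither the attached patch nor WordPress code. `DEMO_SECRET`, `demo_make_nonce()`, `demo_verify_nonce()` and the action name `comment_1` are hypothetical, and the request bodies are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a nonce verifier; this is not wp_verify_nonce().
const DEMO_SECRET = 'constructed-demo-key'; // constructed value

function demo_make_nonce(string $action): string
{
    return substr(hash_hmac('sha256', $action, DEMO_SECRET), 0, 10);
}

/**
 * Rejects any non-string input before a string function touches it.
 *
 * @param mixed $nonce Raw request value: string, array or null.
 */
function demo_verify_nonce($nonce, string $action): bool
{
    // A form field sent as name[1]=123 arrives as an array. Casting it to a
    // string raises "Array to string conversion" and yields the text "Array".
    if (!is_string($nonce) || $nonce === '') {
        return false;
    }
    // Both arguments are strings here, so hash_equals() cannot throw.
    return hash_equals(demo_make_nonce($action), $nonce);
}

// Constructed request bodies, parsed the way PHP fills $_POST.
parse_str('akismet_comment_nonce[1]=123&comment=test', $asArray);
parse_str('akismet_comment_nonce=' . demo_make_nonce('comment_1') . '&comment=test', $asString);
parse_str('comment=test', $missing);

$cases = ['array' => $asArray, 'string' => $asString, 'missing' => $missing];
foreach ($cases as $label => $post) {
    $ok = demo_verify_nonce($post['akismet_comment_nonce'] ?? null, 'comment_1');
    printf("%-8s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Only the `string` case is accepted. The `array` and `missing` cases return false without emitting a warning, so malformed requests no longer fill the error log.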
