#8291 closed defect (bug) (wontfix)
Missed int casting on wp-admin/users.php (harmless xss?)
| Reported by: | g30rg3x | Owned by: | ryan |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | trivial | Version: | |
| Component: | Security | Keywords: | has-patch commit dev-feedback |
| Focuses: | | Cc: | |
Description
Around Lines 126 to 151...
```php
if ( empty($_REQUEST['users']) )
	$userids = array(intval($_REQUEST['user']));
else
	$userids = $_REQUEST['users'];
...
foreach ( (array) $userids as $id ) {
	$user = new WP_User($id);
	if ( $id == $current_user->ID ) {
		echo "<li>" . sprintf(__('ID #%1s: %2s <strong>The current user will not be deleted.</strong>'), $id, $user->user_login) . "</li>\n";
	} else {
		echo "<li><input type=\"hidden\" name=\"users[]\" value=\"{$id}\" />" . sprintf(__('ID #%1s: %2s'), $id, $user->user_login) . "</li>\n";
		$go_delete = true;
	}
}
```
As we can see in the present code, $id comes from either the users or the user HTTP request variable; user is properly cast to integer, but users is not, so it could lead to an XSS attack.
However, in order to work, the attacker needs at least to know a valid nonce, which is kind of hard, so it turns out to be a harmless (or poor) XSS.
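The following is an added example, not the ticket's patch or WordPress code. It places the shape of the code quoted above (only the single `user` value cast, the `users[]` array taken as-is) next to a hardened version that casts every element with `array_map('intval', ...)`, drops ids that do not survive the cast, and escapes on output as well. It goes slightly beyond the ticket by also rejecting non-positive ids. The helper names `lookup_user_login`, `user_ids_unsafe`, `user_ids_safe` and `render_user_rows` are assumptions for this example; WordPress itself uses `WP_User` and `esc_attr()`.

```php
<?php
// Added example, not the WordPress patch. Helper names below are
// assumptions for this illustration; WordPress uses WP_User/esc_attr().

// Constructed stand-in for the user table lookup.
function lookup_user_login($id) {
    $users = [1 => 'admin', 2 => 'editor', 7 => 'author'];
    return isset($users[$id]) ? $users[$id] : '';
}

// Shape of the code in the ticket: only the scalar 'user' value is cast;
// the 'users[]' array flows through untouched into a value="" attribute.
function user_ids_unsafe(array $request) {
    if (empty($request['users'])) {
        return [intval($request['user'])];
    }
    return $request['users'];
}

// Hardened shape: cast every element, then keep only positive ids so a
// value that intval() turned into 0 cannot reach the delete list.
function is_positive_id($id) {
    return $id > 0;
}
function user_ids_safe(array $request) {
    if (empty($request['users'])) {
        $ids = [intval($request['user'])];
    } else {
        $ids = array_map('intval', (array) $request['users']);
    }
    return array_values(array_filter($ids, 'is_positive_id'));
}

// Output side: escape everything that lands in markup, whichever list it
// came from (defence in depth, in case a caller forgets the cast).
function render_user_rows(array $ids, $current_user_id) {
    $html = '';
    foreach ($ids as $id) {
        $id_attr = htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8');
        $login   = htmlspecialchars(lookup_user_login((int) $id), ENT_QUOTES, 'UTF-8');
        if ($id == $current_user_id) {
            $html .= "<li>ID #{$id_attr}: {$login} <strong>The current user will not be deleted.</strong></li>\n";
        } else {
            $html .= "<li><input type=\"hidden\" name=\"users[]\" value=\"{$id_attr}\" />ID #{$id_attr}: {$login}</li>\n";
        }
    }
    return $html;
}

// Constructed request (hypothetical): one clean id, one carrying markup
// characters, one that is not a number at all.
$request = ['users' => ['2', '7<not-a-number>', 'abc']];

var_dump(user_ids_unsafe($request)); // ['2', '7<not-a-number>', 'abc'] passes straight through
var_dump(user_ids_safe($request));   // [2, 7]: cast to int, 'abc' -> 0 and dropped

echo render_user_rows(user_ids_safe($request), 1);
```

Casting alone is what the ticket asks for, and it is enough for this code path because an integer cannot carry markup. Escaping on output in `render_user_rows` is the second layer: it makes the template safe even if a future caller hands it raw strings again.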
Attachments (2)
Change History (9)
#3
@
16 years ago
- Keywords 2nd-opinion removed
- Resolution fixed deleted
- Severity changed from minor to trivial
- Status changed from closed to reopened
Sorry for reopening the ticket...
But the legacy branch (2.0) has the same defect.
#4
@
16 years ago
- Milestone changed from 2.7 to 2.0.12
- Version 2.7 deleted
Forgot to change Milestone and Version.
#5
@
16 years ago
- Keywords commit dev-feedback added
Is this going to be applied to the legacy branch at all? commit or wontfix please :)
For Trunk