
Opened 5 years ago

Closed 5 years ago

#8291 closed defect (bug) (wontfix)

Missed int casting on wp-admin/users.php (harmless xss?)

Reported by: g30rg3x
Owned by: ryan
Milestone: 2.0.12
Priority: normal
Severity: trivial
Version:
Component: Security
Keywords: has-patch commit dev-feedback
Focuses:
Cc:

Description

Around Lines 126 to 151...

	if ( empty($_REQUEST['users']) )
		$userids = array(intval($_REQUEST['user']));   // single 'user' value: cast to int
	else
		$userids = $_REQUEST['users'];                 // 'users' array: used as-is, no cast
	...
	foreach ( (array) $userids as $id ) {
		$user = new WP_User($id);
		if ( $id == $current_user->ID ) {
			echo "<li>" . sprintf(__('ID #%1s: %2s <strong>The current user will not be deleted.</strong>'), $id, $user->user_login) . "</li>\n";
		} else {
			// $id is echoed into the value attribute and the list item unescaped
			echo "<li><input type=\"hidden\" name=\"users[]\" value=\"{$id}\" />" . sprintf(__('ID #%1s: %2s'), $id, $user->user_login) . "</li>\n";
			$go_delete = true;
		}
	}


As we can see in the present code, $id comes from either the users or the user HTTP request variable; user is properly cast to integer but users is not, so it could lead to an XSS attack.
However, in order for it to work, the attacker needs at least to know a valid nonce, which is kinda hard, so it turns out to be a harmless (or poor) XSS.
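As an added illustration (my own code, not the attached users.php.diff, whose contents this ticket page does not show): the same loop with the integer cast applied to both request branches and the login escaped on output. The helper names, the `$logins` lookup array standing in for `WP_User`, and the sample request are constructed for this example and are not part of WordPress.

```php
<?php
// Added example, not the ticket's patch: cast every submitted user ID to int,
// whichever request variable it arrived in, and escape what is echoed back.

/**
 * Normalise raw request input into a list of positive integer user IDs.
 * Anything non-numeric becomes 0 through intval() and is dropped.
 */
function sanitize_user_ids( array $request ) {
    if ( empty( $request['users'] ) ) {
        $ids = array( isset( $request['user'] ) ? $request['user'] : 0 );
    } else {
        $ids = (array) $request['users'];
    }
    // The 'users' branch was the uncasted one in the reported code;
    // array_map('intval') covers both branches uniformly.
    $ids = array_map( 'intval', $ids );
    $ids = array_filter( $ids, function ( $id ) { return $id > 0; } );
    return array_values( $ids );
}

/**
 * Render the delete-confirmation list. With integer IDs the hidden input's
 * value attribute can no longer carry markup; htmlspecialchars() on the
 * login is the second layer, since a login is attacker-influenced text too.
 * $logins is a constructed id => user_login map standing in for WP_User.
 */
function render_delete_list( array $ids, $current_user_id, array $logins ) {
    $current_user_id = (int) $current_user_id;
    $html = '';
    foreach ( $ids as $id ) {
        $raw_login = isset( $logins[ $id ] ) ? $logins[ $id ] : '';
        $login = htmlspecialchars( $raw_login, ENT_QUOTES, 'UTF-8' );
        if ( $id === $current_user_id ) {
            $html .= "<li>ID #{$id}: {$login} <strong>The current user will not be deleted.</strong></li>\n";
        } else {
            $html .= "<li><input type=\"hidden\" name=\"users[]\" value=\"{$id}\" />ID #{$id}: {$login}</li>\n";
        }
    }
    return $html;
}

// Constructed sample request: two valid IDs plus two entries that are not IDs at all.
$request = array( 'users' => array( '7', 'not-a-number', '<i>x</i>', '3' ) );
$ids     = sanitize_user_ids( $request );   // array( 7, 3 )
$logins  = array( 7 => 'alice', 3 => 'bob <admin>' );
echo render_delete_list( $ids, 3, $logins );
```

The two non-numeric entries collapse to 0 and are discarded before anything reaches the page, and the `<` in the constructed login is emitted as `&lt;`. The nonce check the reporter mentions still belongs in front of this code; the cast and the escaping only remove the injection path once a request gets that far.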

Attachments (2)

users.php.diff (462 bytes) - added by g30rg3x 5 years ago.
For Trunk
legacy.users.php.diff (515 bytes) - added by g30rg3x 5 years ago.
For Legacy Branch (2.0)


Change History (8)

g30rg3x, 5 years ago

For Trunk

comment:1 ryan, 5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [9814]) Cast to int. Props g30rg3x. fixes #8291

comment:2 ryan, 5 years ago

(In [9815]) Cast to int. Props g30rg3x. fixes #8291

comment:3 g30rg3x, 5 years ago

  • Keywords 2nd-opinion removed
  • Resolution fixed deleted
  • Severity changed from minor to trivial
  • Status changed from closed to reopened

Sorry for reopening the ticket...
But legacy branch (2.0) has the same defect.

comment:4 g30rg3x, 5 years ago

  • Milestone changed from 2.7 to 2.0.12
  • Version 2.7 deleted

Forgot to change Milestone and Version.

g30rg3x, 5 years ago

For Legacy Branch (2.0)

comment:5 DD32, 5 years ago

  • Keywords commit dev-feedback added

Is this going to be applied to the legacy branch at all? commit or wontfix please :)

comment:6 Denis-de-Bernardy, 5 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed