Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential XSS issue with add_query_arg() and remove_query_arg() #39

Closed
quassy opened this issue Apr 24, 2015 · 5 comments
Closed

Potential XSS issue with add_query_arg() and remove_query_arg() #39

quassy opened this issue Apr 24, 2015 · 5 comments

Comments

@quassy
Copy link
Contributor

quassy commented Apr 24, 2015

As you may know quite recently there was news that WordPress plugins could suffer from a XSS vulnerability if they use add_query_arg() and remove_query_arg() without properly sanitizing the data. When the optional third parameter of these functions is omitted, $_SERVER['REQUEST_URI'] is used unescaped, more info here.

Checking your source it seems the functions are used in the following lines of feedwordpress.php:

I am not actually sure if FeedWordPress is vulnerable but I think it should be looked at and esc_url() or esc_raw_url() be added.
@talgalili
Copy link
Contributor

Hi Quassy,
Do you know if WP 4.1.3 is immune to this issue?

@quassy
Copy link
Contributor Author

quassy commented Apr 24, 2015

I don't think so. As I understand it the two functions were never meant to escape their inputs / outputs. It was a bug in the documentation which led plugin developers to falsely assume it does and resulted in implementing this security hole unknowningly.

Background: Due to a now-fixed ambiguity in the documentation for the add_query_arg() and remove_query_arg() functions, many plugins were using them incorrectly, allowing for potential XSS attack vectors in their code.

Release notes / blog posts of 4.2 and 4.1.3 don't mention that the issue was fixed, while 4.1.2 mentions it and calls on developers to fix their plugins.

@talgalili
Copy link
Contributor

VERY risky stuff.
Since radgeek does not update the plugin often, any chance you'd know how to fix this?

@quassy
Copy link
Contributor Author

quassy commented Apr 24, 2015

I am by no means a WordPress or plugin developer, so take this with two spoons of salt and pepper!... I don't actually know what's happening with $sendback at line 1287. I have the feeling the variable is only declared to never be used again, so what's the point? Still I would change the line to

$sendback = esc_url( remove_query_arg( array('trashed', 'untrashed', 'deleted', 'zapped', 'unzapped', 'ids'), $sendback ) );

1327:

wp_redirect( esc_url_raw( add_query_arg( array('zapped' => 1, 'ids' => $post_id), $sendback ) ) );

1339:

wp_redirect( esc_url_raw( add_query_arg( array('unzapped' => 1, 'ids' => $post_id), $sendback ) ) );

So basically adding ´esc_url()´ every time the URL might be printed somewhere and adding ´esc_url_raw()´ every time the URL is used for a header.

@talgalili
Copy link
Contributor

Well, let's hope someone who knows more then both of us will give this a look :)

Thank you very much for the report! 👍

radgeek added a commit that referenced this issue Apr 26, 2015
@radgeek
Merge pull request #40 from quassy/patch-1
acd9749 
This should fix #39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@quassy @talgalili