• Resolved aswinnair

    (@aswinnair)


    Our site security scan found a vulnerability in this plugin's code. One part of the code is below. Can somebody help with how to remove this error?

    Method redirect_to_mapped_domain at line 707 of GetUser.jsp gets user input for the _SERVER
    element. This element’s value then flows through the code without being properly sanitized or
    validated and is eventually displayed to the user in method DisplayDetails() at line 73 of
    ShowScreen.jsp. This may enable a Cross-Site-Scripting attack.

    ….
    707. $_SERVER[ 'REQUEST_URI' ] = str_replace( $current_blog->path, '/', $_SERVER[ 'REQUEST_URI' ] );
    ….
    709. header( "Location: {$url}{$_SERVER[ 'REQUEST_URI' ]}", true, $redirect );

    https://www.ads-software.com/plugins/wordpress-mu-domain-mapping/

Viewing 8 replies - 1 through 8 (of 8 total)
  • deltafactory

    (@deltafactory)

    I can’t tell if this is spam.

    To the author: The function you reference is part of a PHP codebase but the pages and functions you reference would seem to be written in JSP, or at the very least in other code that uses InitCaps() instead of underscore_names() for function names.

    The value you reference is the URI requested by the user. Can you provide an example of an XSS attack, especially one that would affect a third party?

    Thread Starter aswinnair

    (@aswinnair)

    Our scanning tool generated those .js files, but the vulnerability still exists. See another part of the code that needs a fix. Any help?

    ….
    136. $domain = strtolower( $_POST[ 'domain' ] );
    ….
    155. $wpdb->query( $wpdb->prepare( "UPDATE {$wpdb->dmtable} SET blog_id = %d, domain = %s, active = %d WHERE domain = %s", $_POST[ 'blog_id' ], $domain, $_POST[ 'active' ], $_POST[ 'orig_domain' ] ) );

    deltafactory

    (@deltafactory)

    The line numbers don’t match the latest build that I’m using but the $wpdb->prepare() method in line 155 does the escaping.

    See here: https://codex.www.ads-software.com/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks

    Thread Starter aswinnair

    (@aswinnair)

    Let me check. Can you tell me how to protect the $_SERVER[ 'REQUEST_URI' ] value from getting attacked? THANKS A LOT

    header( "Location: {$url}{$_SERVER[ 'REQUEST_URI' ]}", true, $redirect );

    deltafactory

    (@deltafactory)

    Can you explain how this might be used in an attack? The result is sending a redirect response to the requester.

    If an “attacker” had control over the URL being chosen then they could just as easily have specified the final URL that this method would return.

    Simply because user input isn’t run through an escaping function doesn’t make it vulnerable. It’s good that you’re checking for these things but it would be helpful to provide a viable scenario.
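
On the question of how to treat `$_SERVER['REQUEST_URI']` before it goes into a `Location` header, here is an added example that is not part of the thread and not the plugin's code. `build_redirect_location()` is a hypothetical helper, the prefix-only path removal is this example's own choice, and the host name and paths are constructed samples.

```php
<?php
// Added example, not the plugin's code. build_redirect_location() is a hypothetical helper.

function build_redirect_location(string $base_url, string $request_uri, string $blog_path): ?string
{
    // Refuse control characters (CR, LF, NUL, ...) instead of silently stripping them.
    if (preg_match('/[\x00-\x1F\x7F]/', $request_uri)) {
        return null;
    }

    // Remove the blog path only as a prefix; str_replace() rewrites every occurrence.
    if ($blog_path !== '/' && strpos($request_uri, $blog_path) === 0) {
        $request_uri = '/' . substr($request_uri, strlen($blog_path));
    }

    // Collapse leading slashes and backslashes so the value is one path rooted at "/".
    $request_uri = '/' . ltrim($request_uri, '/\\');

    // Percent-encode every byte outside the URL-safe set; "%" is kept so that
    // existing escapes are not double-encoded.
    $encode = static function (string $s): string {
        return preg_replace_callback(
            '/[^A-Za-z0-9\-._~!$&\'()*+,;=:@\/%?]/',
            static fn(array $m): string => rawurlencode($m[0]),
            $s
        );
    };

    // Path and query are encoded separately and appended to the trusted base URL.
    $parts = explode('?', $request_uri, 2);
    $location = rtrim($base_url, '/') . $encode($parts[0]);
    if (isset($parts[1])) {
        $location .= '?' . $encode($parts[1]);
    }
    return $location;
}

// Constructed sample inputs: a normal request, one with CR/LF, one with markup characters.
$base = 'https://mapped.example';
var_dump(build_redirect_location($base, '/site1/2015/05/post/?p=1', '/site1/'));
var_dump(build_redirect_location($base, "/site1/page\r\nX-Test: 1", '/site1/'));
var_dump(build_redirect_location($base, '/site1/a b"<c>', '/site1/'));
```

Inside WordPress itself, `wp_safe_redirect()` sanitizes the target and checks its host against an allowed list before sending the header.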

    Thread Starter aswinnair

    (@aswinnair)

    Ok. I have downloaded the latest version and the scanner didn’t report any issues. Thanks for all your help. Really appreciate it.

    deltafactory

    (@deltafactory)

    You’re welcome! Thanks for checking and sorry for thinking you were spam.

    Please mark as resolved if appropriate, thanks!

    Thread Starter aswinnair

    (@aswinnair)

    thanks..

  • The topic ‘wordpress-mu-domain-mapping – Security issue’ is closed to new replies.