Mr Green movie,PHLBOSS link.Recharge Every day and Get Bonus up-to 50%!

_ck_
(@_ck_)

11 years, 6 months ago

Note there is a security hole in this plugin where if a user is allowed to map their own domains via the wp-admin tools interface, they can just enter a subdomain of the current wordpress network and take it over.

So for example if www.ads-software.com was running mu and this plugin and you were at blah.www.ads-software.com and the admin menu was active, they can map news.www.ads-software.com over their blog

There needs to be a security check that that the domain they entered is not a subdomain of the current network, even if it is not active.

https://www.ads-software.com/plugins/wordpress-mu-domain-mapping/

Viewing 5 replies - 1 through 5 (of 5 total)

Plugin Author Ron Rennick
(@wpmuguru)

11 years, 6 months ago

While it is fair enough that It allows them to direct the subdomain URL to their own site, it is not a security issue.

Doing that does not give them access to any data or admin screens that they did not already have access to.
Thread Starter _ck_
(@_ck_)

11 years, 6 months ago
It’s a security issue if users can control how your site behaves.

The entire sanitation check is highly dubious in this plugin and not robust enough.
```
$domain = $wpdb->escape( $_POST[ 'domain' ] );
                if ( $domain == '' ) {
                        wp_die( "You must enter a domain" );
                }
```
```
if( null == $wpdb->get_row( "SELECT blog_id FROM {$wpdb->blogs} WHERE domain = ...
&& null == $wpdb->get_row( "SELECT blog_id FROM {$wpdb->dmtable} WHERE domain = ...'
```
So a user can enter high ascii characters, unicode, leading dots, trailing dots, ip addresses, “localhost” and a whole bunch of other questionable entries that may cause undesired behavior.

It would probably be a good idea to test if the domain entered

1. is not an ip
2. is dotted (not dotless or localhost)
3. doesn’t contain the domain of the multisite home network
4. actually has an rdns A record or CNAME
5. that rdns resolves to the current network ip
Plugin Author Ron Rennick
(@wpmuguru)

11 years, 6 months ago

So a user can enter high ascii characters, unicode, leading dots, trailing dots, ip addresses, “localhost” and a whole bunch of other questionable entries that may cause undesired behavior.

Agreed – however that does not make it a security issue.

TCBarrett
(@tcbarrett)

11 years, 6 months ago

How about adding some filters so that _ck_ can add those checks they so chose?

SysFailure0x5a
(@sysfailure0x5a)

11 years, 5 months ago

This is absolutely a security issue. Let us consider this scenario. Site-A gets 50,000 unique hits a day. User-B makes Site-B and maps Site-A’s domain and then plasters spam, porn, and affiliate crap everywhere. Site-A’s domain name has been compromised in this scenario. Let’s also imagine you fix that one scenario. User-B maps a subdomain of Site-A on his blog and now has https://free.Site-A.com pointing to his blog. In both cases Site-A’s domain name has been compromised by an unauthorized user.

If you think one user jacking another users domain name is not a security issue, I think you need to think again.

This plugin desperately needs the following:

1.) Check to see if domain is mapped elsewhere.
2.) Have a back end option checkbox that allows super admins to approve domain mappings that are submitted by a user.
3.) A checkbox in the back end that allows or disallows users to map SUBDOMAINS of an already mapped domain. I.E if UserA only has https://SiteA.com mapped then UserB cannot map https://www.SiteA.com

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘security issue with allowing users to map their own domains’ is closed to new replies.