Closed Bug 840940 Opened 11 years ago Closed 11 years ago

Code Execution in editorial calendar wordpress plugin

Categories

(Developer Engagement :: Mozilla Hacks, task)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: freddy, Assigned: zack)

References

Details

(Keywords: sec-high, wsec-injection, Whiteboard: [site:hacks.mozilla.org])

Possible code-execution in functions that create new posts/drafts:
`edcal_newdraft()`, `edcal_savepost()`, `edcal_changetitle()`

According to WordPress docs, post title may contain php tags.

This will ultimately lead to the execution of arbitrary code, i.e., elevating
the privileges from a post editor to that of an administrator.
Docs suggest escaping with `wp_strip_all_tags()` for
"post_title and any other fields".
See: http://codex.wordpress.org/Function_Reference/wp_insert_post#Security

(NB: This might also cause Cross-Site Scripting vulnerabilities in the
 plugin itself, if not also in the public blog interface)
I've changed the calendar to filter all tags out of post titles.  You can see the change here:

http://plugins.trac.wordpress.org/changeset?reponame=&new=667396%40editorial-calendar&old=656348%40editorial-calendar

This will be part of our next release.  

I did not make the change to strip all tags out of the post body since WordPress allows tags in the post body from authors during the normal post editing screens.
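As an added illustration of the fix described above (this is not the plugin's code from the linked changeset), a hypothetical title-change handler that passes the incoming title through `wp_strip_all_tags()` before building the `wp_update_post()` argument array; the handler names, the stand-in sanitizer used outside WordPress and the sample titles are all constructed.

```php
<?php
// Added example, not code from the editorial-calendar plugin.
// Outside WordPress, provide a stand-in for wp_strip_all_tags() that
// mirrors the core implementation: drop <script>/<style> blocks, then
// strip_tags() (which also removes PHP tags), then trim().
if ( ! function_exists( 'wp_strip_all_tags' ) ) {
    function wp_strip_all_tags( $text, $remove_breaks = false ) {
        $text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $text );
        $text = strip_tags( $text );
        if ( $remove_breaks ) {
            $text = preg_replace( '/[\r\n\t ]+/', ' ', $text );
        }
        return trim( $text );
    }
}

// Hypothetical hardened handler: the title from the request is cleaned
// first, as the wp_insert_post() security note recommends for post_title,
// and only the cleaned value is placed in the array destined for
// wp_update_post().
function edcal_example_changetitle( $post_id, $raw_title ) {
    $clean_title = wp_strip_all_tags( $raw_title, true );
    return array(
        'ID'         => (int) $post_id,
        'post_title' => $clean_title,
    );
}

// Constructed sample titles: one benign, two carrying markup that the
// report says must not reach the post title unfiltered.
$samples = array(
    'Editorial calendar update',
    'Weekly post <?php echo "x"; ?>',
    'Release notes <script>alert(1)</script> for March',
);

foreach ( $samples as $title ) {
    $update = edcal_example_changetitle( 42, $title );
    printf( "raw:   %s\nclean: %s\n\n", $title, $update['post_title'] );
    // In the plugin this array would now go to wp_update_post( $update ).
}
```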
Looks good!
Assignee: nobody → zack
Fixed :)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Component: hacks.mozilla.org → Mozilla Hacks
Product: Websites → Mozilla Developer Network
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: Mozilla Developer Network → Developer Engagement