Closed
Bug 840940
Opened 11 years ago
Closed 11 years ago
Code Execution in editorial calendar wordpress plugin
Categories
(Developer Engagement :: Mozilla Hacks, task)
Developer Engagement
Mozilla Hacks
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: freddy, Assigned: zack)
References
Details
(Keywords: sec-high, wsec-injection, Whiteboard: [site:hacks.mozilla.org])
Possible code execution in functions that create new posts/drafts: `edcal_newdraft()`, `edcal_savepost()`, `edcal_changetitle()`. According to the WordPress docs, a post title may contain PHP tags. This will ultimately lead to the execution of arbitrary code, i.e., elevating the privileges from a post editor to those of an administrator. The docs suggest escaping with `wp_strip_all_tags()` for "post_title and any other fields". See: http://codex.wordpress.org/Function_Reference/wp_insert_post#Security

(NB: This might also cause Cross-Site Scripting vulnerabilities in the plugin itself, if not also in the public blog interface.)
Assignee
Comment 1•11 years ago
I've changed the calendar to filter all tags out of post titles. You can see the change here: http://plugins.trac.wordpress.org/changeset?reponame=&new=667396%40editorial-calendar&old=656348%40editorial-calendar This will be part of our next release. I did not make the change to strip all tags out of the post body since WordPress allows tags in the post body from authors during the normal post editing screens.
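As an added illustration of the issue in the description and the fix described in this comment (example code, not the plugin's own): request input flowing untouched into `post_title` versus the same path with tags stripped first. `wp_strip_all_tags()` only exists inside WordPress, so a stand-alone equivalent is defined when it is absent; `edcal_sanitize_title()` and the `_before`/`_after` helpers are hypothetical names.

```php
<?php
// Stand-alone fallback (assumption: mirrors WordPress's wp_strip_all_tags,
// which removes script/style blocks, then all HTML and PHP tags, then trims).
if (!function_exists('wp_strip_all_tags')) {
    function wp_strip_all_tags($string, $remove_breaks = false) {
        $string = preg_replace('@<(script|style)[^>]*?>.*?</\\1>@si', '', $string);
        $string = strip_tags($string);           // strip_tags() also removes <?php ... ?>
        if ($remove_breaks) {
            $string = preg_replace('/[\r\n\t ]+/', ' ', $string);
        }
        return trim($string);
    }
}

// Hypothetical single choke point: every wp_insert_post()/wp_update_post() call
// the plugin makes (edcal_newdraft, edcal_savepost, edcal_changetitle) would
// pass the title through here.
function edcal_sanitize_title($raw_title) {
    return wp_strip_all_tags($raw_title, true);
}

// Vulnerable shape: the editor-supplied title is stored as-is.
function edcal_newdraft_before($request) {
    return array('post_title' => $request['title'], 'post_status' => 'draft');
}

// Hardened shape: tags are removed before the title reaches wp_insert_post().
function edcal_newdraft_after($request) {
    return array('post_title' => edcal_sanitize_title($request['title']), 'post_status' => 'draft');
}

// Constructed sample input standing in for a title submitted by an editor-role user.
$request = array('title' => "Release notes <?php echo 1; ?> <b>draft</b>");
echo "before: " . edcal_newdraft_before($request)['post_title'] . "\n";
echo "after:  " . edcal_newdraft_after($request)['post_title'] . "\n";
```

Only the title is filtered here, matching the comment above: the post body keeps the tags WordPress already permits authors to use in the normal editing screens.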
Reporter
Comment 2•11 years ago
Looks good!
Reporter
Updated•11 years ago
Assignee: nobody → zack
Reporter
Comment 3•11 years ago
Fixed :)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
Component: hacks.mozilla.org → Mozilla Hacks
Product: Websites → Mozilla Developer Network
Comment 4•8 years ago
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated•7 years ago
Product: Mozilla Developer Network → Developer Engagement