[wp-hackers] Plugin version number from WP.org sanitized?

Otto otto at ottodestruct.com
Tue Dec 4 21:55:16 GMT 2007


Even if WP.org is safely doing the right thing, this is a security
issue that needs to be fixed. It's unsanitized data from a third party
site.

Okay, so spoofing the DNS to redirect what "wordpress.org" means to
the webserver would be a bit of a long way to go to hack a website,
but it can still be done.

-Otto


On 12/3/07, Viper007Bond <viper at viper007bond.com> wrote:
> I've been playing around with the plugin update checker (writing a new
> plugin that uses the data) and noticed that the data retrieved from
> WP.org is displayed raw:
>
> printf( __('There is a new version of %s available. <a href="%s">Download
> version %s here</a>.'), $plugin_data['Name'], $r->url, $r->new_version );
>
> Does this mean WP.org automatically htmlspecialchars() the version number
> and such or was this overlooked?
>
> What if I commit a new version of my plugin and put this as the version
> number: 1.2.3<script>alert('omfghax');</script>
>
> The same goes for plugin titles.
>
> Wondering both for my plugin's sake and for security's sake.
>
> --
> Viper007Bond | http://www.viper007bond.com/
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
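An added example (not code from the thread or from WordPress core) that renders the quoted notice twice: once as the raw printf() does it, and once with each third-party field escaped before it reaches the page. The $r object and $plugin_data are constructed here to stand in for the WP.org reply and the local plugin header; __() is dropped since the i18n wrapper is not what matters here.

```php
<?php
// Constructed stand-ins for the update-check reply ($r) and plugin header.
$r = (object) array(
    'url'         => "javascript:alert('omfghax')",
    'new_version' => "1.2.3<script>alert('omfghax');</script>",
);
$plugin_data = array( 'Name' => 'Demo <b>Plugin</b>' );

// HTML-escape a text value destined for the notice body.
function esc_text( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
}

// Only http/https download links are allowed into href=""; anything
// else (javascript:, data:, ...) collapses to an empty attribute.
function safe_url( $url ) {
    $scheme = strtolower( (string) parse_url( (string) $url, PHP_URL_SCHEME ) );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return '';
    }
    return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
}

// $escape = false reproduces the raw output from the quoted core line;
// $escape = true is the hardened form.
function render_notice( $plugin_data, $r, $escape ) {
    $fmt = 'There is a new version of %s available. '
         . '<a href="%s">Download version %s here</a>.';
    if ( ! $escape ) {
        return sprintf( $fmt, $plugin_data['Name'], $r->url, $r->new_version );
    }
    return sprintf( $fmt,
        esc_text( $plugin_data['Name'] ),
        safe_url( $r->url ),
        esc_text( $r->new_version ) );
}

// RAW keeps the <script> and javascript: intact; ESCAPED neutralises both.
echo "RAW:     " . render_notice( $plugin_data, $r, false ) . "\n";
echo "ESCAPED: " . render_notice( $plugin_data, $r, true ) . "\n";
```

A DNS spoof or a malicious plugin header both land in the same place, so the escaping belongs at the output line regardless of what WP.org does upstream.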

