[wp-trac] [WordPress Trac] #8291: Missed int casting on wp-admin/users.php (harmless xss?)
WordPress Trac
wp-trac at lists.automattic.com
Thu Nov 20 09:02:56 GMT 2008
#8291: Missed int casting on wp-admin/users.php (harmless xss?)
----------------------+-----------------------------------------------------
Reporter: g30rg3x | Owner: ryan
Type: defect | Status: new
Priority: normal | Milestone: 2.7
Component: Security | Version: 2.7
Severity: minor | Keywords: has-patch, 2nd-opinion
----------------------+-----------------------------------------------------
Around Lines 126 to 151...[[BR]]
{{{
if ( empty($_REQUEST['users']) )
    $userids = array(intval($_REQUEST['user']));   // 'user' is cast to int
else
    $userids = $_REQUEST['users'];                  // 'users' is taken as-is
...
foreach ( (array) $userids as $id ) {
    $user = new WP_User($id);
    if ( $id == $current_user->ID ) {
        echo "<li>" . sprintf(__('ID #%1s: %2s <strong>The current user will not be deleted.</strong>'), $id, $user->user_login) . "</li>\n";
    } else {
        // $id is echoed into the value attribute and the text unescaped
        echo "<li><input type=\"hidden\" name=\"users[]\" value=\"{$id}\" />" . sprintf(__('ID #%1s: %2s'), $id, $user->user_login) . "</li>\n";
        $go_delete = true;
    }
}
}}}
[[BR]]
As we can see in the present code, $id comes from either the users or the user HTTP
request variable; user is properly cast to integer but users is not, so it
could lead to an XSS attack.[[BR]]
However, in order to work, the attacker needs at least to know a valid
nonce, which is kind of hard, so it turns out to be a harmless (or poor)
XSS.[[BR]]
--
Ticket URL: <http://trac.wordpress.org/ticket/8291>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
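The pattern the ticket describes, as an added example that is not WordPress code: a stand-alone PHP script that reproduces the uncast 'users' array next to a hardened version. lookup_user_login() is a hypothetical stand-in for WP_User, htmlspecialchars() is used instead of any WordPress escaping helper, the request array is constructed, and the nonce check the reporter mentions is assumed to have already passed.

```php
<?php
// Added example, not code from the WordPress project. Demonstrates why the
// uncast $_REQUEST['users'] array in the ticket is an XSS sink and how
// casting every element (plus output escaping) closes it.

// Hypothetical stand-in for WP_User: maps a user id to a login name.
function lookup_user_login($id) {
    $users = array(1 => 'admin', 2 => 'editor');
    return isset($users[$id]) ? $users[$id] : '';
}

// Mirrors the logic quoted in the ticket: the scalar 'user' is cast,
// the 'users' array is not, and each $id is echoed into an attribute
// and into text without escaping.
function vulnerable_rows(array $request, $current_user_id) {
    if (empty($request['users']))
        $userids = array(intval($request['user']));
    else
        $userids = $request['users'];

    $out = '';
    foreach ((array) $userids as $id) {
        $login = lookup_user_login($id);
        if ($id == $current_user_id) {
            $out .= "<li>" . sprintf('ID #%1$s: %2$s <strong>The current user will not be deleted.</strong>', $id, $login) . "</li>\n";
        } else {
            $out .= "<li><input type=\"hidden\" name=\"users[]\" value=\"{$id}\" />"
                  . sprintf('ID #%1$s: %2$s', $id, $login) . "</li>\n";
        }
    }
    return $out;
}

// Hardened: cast every id in the array form too, drop the 0 that intval()
// yields for garbage, and escape on output regardless.
function hardened_rows(array $request, $current_user_id) {
    if (empty($request['users']))
        $userids = array(intval($request['user']));
    else
        $userids = array_map('intval', (array) $request['users']);
    $userids = array_filter($userids); // removes ids that cast to 0

    $out = '';
    foreach ($userids as $id) {
        $login = htmlspecialchars(lookup_user_login($id), ENT_QUOTES, 'UTF-8');
        if ($id === (int) $current_user_id) {
            $out .= "<li>" . sprintf('ID #%1$d: %2$s <strong>The current user will not be deleted.</strong>', $id, $login) . "</li>\n";
        } else {
            $out .= "<li><input type=\"hidden\" name=\"users[]\" value=\"" . (int) $id . "\" />"
                  . sprintf('ID #%1$d: %2$s', $id, $login) . "</li>\n";
        }
    }
    return $out;
}

// Constructed request: the second "id" breaks out of the value="" attribute.
$request = array('users' => array('1', '2"><script>alert(1)</script>'));

echo "vulnerable:\n" . vulnerable_rows($request, 1);
echo "hardened:\n"   . hardened_rows($request, 1);
```

Run with `php example.php`: the vulnerable output contains the literal `<script>` tag inside the list item, while the hardened output only ever emits integers in the hidden input and escaped text in the label. The `(int)` cast on the hidden input value is the fix the ticket asks for; the `htmlspecialchars()` on the login name is the belt-and-braces step that would also cover a stored payload in the username.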