[wp-trac] [WordPress Trac] #10733: Eval()'ed string not escaped properly

WordPress Trac wp-trac at lists.automattic.com
Sun Sep 6 10:35:48 UTC 2009


#10733: Eval()'ed string not escaped properly
--------------------------+-------------------------------------------------
 Reporter:  sirzooro      |       Owner:  ryan     
     Type:  defect (bug)  |      Status:  new      
 Priority:  high          |   Milestone:  2.8.5    
Component:  Security      |     Version:  2.8.4    
 Severity:  major         |    Keywords:  has-patch
--------------------------+-------------------------------------------------
 There is a problem with permalinks, which is the root cause of the last
 series of attacks on WordPress installations. The URL rewrite engine does
 not escape dollar signs in rules generated from the permalink format, so it
 is possible to inject PHP code using a specially crafted permalink format.
 There are two places where eval() is called: classes.php:219 and
 rewrite.php:302. These dollar signs should be escaped during rule
 generation, in generate_rewrite_rules() - the attached patch does this.

 You can also consider adding code to remove dollars from the permalink
 format if someone enters it on the options screen (when options are saved),
 or even better to validate that all %something% tags consist of letters,
 numbers and underscores only (and maybe dashes too).

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10733>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
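As an added illustration of the two mitigations the reporter describes, written for this page and neither WordPress core code nor the ticket's attached patch: `escape_rewrite_rule_for_eval()` backslash-escapes the characters PHP interprets inside a double-quoted string (`$`, `"`, `\`) so operator-supplied permalink text cannot interpolate variables once a rule containing it reaches eval(), and `validate_permalink_structure()` rejects a structure on save when it contains a bare dollar sign or any `%tag%` whose name is not made of letters, digits, underscores and dashes. The function names, the `$known_tags` list and the sample permalink structures are assumptions constructed for the example.

```php
<?php
// Added example, not WordPress core and not the patch attached to #10733.

/**
 * Escape the characters PHP would interpret inside a double-quoted string.
 * Apply this to the operator-supplied permalink structure before it is
 * concatenated into any rule that later passes through eval("...").
 * addcslashes() prefixes each listed character with a backslash, so
 * '/%year%/$bad/' becomes '/%year%/\$bad/'.
 */
function escape_rewrite_rule_for_eval(string $rule): string {
    return addcslashes($rule, '$"\\');
}

/**
 * Validate a permalink structure such as "/%year%/%postname%/" at save time.
 * Returns a list of problems; an empty array means the structure is acceptable.
 * $known_tags is the allow-list of tag names the rewrite engine understands
 * (hypothetical list here; real deployments would take it from the engine).
 */
function validate_permalink_structure(string $structure, array $known_tags): array {
    $problems = array();

    // A dollar sign has no legitimate use in a permalink structure.
    if (strpos($structure, '$') !== false) {
        $problems[] = 'dollar sign not allowed';
    }

    // Every %...% token must be a known tag built only from [A-Za-z0-9_-].
    if (preg_match_all('/%([^%]*)%/', $structure, $m)) {
        foreach ($m[1] as $tag) {
            if (!preg_match('/^[A-Za-z0-9_-]+$/', $tag)) {
                $problems[] = "malformed tag %{$tag}%";
            } elseif (!in_array($tag, $known_tags, true)) {
                $problems[] = "unknown tag %{$tag}%";
            }
        }
    }

    return $problems;
}

// Constructed sample inputs: one clean structure, one with a space inside a
// tag name, one carrying a bare dollar sign.
$known_tags = array('year', 'monthnum', 'day', 'postname', 'post_id', 'category', 'author');
$samples = array(
    '/%year%/%monthnum%/%postname%/',
    '/%year%/%post name%/',
    '/%year%/$bad/',
);

foreach ($samples as $structure) {
    $problems = validate_permalink_structure($structure, $known_tags);
    printf("%-34s %s\n", $structure, $problems ? implode('; ', $problems) : 'ok');
}

// Even a structure that slipped past validation is harmless once escaped.
echo escape_rewrite_rule_for_eval('/%year%/$bad/'), "\n";
```

The validator is the stronger of the two controls because it keeps the dangerous characters out of the stored option entirely; the escaping step is defence in depth for rules generated from structures saved before validation existed.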
