[wp-hackers] Plugin version number from WP.org sanitized?

Viper007Bond viper at viper007bond.com
Tue Dec 4 22:20:28 GMT 2007


Okay, I made a ticket and wrote a patch:
http://trac.wordpress.org/ticket/5422

On 12/4/07, Otto <otto at ottodestruct.com> wrote:
>
> Even if WP.org is safely doing the right thing, this is a security
> issue that needs to be fixed. It's unsanitized data from a third party
> site.
>
> Okay, so spoofing the DNS to redirect what "wordpress.org" means to
> the webserver would be a bit of a long way to go to hack a website,
> but it can still be done.
>
> -Otto
>
>
> On 12/3/07, Viper007Bond <viper at viper007bond.com> wrote:
> > I've been playing around with the plugin update checker (writing a new
> > plugin that uses the data) and noticed that the data retrieved from
> > WP.org is displayed raw:
> >
> > printf( __('There is a new version of %s available. <a href="%s">Download version %s here</a>.'), $plugin_data['Name'], $r->url, $r->new_version );
> >
> > Does this mean WP.org automatically htmlspecialchars() the version number
> > and such or was this overlooked?
> >
> > What if I commit a new version of my plugin and put this as the version
> > number: 1.2.3<script>alert('omfghax');</script>
> >
> > The same goes for plugin titles.
> >
> > Wondering both for my plugin's sake and for security's sake.
> >
> > --
> > Viper007Bond | http://www.viper007bond.com/
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
>



-- 
Viper007Bond | http://www.viper007bond.com/
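The notice discussed in this thread, written out as an added PHP example (not code from WordPress core, from the ticket patch, or from anyone on the list). It takes a constructed update-check response, standing in for what a spoofed wordpress.org or a hostile plugin author could return, and renders it two ways: the raw interpolation that mirrors the core line quoted above, and an escaped version. The function names, the `$update` object and the sample strings are all assumptions made for this example; the translation call `__()` is left out because it does not change the escaping question.

```php
<?php
// Added example, not WordPress code. Models the plugin-update notice from
// the thread: fields from a third-party update API are dropped into HTML.
// All names here (render_notice_raw, render_notice_escaped, safe_url, esc,
// $update) are made up for this example.

// Constructed update-API response. The version string is the payload
// Viper007Bond proposed; the URL shows a second problem (a non-http scheme)
// that attribute escaping alone would not catch.
$plugin_name = 'My Plugin';
$update = (object) array(
    'new_version' => "1.2.3<script>alert('omfghax');</script>",
    'url'         => 'javascript:alert(document.cookie)',
);

// Vulnerable form: same shape as the core printf() quoted in the thread.
// Every third-party value reaches the page verbatim.
function render_notice_raw($plugin_name, $r) {
    return sprintf(
        'There is a new version of %s available. <a href="%s">Download version %s here</a>.',
        $plugin_name, $r->url, $r->new_version
    );
}

// Allow only absolute http(s) URLs for the download link. parse_url()
// returns false on badly malformed input, and a missing scheme means a
// relative URL, which is not what an update server should be handing us.
function safe_url($url) {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return '';
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return '';
    }
    return $url;
}

// HTML-escape for both text nodes and double-quoted attribute values.
// ENT_QUOTES also covers single quotes, so it is safe in either context.
function esc($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hardened form: escape each value at output time, for the context it
// lands in, and validate the URL before it becomes an href.
function render_notice_escaped($plugin_name, $r) {
    $url = safe_url($r->url);
    if ($url === '') {
        // Do not emit a link at all when the URL fails validation.
        return sprintf(
            'There is a new version of %s available (version %s).',
            esc($plugin_name), esc($r->new_version)
        );
    }
    return sprintf(
        'There is a new version of %s available. <a href="%s">Download version %s here</a>.',
        esc($plugin_name), esc($url), esc($r->new_version)
    );
}

echo "RAW:     ", render_notice_raw($plugin_name, $update), "\n";
echo "ESCAPED: ", render_notice_escaped($plugin_name, $update), "\n";
```

Running this prints the raw line with a live `<script>` element and a `javascript:` href, and the escaped line with `&lt;script&gt;` in the text and no link at all, since the URL was rejected. The general point is the one Otto makes: whether or not the update server escapes on its side, the consuming code has to escape at output, because the data crosses a trust boundary (DNS spoofing or a compromised server both put an attacker on the other end). Plain `htmlspecialchars()` is used here for portability; inside WordPress the project's own escaping helpers of the time, or a later `esc_html()`/`esc_url()`, do the same job.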

