WordPress admins should already know it: the quality of WordPress plugins is often quite worrisome. The latest smoking gun is WP Ajax Edit Comments. Normally I do not disclose security issues, but this one is so obvious it freaks me out. Just to be clear: you do not have to be a seasoned programmer or admin to find bugs like this one. I did not check the whole potential of this vulnerability, maybe it also lets one inject SQL commands — I don’t know.
Let’s have a look. In file “comment-editor.php” (and in “move-comment.php” and “request-deletion.php” BTW) there’s this line:
```php
$commentAction = $_GET['action'];
```
Yellow alert. But let’s look further before drawing a conclusion. $commentAction is not touched again until this line:
```php
<input type="hidden" id="action" value="<?php echo $commentAction;?>" />
```
RED ALERT. The value of a request parameter is echoed straight into the page without any escaping. This is a beginner’s mistake. The flaw has existed at least since version 2.2.6.0, and the current version (as of this writing), 2.4.0.1, is also vulnerable. It has been around for at least one year without anyone noticing or fixing it, despite being so obvious. According to the WordPress plugin database it has been downloaded over 140,000 times, so there may be tens of thousands of vulnerable WordPress installations.
Attackers could inject arbitrary HTML, like “THIS SHOULD NOT BE POSSIBLE”. Of course, criminals could create malicious pages this way and host them on remote WordPress sites.
How to fix it quickly
Replace this line
```php
$commentAction = $_GET['action'];
```
with these lines:
```php
$commentAction = $_GET['action'];
// Strip any tags, drop everything except letters and digits, then escape quotes
// so the remaining value cannot break out of the HTML attribute it is echoed into.
$commentAction = addslashes(preg_replace("/[^a-z0-9]/i", '', strip_tags($commentAction)));
```
It’s a quick and dirty fix, but it gets the job done. An even better approach would be to reject “action” parameter values containing any characters other than a-z, instead of silently stripping them.
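To make the difference between the three variants concrete, here is an added example (not the plugin’s own code) that renders the same hidden input from the original unescaped line, from the quick fix above, and from a strict allow-list that rejects bad values and escapes on output. The function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example, not part of WP Ajax Edit Comments: the "action" parameter
// handled three ways. Inputs are constructed here so this runs from the CLI
// without an HTTP request.
declare(strict_types=1);

// Constructed sample inputs: a legitimate action name and one carrying markup
// that closes the attribute and injects HTML, as described in the post.
$samples = [
    'edit',
    'edit"><b>THIS SHOULD NOT BE POSSIBLE</b>',
];

// 1) The original line: the raw value lands inside the attribute unchanged,
//    so a double quote in the input terminates the attribute early.
function render_unsafe(string $action): string
{
    return '<input type="hidden" id="action" value="' . $action . '" />';
}

// 2) The quick fix from the post: strip tags, keep only [a-z0-9], escape quotes.
//    Harmless, but garbage input is silently turned into a bogus action name.
function render_quick_fix(string $action): string
{
    $action = addslashes(preg_replace('/[^a-z0-9]/i', '', strip_tags($action)));
    return '<input type="hidden" id="action" value="' . $action . '" />';
}

// 3) The stricter approach the post recommends: reject anything that is not a
//    plain a-z token, and still escape on output as a second line of defence.
function render_strict(string $action): ?string
{
    if (!preg_match('/^[a-z]+$/', $action)) {
        return null; // caller should answer with an error instead of rendering
    }
    $safe = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" id="action" value="' . $safe . '" />';
}

foreach ($samples as $input) {
    echo "input:  {$input}\n";
    echo "unsafe: " . render_unsafe($input) . "\n";
    echo "quick:  " . render_quick_fix($input) . "\n";
    echo "strict: " . (render_strict($input) ?? '(rejected)') . "\n\n";
}
```

Run with `php example.php`: the unsafe variant shows the injected `<b>` element outside the input tag, the quick fix yields the meaningless but harmless value `editTHISSHOULDNOTBEPOSSIBLE`, and the strict variant rejects the second input outright.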
The author of WP Ajax Edit Comments has been notified.
UPDATE: There is a new version that seems to be fixed.