Comments on: Inspector WordPress Plugin Review http://blogsecurity.net/wordpress/inspector-wordpress-plugin-review Always something worth reading... Fri, 12 Mar 2010 11:09:45 +0000 http://wordpress.org/?v= hourly 1 By: The Doctor What http://blogsecurity.net/wordpress/inspector-wordpress-plugin-review/comment-page-1#comment-1838 The Doctor What Tue, 09 Oct 2007 20:27:24 +0000 http://blogsecurity.net/wordpress/inspector-wordpress-plugin-review/#comment-1838 I understand the vector now. But the problem isn't putting unchecked content into the file, per se. There is nothing you can put into conditions.txt that would break a text-editor or text-viewer. However, if conditions.txt is shown again at a latter point via a web page, then it should be escaped prior to showing. Of course, there are other attacks, such as a disk-space DoS (large conditions will fill the disk up). Etc. As I said, I haven't been able to get to the site. Ciao! I understand the vector now.

But the problem isn’t putting unchecked content into the file, per se. There is nothing you can put into conditions.txt that would break a text-editor or text-viewer.

However, if conditions.txt is shown again at a latter point via a web page, then it should be escaped prior to showing.

Of course, there are other attacks, such as a disk-space DoS (large conditions will fill the disk up). Etc.

As I said, I haven’t been able to get to the site.

Ciao!

]]> By: DK http://blogsecurity.net/wordpress/inspector-wordpress-plugin-review/comment-page-1#comment-1833 DK Tue, 09 Oct 2007 19:43:25 +0000 http://blogsecurity.net/wordpress/inspector-wordpress-plugin-review/#comment-1833 Doc, using htmlspecialchars() to sanitise the data before putting it into the log file would prevent this problem. Doc, using htmlspecialchars() to sanitise the data before putting it into the log file would prevent this problem.

]]> By: The Doctor What http://blogsecurity.net/wordpress/inspector-wordpress-plugin-review/comment-page-1#comment-1822 The Doctor What Tue, 09 Oct 2007 15:51:29 +0000 http://blogsecurity.net/wordpress/inspector-wordpress-plugin-review/#comment-1822 DK: But surely the problem is that it's displaying an untrusted file? Displaying any kind of log file is displaying untrusted content. FYI: I'd read the code, but the site seems gone or something. Ciao! DK:

But surely the problem is that it’s displaying an untrusted file? Displaying any kind of log file is displaying untrusted content.

FYI: I’d read the code, but the site seems gone or something.

Ciao!

]]> By: DK http://blogsecurity.net/wordpress/inspector-wordpress-plugin-review/comment-page-1#comment-1803 DK Tue, 09 Oct 2007 07:23:31 +0000 http://blogsecurity.net/wordpress/inspector-wordpress-plugin-review/#comment-1803 Doc, read this: http://blogsecurity.net/wordpress/articles/article-280507/ Because the rules are fetched from the text file and displayed to the user, it is possible to inject malicious HTML (due to CSRF vulnerability) that will then be executed everytime the admin opens that page. If conditions.txt was conditions.php, it would even be possible to execute malicious queries on the web server. Doc, if you still don't follow drop me an email via the BlogSecurity contact form and I'll explain it further. Doc, read this: http://blogsecurity.net/wordpress/articles/article-280507/

Because the rules are fetched from the text file and displayed to the user, it is possible to inject malicious HTML (due to CSRF vulnerability) that will then be executed everytime the admin opens that page.

If conditions.txt was conditions.php, it would even be possible to execute malicious queries on the web server.

Doc, if you still don’t follow drop me an email via the BlogSecurity contact form and I’ll explain it further.

]]> By: The Doctor What http://blogsecurity.net/wordpress/inspector-wordpress-plugin-review/comment-page-1#comment-1789 The Doctor What Tue, 09 Oct 2007 02:04:41 +0000 http://blogsecurity.net/wordpress/inspector-wordpress-plugin-review/#comment-1789 Yes. I see that. But why is it a problem? It goes straight into a file. Is file_put_contents() susceptable to an attack through it's data? Ciao! Yes. I see that. But why is it a problem? It goes straight into a file. Is file_put_contents() susceptable to an attack through it’s data?

Ciao!

]]> By: DK http://blogsecurity.net/wordpress/inspector-wordpress-plugin-review/comment-page-1#comment-1766 DK Mon, 08 Oct 2007 20:08:16 +0000 http://blogsecurity.net/wordpress/inspector-wordpress-plugin-review/#comment-1766 There is no sanitisation of $_POST["conditions"];". There is no sanitisation of $_POST["conditions"];".

]]> By: The Doctor What http://blogsecurity.net/wordpress/inspector-wordpress-plugin-review/comment-page-1#comment-1752 The Doctor What Mon, 08 Oct 2007 16:31:29 +0000 http://blogsecurity.net/wordpress/inspector-wordpress-plugin-review/#comment-1752 Can you explain how that code example is a problem? Can you explain how that code example is a problem?

]]>