Page MenuHomePhabricator

XSS in wp-world
Closed, ResolvedPublic

Event Timeline

Reedy created this task.Nov 11 2019, 5:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 11 2019, 5:53 PM
Reedy updated the task description. (Show Details)
Reedy added a subscriber: Kolossos.
sbassett triaged this task as High priority.Nov 20 2019, 8:02 PM
sbassett added a project: Security-Team.
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett added a subscriber: sbassett.

Poke Poke.

We will have to take this tool offline unless this is addressed. This is not something we want to do, this is something we will need to do. Please respond ASAP. Security-Team will consider the maintainers here unresponsive if another week passes.

I turn off the script. So I think the issue can be closed.

It seems pg_escape_string() was not enough.

sbassett closed this task as Resolved.EditedNov 21 2019, 9:56 PM
sbassett claimed this task.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.

@Kolossos - Thanks. A more long-term fix for this might be to set display_errors to false, which should hide any errors which may unintentionally render XSS payloads like this. It's also just a good best practice for any public-facing application or service, though I'm not certain how feasible this is within the Tools environment.

sbassett added a comment.EditedNov 21 2019, 9:58 PM

n.b. we should probably contact the researcher as well so they can update the issue on openbugbounty.org as being resolved.

(Update: researcher emailed on 2019-11-26 with request to resolve OBB bug.)

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 21 2019, 9:58 PM
sbassett reassigned this task from sbassett to Kolossos.Nov 21 2019, 10:28 PM

@sbassett Question for the future, is htmlentities() for all input-parameters the right way to go?

@Kolossos - in most cases where general html sanitization is required, I'd probably recommend PHP's htmlspecialchars() function. Per php.net's documentation, it will convert a smaller set of characters to their html entities as opposed to htmlentities() which will convert a lot more, possibly unnecessarily. The one tricky thing with both htmlspecialchars() and htmlentities() is to make sure you understand the appropriate sanitization contexts. For example, if you were sanitizing html attributes, you'd want to use the ENT_QUOTES option (see flags).