This repository has been archived by the owner on Apr 22, 2021. It is now read-only.

XSS vulnerability being exploited in the wild #71

Closed
Xavier59 opened this issue Jan 24, 2020 · 2 comments
@Xavier59

Describe the bug
An XSS vulnerability targeting the Multiple Domain plugin is currently being exploited in the wild.

Faulty lines:

```php
private function outputHrefLangTag($url, $lang = 'x-default')
{
    $lang = str_replace('_', '-', $lang);
    printf('<link rel="alternate" href="%s" hreflang="%s" />', $url, $lang);
}

private function outputCanonicalTag($url)
{
    printf('<link rel="canonical" href="%s" />', $url);
}
```

$url should be encoded using htmlentities(urlencode($url))

To Reproduce
Steps to reproduce the behavior:

  1. Go to www.yourwordpresswebsite.com/;>"'><script>alert(1)</script>&type=
  2. This should trigger the XSS and print an alert. (Make sure to use Firefox, because Chrome/Safari have some built-in XSS protection.)

Expected behavior
Output should be encoded to prevent XSS.

@straube
Owner

straube commented Jan 24, 2020

Hey @Xavier59, thank you for reporting that. I'll fix it ASAP. Also, feel free if you want to submit a PR right away.

@straube
Owner

straube commented Jan 25, 2020

@Xavier59 I tried to add the solution you suggested, but it doesn't work the way it's supposed to.

For instance, after changing the outputCanonicalTag this way:

```php
private function outputCanonicalTag($url)
{
    $url = htmlentities(urlencode($url));
    printf('<link rel="canonical" href="%s" />', $url);
}
```

I got the following canonical tag in my front-end:

```html
<link rel="canonical" href="http%3A%2F%2Fsandbox.test%2F%253B%253E%2522%253E%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E%2526type%253D" />
```

Since the entire URL got encoded, the link doesn't work as expected.

I'm using only htmlentities, then, which gives me the following tag and doesn't show the alert on page load.

```html
<link rel="canonical" href="http://wp_sb.test/;&gt;&quot;\'&gt;&lt;script&gt;alert(1)&lt;/script&gt;&amp;type" />
```

@straube straube closed this as completed Jan 25, 2020
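As an added example (not the plugin's code), the following PHP script lays the three encodings discussed in this thread side by side on a constructed benign URL and on the reporter's payload, so the over-encoding problem and the working fix can both be seen in one run. `canonicalStrict` is an assumed extra step of my own (WordPress's own `esc_url()` helper performs a similar validate-and-escape); nothing here is from the plugin.

```php
<?php
// Added example, not part of the Multiple Domain plugin.

// Constructed samples: a normal canonical URL and the payload from the report.
$benignUrl   = 'https://example.com/path/?page=2&lang=en';
$attackerUrl = 'http://sandbox.test/;>"\'><script>alert(1)</script>&type=';

// Vulnerable: the original code interpolates $url straight into an attribute.
function canonicalRaw(string $url): string
{
    return sprintf('<link rel="canonical" href="%s" />', $url);
}

// Reporter's suggestion: urlencode() then htmlentities(). Every reserved
// character (":", "/", "?", "&", "=") is percent-encoded too, so the href
// no longer resolves, which is what the maintainer observed.
function canonicalOverEncoded(string $url): string
{
    return sprintf('<link rel="canonical" href="%s" />', htmlentities(urlencode($url)));
}

// Maintainer's fix: HTML-encode only. ENT_QUOTES is passed explicitly because
// before PHP 8.1 htmlentities() left single quotes untouched by default, which
// becomes a problem the moment an attribute is single-quoted.
function canonicalEscaped(string $url): string
{
    return sprintf('<link rel="canonical" href="%s" />',
        htmlentities($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Assumed hardening: a canonical URL should be an absolute http(s) address, so
// anything else is rejected before escaping and the tag is omitted entirely.
function canonicalStrict(string $url): ?string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return canonicalEscaped($url);
}

foreach ([$benignUrl, $attackerUrl] as $url) {
    echo "input: $url\n";
    echo "  raw:      ", canonicalRaw($url), "\n";
    echo "  over:     ", canonicalOverEncoded($url), "\n";
    echo "  escaped:  ", canonicalEscaped($url), "\n";
    echo "  strict:   ", canonicalStrict($url) ?? '(tag omitted)', "\n";
}
```

Run it with `php example.php`; the `escaped` line for the payload matches the shape of the maintainer's final output, with `<`, `>`, `"` and `&` turned into entities so the attribute cannot be closed early.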