Support » Plugin: WP-Members Membership Plugin » Cross-site scripting vulnerabilities

  • Resolved hhr_web

    (@hhr_web)


    Our host has detected cross-site scripting vulnerabilities on the “a” and “thestate” parameters within your CGI files. At least from what I can tell from their log, it appears to be related to this plugin. Here is a part of their log:

    Using the GET HTTP method, Site Scanner found that :
    + The following resources may be vulnerable to injectable parameter :
    + The 'a' parameter of the /comic-strip-submitted-to-dee-cote/ CGI :
    /comic-strip-submitted-to-dee-cote/?a=%00rnrfrh
    -------- output --------
    <div class="entry-content">
    <input type="hidden" id="_wpnonce" name="_wpnonce" value="e13e251252" />
    <input type="hidden" name="_wp_http_referer" value="/comic-strip-submitt
    ed-to-dee-cote/?a=%00rnrfrh" /><p>This content is restricted to site mem
    bers. If you are an existing user, please login. New users may registe
    r below.</p>
    <div class="wpmem_login">
    <a name="login"></a></p>
    ------------------------
    + The 'thestate' parameter of the /morgenthau-list-being-added/ CGI :
    /morgenthau-list-being-added/?thestate=%00rnrfrh
    -------- output --------
    <div class="entry-content">
    <input type="hidden" id="_wpnonce" name="_wpnonce" value="e13e251252" />
    <input type="hidden" name="_wp_http_referer" value="/morgenthau-list-bei
    ng-added/?thestate=%00rnrfrh" /><p>This content is restricted to site me
    mbers. If you are an existing user, please login. New users may regist
    er below.</p>
    <div class="wpmem_login">
    <a name="login"></a></p>

    According to the following url regarding your 2.8.1 release, the cross-site scripting exploit has been closed: http://rocketgeek.com/release-announcements/wp-members-2-8-1-release/

    Can you confirm that this is still a valid issue and if so, when we might expect a new release to resolve it? Thanks.

    http://wordpress.org/extend/plugins/wp-members/

Viewing 1 replies (of 1 total)
  • Plugin Author Chad Butler

    (@cbutlerjr)

    Neither of these would represent a vulnerability.

    It is odd though that you would have thestate as a parameter in the querystring. I’m not 100% sure that would come from this plugin. When using the default form values that the plugin installs with, the value for State is passed as thestate. However, this is posted with the form, not passed as a querystring (the same as all other registration form values). All of the registration form values are only accepted as $_POSTed values and not $_REQUEST/$_GET.

    Likewise, the plugin does use an “a” parameter to pass actions, but again, when registering (accepting user input values), this is not passed as a querystring as it is shown above.

Viewing 1 replies (of 1 total)
  • The topic ‘Cross-site scripting vulnerabilities’ is closed to new replies.