• Because the plugin fails to escape user-supplied data before outputting it, a remote attacker can launch an XSS attack.

    Advisory: http://websecurity.com.ua/4539

    Patch:

    diff -uwdBrN register-plus.orig/dash_widget.php register-plus/dash_widget.php
    --- register-plus.orig/dash_widget.php	2011-02-13 14:16:22.000000000 +0200
    +++ register-plus/dash_widget.php	2011-02-13 14:39:19.695898908 +0200
    @@ -1,4 +1,5 @@
     <?php
    +if (function_exists('add_action')) :
     if( !class_exists('RegisterPlusWidget') ){
     	class RegisterPlusWidget{
     		function RegisterPlusWidget() { //contructor
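Review bot: The direct-access guard added on the `+if (function_exists('add_action')) :` line tests for a WordPress function, while the register-plus.php hunk of the same patch uses `defined('ABSPATH') or die('');` for the same purpose; the two files should use one idiom, and the `ABSPATH` check is the conventional one. A `defined('ABSPATH') or die('');` at the top of dash_widget.php would also avoid wrapping the whole file (the class declaration and the `add_action` call) in an alternative-syntax `if` that is only closed by the `endif;` in the following hunk. The guarded block and the class it contains run past the end of this hunk.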
    @@ -44,4 +45,5 @@
    
     // Start this plugin once all other plugins are fully loaded
     add_action( 'plugins_loaded', create_function( '', 'global $regplus_widget; $regplus_widget = new RegisterPlusWidget();' ) );
    +endif;
     ?>
    \ No EOL
    diff -uwdBrN register-plus.orig/register-plus.php register-plus/register-plus.php
    --- register-plus.orig/register-plus.php	2011-02-13 14:16:22.000000000 +0200
    +++ register-plus/register-plus.php	2011-02-13 14:39:48.974291095 +0200
    @@ -14,11 +14,28 @@
     See readme.txt
     */
    
    +defined('ABSPATH') or die('');
    +
     $rp = get_option( 'register_plus' ); //load options
     if( $rp['dash_widget'] ) //if dashboard widget is enabled
     	include_once('dash_widget.php'); //add the dashboard widget
    
     if( !class_exists('RegisterPlusPlugin') ){
    +
    +	if (!function_exists('esc_attr')) :
    +		function esc_attr($s)
    +		{
    +			return attribute_escape($s);
    +		}
    +	endif;
    +
    +	if (!function_exists('esc_html')) :
    +		function esc_html($s)
    +		{
    +			return wp_specialchars($s);
    +		}
    +	endif;
    +
     	class RegisterPlusPlugin{
     		function RegisterPlusPlugin() { //constructor
     			global $wp_version;
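Review bot: The `esc_html` fallback added in this hunk wraps `wp_specialchars($s)` with its default arguments, which, as far as I recall of the WordPress versions where this fallback would be active, leaves single and double quotes unescaped; it is therefore only safe in element content (as used for the custom textarea later in the patch) and must not be used inside an attribute. A one-line comment above it, `// element-content only: quotes are not escaped, use esc_attr() inside attributes`, would prevent that mistake. The `esc_attr` fallback via `attribute_escape()` does escape quotes and is suitable for attribute values. Both fallbacks sit inside the `class_exists` block, which continues past the hunk.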
    @@ -1112,7 +1129,7 @@
     				if( isset( $_GET['firstname'] ) ) $_POST['firstname'] = $_GET['firstname'];
     			?>
        		<p><label><?php _e('First Name:', 'regplus');?> <br />
    -		<input autocomplete="off" name="firstname" id="firstname" size="25" value="<?php echo $_POST['firstname'];?>" type="text" tabindex="30" /></label><br />
    +		<input autocomplete="off" name="firstname" id="firstname" size="25" value="<?php echo esc_attr($_POST['firstname']);?>" type="text" tabindex="30" /></label><br />
             </p>
                 <?php
     			}
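Review bot: `esc_attr($_POST['firstname'])` on the changed line neutralises the reflected XSS, but `$_POST['firstname']` is read even when neither the POST nor the GET parameter was sent (the `isset` above only guards the copy from `$_GET`), so an undefined-index notice can end up in the page; `esc_attr(isset($_POST['firstname']) ? $_POST['firstname'] : '')` closes that. The value is also not passed through `stripslashes()` as the `about` field is, and WordPress normally slashes request superglobals, so a name containing an apostrophe would be re-displayed with a backslash. The same two points apply to the lastname, website, aim, yahoo and jabber hunks that follow. The enclosing function starts and ends outside this hunk.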
    @@ -1120,7 +1137,7 @@
     				if( isset( $_GET['lastname'] ) ) $_POST['lastname'] = $_GET['lastname'];
     			?>
        		<p><label><?php _e('Last Name:', 'regplus');?> <br />
    -		<input autocomplete="off" name="lastname" id="lastname" size="25" value="<?php echo $_POST['lastname'];?>" type="text" tabindex="31" /></label><br />
    +		<input autocomplete="off" name="lastname" id="lastname" size="25" value="<?php echo esc_attr($_POST['lastname']);?>" type="text" tabindex="31" /></label><br />
             </p>
                 <?php
     			}
    @@ -1128,7 +1145,7 @@
     				if( isset( $_GET['website'] ) ) $_POST['website'] = $_GET['website'];
     			?>
        		<p><label><?php _e('Website:', 'regplus');?> <br />
    -		<input autocomplete="off" name="website" id="website" size="25" value="<?php echo $_POST['website'];?>" type="text" tabindex="32" /></label><br />
    +		<input autocomplete="off" name="website" id="website" size="25" value="<?php echo esc_attr($_POST['website']);?>" type="text" tabindex="32" /></label><br />
             </p>
                 <?php
     			}
    @@ -1136,7 +1153,7 @@
     				if( isset( $_GET['aim'] ) ) $_POST['aim'] = $_GET['aim'];
     			?>
        		<p><label><?php _e('AIM:', 'regplus');?> <br />
    -		<input autocomplete="off" name="aim" id="aim" size="25" value="<?php echo $_POST['aim'];?>" type="text" tabindex="32" /></label><br />
    +		<input autocomplete="off" name="aim" id="aim" size="25" value="<?php echo esc_attr($_POST['aim']);?>" type="text" tabindex="32" /></label><br />
             </p>
                 <?php
     			}
    @@ -1144,7 +1161,7 @@
     				if( isset( $_GET['yahoo'] ) ) $_POST['yahoo'] = $_GET['yahoo'];
     			?>
        		<p><label><?php _e('Yahoo IM:', 'regplus');?> <br />
    -		<input autocomplete="off" name="yahoo" id="yahoo" size="25" value="<?php echo $_POST['yahoo'];?>" type="text" tabindex="33" /></label><br />
    +		<input autocomplete="off" name="yahoo" id="yahoo" size="25" value="<?php echo esc_attr($_POST['yahoo']);?>" type="text" tabindex="33" /></label><br />
             </p>
                 <?php
     			}
    @@ -1152,7 +1169,7 @@
     				if( isset( $_GET['jabber'] ) ) $_POST['jabber'] = $_GET['jabber'];
     			?>
        		<p><label><?php _e('Jabber / Google Talk:', 'regplus');?> <br />
    -		<input autocomplete="off" name="jabber" id="jabber" size="25" value="<?php echo $_POST['jabber'];?>" type="text" tabindex="34" /></label><br />
    +		<input autocomplete="off" name="jabber" id="jabber" size="25" value="<?php echo esc_attr($_POST['jabber']);?>" type="text" tabindex="34" /></label><br />
             </p>
                 <?php
     			}
    @@ -1160,7 +1177,7 @@
     				if( isset( $_GET['about'] ) ) $_POST['about'] = $_GET['about'];
     			?>
        		<p><label><?php _e('About Yourself:', 'regplus');?> <br />
    -		<textarea autocomplete="off" name="about" id="about" cols="25" rows="5" tabindex="35"><?php echo stripslashes($_POST['about']);?></textarea></label><br />
    +		<textarea autocomplete="off" name="about" id="about" cols="25" rows="5" tabindex="35"><?php echo esc_attr(stripslashes($_POST['about']));?></textarea></label><br />
             <small><?php _e('Share a little biographical information to fill out your profile. This may be shown publicly.', 'regplus');?></small>
             </p>
                 <?php
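Review bot: The `about` textarea's content is escaped with `esc_attr()` although it is element content, not an attribute value; the custom-field textarea later in this patch uses `esc_html()` for the same position, so for consistency the line should read `<?php echo esc_html(stripslashes($_POST['about']));?>`. Both functions neutralise `<` and `&`, so the output is safe either way and this is a context/consistency point. As in the firstname hunk, `$_POST['about']` is read without a guard when the parameter is absent.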
    @@ -1175,23 +1192,23 @@
    
             <?php if( $v['fieldtype'] == 'text' ){ ?>
             <p><label><?php echo $v['label'];?>: <br />
    -		<input autocomplete="off" class="custom_field" tabindex="36" name="<?php echo $id;?>" id="<?php echo $id;?>" size="25" value="<?php echo $_POST[$id];?>" type="text" /></label><br /></p>
    +		<input autocomplete="off" class="custom_field" tabindex="36" name="<?php echo esc_attr($id);?>" id="<?php echo esc_attr($id);?>" size="25" value="<?php echo esc_attr($_POST[$id]);?>" type="text" /></label><br /></p>
    
             <?php } else if( $v['fieldtype'] == 'date' ){ ?>
             <p><label><?php echo $v['label'];?>: <br />
    -		<input autocomplete="off" class="custom_field date-pick" tabindex="36" name="<?php echo $id;?>" id="<?php echo $id;?>" size="25" value="<?php echo $_POST[$id];?>" type="text" /></label><br /></p>
    +		<input autocomplete="off" class="custom_field date-pick" tabindex="36" name="<?php echo esc_attr($id);?>" id="<?php echo esc_attr($id);?>" size="25" value="<?php echo esc_attr($_POST[$id]);?>" type="text" /></label><br /></p>
    
     		<?php } else if( $v['fieldtype'] == 'select' ){
     			$ops = explode(',',$v['extraoptions']);
     				$options='';
     			foreach( $ops as $op ){
    -				$options .= '<option value="'.$op.'" ';
    +				$options .= '<option value="'.esc_attr($op).'" ';
     				if( $_POST[$id] == $op ) $options .= 'selected="selected"';
    -				$options .= '>' . $op . '</option>';
    +				$options .= '>' . esc_attr($op) . '</option>';
     			}
     		?>
             <p><label><?php echo $v['label'];?>: <br />
    -        <select class="custom_select" tabindex="36" name="<?php echo $id;?>" id="<?php echo $id;?>">
    +        <select class="custom_select" tabindex="36" name="<?php echo esc_attr($id);?>" id="<?php echo esc_attr($id);?>">
             	<?php echo $options;?>
             </select></label><br /></p>
    
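Review bot: `$v['label']` is still echoed unescaped on the `<p><label>` lines of this hunk (and in the checkbox, radio and textarea hunks below), while `$id` and `$op`, which are derived from the same configuration array, are now escaped; for consistency the label should be output as `<?php echo esc_html($v['label']);?>`. These values appear to come from the plugin's stored options rather than from the request, so the exposure is limited to what an administrator stores, but the escaping should not depend on that. Inside the `select` branch `esc_attr($op)` is used for the option's visible text as well as its value; `esc_html($op)` is the matching function for element content, though the output is safe either way. The `$_POST[$id] == $op` comparison is a loose comparison and is left unchanged by the patch.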
    @@ -1199,9 +1216,9 @@
     				$ops = explode(',',$v['extraoptions']);
     				$check='';
     				foreach( $ops as $op ){
    -					$check .= '<label><input type="checkbox" class="custom_checkbox" tabindex="36" name="'.$id.'[]" id="'.$id.'" ';
    +					$check .= '<label><input type="checkbox" class="custom_checkbox" tabindex="36" name="'.esc_attr($id).'[]" id="'.esc_attr($id).'" ';
     					//if( in_array($op, $_POST[$id]) ) $check .= 'checked="checked" ';
    -					$check .= 'value="'.$op.'" /> '.$op.'</label> ';
    +					$check .= 'value="'.esc_attr($op).'" /> '.esc_attr($op).'</label> ';
     				}
     				?>
                     <p><label><?php echo $v['label'];?>:</label> <br /><?php
    @@ -1211,9 +1228,9 @@
     				$ops = explode(',',$v['extraoptions']);
     				$radio = '';
     				foreach( $ops as $op ){
    -					$radio .= '<label><input type="radio" class="custom_radio" tabindex="36" name="'.$id.'" id="'.$id.'" ';
    +					$radio .= '<label><input type="radio" class="custom_radio" tabindex="36" name="'.esc_attr($id).'" id="'.esc_attr($id).'" ';
     					//if( in_array($op, $_POST[$id]) ) $radio .= 'checked="checked" ';
    -					$radio .= 'value="'.$op.'" /> '.$op.'</label> ';
    +					$radio .= 'value="'.esc_attr($op).'" /> '.esc_attr($op).'</label> ';
     				}
     				?>
                     <p><label><?php echo $v['label'];?>:</label> <br /><?php
    @@ -1221,10 +1238,10 @@
    
     			} else if( $v['fieldtype'] == 'textarea' ){ ?>
                 <p><label><?php echo $v['label'];?>: <br />
    -		<textarea tabindex="36" name="<?php echo $id;?>" cols="25" rows="5" id="<?php echo $id;?>" class="custom_textarea"><?php echo $_POST[$id];?></textarea></label><br /></p>
    +		<textarea tabindex="36" name="<?php echo esc_attr($id);?>" cols="25" rows="5" id="<?php echo esc_attr($id);?>" class="custom_textarea"><?php echo esc_html($_POST[$id]);?></textarea></label><br /></p>
    
     		<?php } else if( $v['fieldtype'] == 'hidden' ){ ?>
    -		<input class="custom_field" tabindex="36" name="<?php echo $id;?>" value="<?php echo $_POST[$id];?>" type="hidden" />
    +		<input class="custom_field" tabindex="36" name="<?php echo esc_attr($id);?>" value="<?php echo esc_attr($_POST[$id]);?>" type="hidden" />
             <?php } ?>		
    
     		<?php	}
    @@ -1234,9 +1251,9 @@
     			if ( $regplus['password'] ){
     			?>
             <p><label><?php _e('Password:', 'regplus');?> <br />
    -		<input autocomplete="off" name="pass1" id="pass1" size="25" value="<?php echo $_POST['pass1'];?>" type="password" tabindex="40" /></label><br />
    +		<input autocomplete="off" name="pass1" id="pass1" size="25" value="<?php echo esc_attr($_POST['pass1']);?>" type="password" tabindex="40" /></label><br />
             <label><?php _e('Confirm Password:', 'regplus');?> <br />
    -        <input autocomplete="off" name="pass2" id="pass2" size="25" value="<?php echo $_POST['pass2'];?>" type="password" tabindex="41" /></label>
    +        <input autocomplete="off" name="pass2" id="pass2" size="25" value="<?php echo esc_attr($_POST['pass2']);?>" type="password" tabindex="41" /></label>
             <?php if( $regplus['password_meter'] ){ ?><br />
             <span id="pass-strength-result"><?php echo $regplus['short'];?></span>
     		<small><?php _e('Hint: Use upper and lower case characters, numbers and symbols like !"?$%^&( in your password.', 'regplus'); ?> </small><?php } ?></p>
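Review bot: Escaping `$_POST['pass1']` and `$_POST['pass2']` stops the injection, but the submitted password is still written back into the page source as the `value` of the two password inputs, where it can be read from the response body, the browser cache or any page-level logging; password fields should not be pre-filled after a failed submission, so both `value="..."` attributes should be dropped, giving `<input autocomplete="off" name="pass1" id="pass1" size="25" type="password" tabindex="40" />` and the same for `pass2`. `$regplus['short']` on the `pass-strength-result` line is echoed unescaped; if it is an option value, `esc_html()` should apply there as well. The enclosing function continues outside this hunk.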
    @@ -1246,7 +1263,7 @@
     				if( isset( $_GET['regcode'] ) ) $_POST['regcode'] = $_GET['regcode'];
     			?>
             <p><label><?php _e('Invitation Code:', 'regplus');?> <br />
    -		<input name="regcode" id="regcode" size="25" value="<?php echo $_POST['regcode'];?>" type="text" tabindex="45" /></label><br />
    +		<input name="regcode" id="regcode" size="25" value="<?php echo esc_attr($_POST['regcode']);?>" type="text" tabindex="45" /></label><br />
             <?php if ($regplus['code_req']) {?>
     		<small><?php _e('This website is currently closed to public registrations.  You will need an invitation code to register.', 'regplus');?></small>
             <?php }else{ ?>

    The patch can also be downloaded from http://blog.sjinks.pro/security/895-register-plus-xss-vulnerability/

    http://wordpress.org/extend/plugins/register-plus/
