• I noticed today that the whitelist only matches on the end of the email string. (This is also true of the blacklist, though that isn’t as critical since at worst it would make registration more exclusive rather than inclusive.)

    To test, put example.com into the whitelist and try registering with anything@hackedexample.com — the plugin allows this registration.

    If a malicious user knew one of the whitelisted domains (perhaps revealed in the error message the site admin has set up), it would be a trivial matter to bypass the restriction and gain potentially unlimited registrations by acquiring a domain of the form [random]example.com.

    The troublesome code is the substr() on line 128 (and line 115 for the blacklist). It checks back from the end of the string and is limited by the number of characters in the whitelisted domain — so it’s not guaranteed to match every character after the @ in the email address.

    There are many possible solutions — one of which could be a regex-based solution for domain matching. You wouldn’t have to get too complicated with it since WordPress has a check built-in to make sure email addresses are well-formed during registration. Here’s a quick example, not guaranteed to be airtight (and overly wordy for clarity)…

    $allowed_domain = 'example.com';
    $is_valid_email_domain = false;
    $registration_email = 'anything@hackedexample.com';
    // Capture everything after the "@" (WordPress has already checked that the address is well-formed).
    preg_match( '/@(.*)/', $registration_email, $matches );
    $registration_email_domain = isset( $matches[1] ) ? $matches[1] : '';
    // Compare the whole captured domain, not just its last few characters.
    if ( $registration_email_domain === $allowed_domain ) {
        $is_valid_email_domain = true;
    }

    Thanks for your plugin, Warren — it was a very helpful drop-in solution for my site, and I appreciate the effort you’ve put into it!

    http://wordpress.org/extend/plugins/user-domain-whitelist/
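    The following is an added worked example, not code from the post above and not the plugin's own code. It reconstructs the suffix-only comparison the post describes (a `substr()` over the last `strlen($domain)` characters of the address) so its behaviour can be seen side by side with an exact-match check on the part of the address after the last "@". The `domain_is_allowed()` helper also goes one step beyond the post: an optional `$allow_subdomains` flag accepts `sub.example.com` but only across a "." boundary, so `hackedexample.com` is still rejected. Function names, the whitelist and the sample addresses are all constructed for this illustration.

```php
<?php
// Added example (not the plugin's code). Contrasts a suffix-only match,
// reconstructed from the behaviour described in the post, with an
// exact-match check on the part of the address after the last "@".

/**
 * Suffix-only comparison of the kind the post describes: it looks at the
 * last strlen($domain) characters of the address, so any address that
 * merely ends with the allowed domain passes. Vulnerable; for illustration.
 */
function domain_matches_suffix_only( $email, $domain ) {
    return substr( $email, -strlen( $domain ) ) === $domain;
}

/**
 * Extract the domain part of an address: everything after the last "@",
 * lower-cased, with surrounding whitespace removed. Returns '' when there
 * is no "@" so that a malformed address can never match an allowed domain.
 */
function email_domain( $email ) {
    $at = strrpos( $email, '@' );
    if ( $at === false ) {
        return '';
    }
    return strtolower( trim( substr( $email, $at + 1 ) ) );
}

/**
 * Exact comparison of the extracted domain against each allowed domain.
 * With $allow_subdomains the check also accepts "x.example.com", but only
 * across a "." boundary, so "hackedexample.com" still fails.
 */
function domain_is_allowed( $email, array $allowed_domains, $allow_subdomains = false ) {
    $domain = email_domain( $email );
    if ( $domain === '' ) {
        return false;
    }
    foreach ( $allowed_domains as $allowed ) {
        $allowed = strtolower( trim( $allowed ) );
        if ( $domain === $allowed ) {
            return true;
        }
        if ( $allow_subdomains ) {
            $suffix = '.' . $allowed;
            // Require at least one character before the "." so ".example.com" alone is not accepted.
            if ( strlen( $domain ) > strlen( $suffix )
                && substr( $domain, -strlen( $suffix ) ) === $suffix ) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample input: one whitelisted domain and a few addresses
// that probe the suffix problem, case handling and the subdomain boundary.
$whitelist = array( 'example.com' );
$samples   = array(
    'anything@example.com',
    'anything@hackedexample.com',
    'anything@sub.example.com',
    'Anything@EXAMPLE.COM',
    'anything@example.com.attacker.test',
    'no-at-sign',
);

printf( "%-38s %-12s %-12s %s\n", 'email', 'suffix-only', 'exact', 'exact+subdomains' );
foreach ( $samples as $email ) {
    printf(
        "%-38s %-12s %-12s %s\n",
        $email,
        domain_matches_suffix_only( $email, $whitelist[0] ) ? 'allowed' : 'rejected',
        domain_is_allowed( $email, $whitelist ) ? 'allowed' : 'rejected',
        domain_is_allowed( $email, $whitelist, true ) ? 'allowed' : 'rejected'
    );
}
```

    Run with `php example.php`: the suffix-only column shows `anything@hackedexample.com` as allowed, which is the bypass the post reports, while both exact-match columns reject it; the `sub.example.com` row is accepted only when subdomains are explicitly enabled. Normalising case before comparing is the one deliberate addition over the post's snippet, since domain names are case-insensitive and a mixed-case address would otherwise be rejected by a strict `===`.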

  • The topic ‘[Plugin: User Domain Whitelist] Whitelist security bug’ is closed to new replies.