WP-Members
[resolved] Cross-site scripting vulnerabilities (2 posts)

  1. hhr_web
    Member
    Posted 1 year ago #

    Our host has detected cross-site scripting vulnerabilities on the "a" and "thestate" parameters within your CGI files. At least from what I can tell from their log, it appears to be related to this plugin. Here is a part of their log:

    Using the GET HTTP method, Site Scanner found that :
    + The following resources may be vulnerable to injectable parameter :
    + The 'a' parameter of the /comic-strip-submitted-to-dee-cote/ CGI :
    /comic-strip-submitted-to-dee-cote/?a=%00rnrfrh
    -------- output --------
    <div class="entry-content">
    <input type="hidden" id="_wpnonce" name="_wpnonce" value="e13e251252" />
    <input type="hidden" name="_wp_http_referer" value="/comic-strip-submitt
    ed-to-dee-cote/?a=%00rnrfrh" /><p>This content is restricted to site mem
    bers. If you are an existing user, please login. New users may registe
    r below.</p>
    <div class="wpmem_login">
    <a name="login"></a></p>
    ------------------------
    + The 'thestate' parameter of the /morgenthau-list-being-added/ CGI :
    /morgenthau-list-being-added/?thestate=%00rnrfrh
    -------- output --------
    <div class="entry-content">
    <input type="hidden" id="_wpnonce" name="_wpnonce" value="e13e251252" />
    <input type="hidden" name="_wp_http_referer" value="/morgenthau-list-bei
    ng-added/?thestate=%00rnrfrh" /><p>This content is restricted to site me
    mbers. If you are an existing user, please login. New users may regist
    er below.</p>
    <div class="wpmem_login">
    <a name="login"></a></p>

    According to the following URL regarding your 2.8.1 release, the cross-site scripting exploit has been closed: http://rocketgeek.com/release-announcements/wp-members-2-8-1-release/

    Can you confirm that this is still a valid issue and if so, when we might expect a new release to resolve it? Thanks.

    http://wordpress.org/extend/plugins/wp-members/

  2. Chad Butler
    Member
    Plugin Author

    Posted 1 year ago #

    Neither of these would represent a vulnerability.

    It is odd though that you would have thestate as a parameter in the querystring. I'm not 100% sure that would come from this plugin. When using the default form values that the plugin installs with, the value for State is passed as thestate. However, this is posted with the form, not passed as a querystring (the same as all other registration form values). All of the registration form values are only accepted as $_POSTed values and not $_REQUEST/$_GET.

    Likewise, the plugin does use an "a" parameter to pass actions, but again, when registering (accepting user input values), this is not passed as a querystring as it is shown above.

Topic Closed

This topic has been closed to new replies.
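
A triage check for the scanner output quoted in the thread, as an added example that is not part of the original posts or the plugin's code: it parses a response and reports the HTML context in which a probe marker is reflected. `ReflectionFinder`, `reflection_contexts` and `SCANNER_OUTPUT` are names assumed for this example, and the sample is the log's first output block with its line wraps joined.

```python
from html.parser import HTMLParser

# Constructed sample: the first scanner "output" block quoted in the thread,
# with its hard line wraps joined back together.
SCANNER_OUTPUT = (
    '<div class="entry-content">\n'
    '<input type="hidden" id="_wpnonce" name="_wpnonce" value="e13e251252" />\n'
    '<input type="hidden" name="_wp_http_referer" '
    'value="/comic-strip-submitted-to-dee-cote/?a=%00rnrfrh" />'
    '<p>This content is restricted to site members. If you are an existing '
    'user, please login. New users may register below.</p>\n'
    '<div class="wpmem_login">\n<a name="login"></a></p>\n'
)


class ReflectionFinder(HTMLParser):
    """Record each place a scanner probe marker appears in a parsed response."""

    def __init__(self, marker):
        super().__init__()
        self.marker = marker
        self.hits = []           # (context, element, attribute)
        self.in_raw_text = None  # "script" or "style" while inside one

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.in_raw_text = tag
        field = dict(attrs).get("name")
        element = f"{tag} name={field}" if field else tag
        for attr, value in attrs:
            if self.marker in attr:
                self.hits.append(("attribute-name", element, attr))
            elif value and self.marker in value:
                self.hits.append(("attribute-value", element, attr))

    def handle_endtag(self, tag):
        if tag == self.in_raw_text:
            self.in_raw_text = None

    def handle_data(self, data):
        if self.marker in data:
            context = f"{self.in_raw_text}-body" if self.in_raw_text else "text"
            self.hits.append((context, None, None))


def reflection_contexts(html, marker):
    """Return every (context, element, attribute) where marker is reflected."""
    finder = ReflectionFinder(marker)
    finder.feed(html)
    finder.close()
    return finder.hits
```

On the logged response the only hit is the `value` attribute of the `_wp_http_referer` hidden input, and the same holds when the `thestate` URL from the second block is substituted.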
