Because the plugin fails to escape user-supplied data before outputting it, a remote attacker can launch an XSS attack.
Advisory: http://websecurity.com.ua/4539
Patch:
diff -uwdBrN register-plus.orig/dash_widget.php register-plus/dash_widget.php
--- register-plus.orig/dash_widget.php 2011-02-13 14:16:22.000000000 +0200
+++ register-plus/dash_widget.php 2011-02-13 14:39:19.695898908 +0200
@@ -1,4 +1,5 @@
<?php
+if (function_exists('add_action')) :
if( !class_exists('RegisterPlusWidget') ){
class RegisterPlusWidget{
function RegisterPlusWidget() { //contructor
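Review bot: The direct-access guard added at the top of dash_widget.php tests `function_exists('add_action')` while the companion file register-plus.php in this same patch guards with `defined('ABSPATH') or die('')`; one idiom for both files would make the intent recognisable at a glance. Wrapping the whole file in an `if … :` / `endif;` pair (the `endif;` lands in the next hunk, -44,4) also makes the class declaration conditional on runtime state, whereas an early exit leaves the rest of the file flat. Suggested replacement for the added line: `defined('ABSPATH') or die('');`, with the `endif;` dropped.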
@@ -44,4 +45,5 @@
// Start this plugin once all other plugins are fully loaded
add_action( 'plugins_loaded', create_function( '', 'global $regplus_widget; $regplus_widget = new RegisterPlusWidget();' ) );
+endif;
?>
\ No EOL
diff -uwdBrN register-plus.orig/register-plus.php register-plus/register-plus.php
--- register-plus.orig/register-plus.php 2011-02-13 14:16:22.000000000 +0200
+++ register-plus/register-plus.php 2011-02-13 14:39:48.974291095 +0200
@@ -14,11 +14,28 @@
See readme.txt
*/
+defined('ABSPATH') or die('');
+
$rp = get_option( 'register_plus' ); //load options
if( $rp['dash_widget'] ) //if dashboard widget is enabled
include_once('dash_widget.php'); //add the dashboard widget
if( !class_exists('RegisterPlusPlugin') ){
+
+ if (!function_exists('esc_attr')) :
+ function esc_attr($s)
+ {
+ return attribute_escape($s);
+ }
+ endif;
+
+ if (!function_exists('esc_html')) :
+ function esc_html($s)
+ {
+ return wp_specialchars($s);
+ }
+ endif;
+
class RegisterPlusPlugin{
function RegisterPlusPlugin() { //constructor
global $wp_version;
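Review bot: The `esc_html` shim delegates to `wp_specialchars($s)` with its default quote handling, which in the older WordPress releases this shim targets leaves `"` and `'` unencoded, so the shim is only safe in text-node context, not inside an attribute. The one new caller in this patch (the custom textarea body in the -1221 hunk) is text context, so the behaviour is correct, but the shim should say so before a later maintainer reaches for it in a `value=""`: add `// text context only: wp_specialchars() leaves quotes unencoded; use esc_attr() inside attributes` above the function. Alternatively both shims could call `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')` directly and not depend on `attribute_escape`/`wp_specialchars` being present. The enclosing `if( !class_exists('RegisterPlusPlugin') )` block continues past the hunk.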
@@ -1112,7 +1129,7 @@
if( isset( $_GET['firstname'] ) ) $_POST['firstname'] = $_GET['firstname'];
?>
<p><label><?php _e('First Name:', 'regplus');?> <br />
- <input autocomplete="off" name="firstname" id="firstname" size="25" value="<?php echo $_POST['firstname'];?>" type="text" tabindex="30" /></label><br />
+ <input autocomplete="off" name="firstname" id="firstname" size="25" value="<?php echo esc_attr($_POST['firstname']);?>" type="text" tabindex="30" /></label><br />
</p>
<?php
}
@@ -1120,7 +1137,7 @@
if( isset( $_GET['lastname'] ) ) $_POST['lastname'] = $_GET['lastname'];
?>
<p><label><?php _e('Last Name:', 'regplus');?> <br />
- <input autocomplete="off" name="lastname" id="lastname" size="25" value="<?php echo $_POST['lastname'];?>" type="text" tabindex="31" /></label><br />
+ <input autocomplete="off" name="lastname" id="lastname" size="25" value="<?php echo esc_attr($_POST['lastname']);?>" type="text" tabindex="31" /></label><br />
</p>
<?php
}
@@ -1128,7 +1145,7 @@
if( isset( $_GET['website'] ) ) $_POST['website'] = $_GET['website'];
?>
<p><label><?php _e('Website:', 'regplus');?> <br />
- <input autocomplete="off" name="website" id="website" size="25" value="<?php echo $_POST['website'];?>" type="text" tabindex="32" /></label><br />
+ <input autocomplete="off" name="website" id="website" size="25" value="<?php echo esc_attr($_POST['website']);?>" type="text" tabindex="32" /></label><br />
</p>
<?php
}
@@ -1136,7 +1153,7 @@
if( isset( $_GET['aim'] ) ) $_POST['aim'] = $_GET['aim'];
?>
<p><label><?php _e('AIM:', 'regplus');?> <br />
- <input autocomplete="off" name="aim" id="aim" size="25" value="<?php echo $_POST['aim'];?>" type="text" tabindex="32" /></label><br />
+ <input autocomplete="off" name="aim" id="aim" size="25" value="<?php echo esc_attr($_POST['aim']);?>" type="text" tabindex="32" /></label><br />
</p>
<?php
}
@@ -1144,7 +1161,7 @@
if( isset( $_GET['yahoo'] ) ) $_POST['yahoo'] = $_GET['yahoo'];
?>
<p><label><?php _e('Yahoo IM:', 'regplus');?> <br />
- <input autocomplete="off" name="yahoo" id="yahoo" size="25" value="<?php echo $_POST['yahoo'];?>" type="text" tabindex="33" /></label><br />
+ <input autocomplete="off" name="yahoo" id="yahoo" size="25" value="<?php echo esc_attr($_POST['yahoo']);?>" type="text" tabindex="33" /></label><br />
</p>
<?php
}
@@ -1152,7 +1169,7 @@
if( isset( $_GET['jabber'] ) ) $_POST['jabber'] = $_GET['jabber'];
?>
<p><label><?php _e('Jabber / Google Talk:', 'regplus');?> <br />
- <input autocomplete="off" name="jabber" id="jabber" size="25" value="<?php echo $_POST['jabber'];?>" type="text" tabindex="34" /></label><br />
+ <input autocomplete="off" name="jabber" id="jabber" size="25" value="<?php echo esc_attr($_POST['jabber']);?>" type="text" tabindex="34" /></label><br />
</p>
<?php
}
@@ -1160,7 +1177,7 @@
if( isset( $_GET['about'] ) ) $_POST['about'] = $_GET['about'];
?>
<p><label><?php _e('About Yourself:', 'regplus');?> <br />
- <textarea autocomplete="off" name="about" id="about" cols="25" rows="5" tabindex="35"><?php echo stripslashes($_POST['about']);?></textarea></label><br />
+ <textarea autocomplete="off" name="about" id="about" cols="25" rows="5" tabindex="35"><?php echo esc_attr(stripslashes($_POST['about']));?></textarea></label><br />
<small><?php _e('Share a little biographical information to fill out your profile. This may be shown publicly.', 'regplus');?></small>
</p>
<?php
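Review bot: The `about` textarea body is now wrapped in `esc_attr()` while the custom-field textarea in the -1221 hunk uses `esc_html()`; both encode what element content needs, but the attribute escaper is the wrong name for a text node and the two sites should agree: `<?php echo esc_html(stripslashes($_POST['about']));?>`. The `stripslashes()` call is kept, which is consistent with the magic_quotes-era input handling elsewhere in the file. The surrounding method continues past the end of the hunk.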
@@ -1175,23 +1192,23 @@
<?php if( $v['fieldtype'] == 'text' ){ ?>
<p><label><?php echo $v['label'];?>: <br />
- <input autocomplete="off" class="custom_field" tabindex="36" name="<?php echo $id;?>" id="<?php echo $id;?>" size="25" value="<?php echo $_POST[$id];?>" type="text" /></label><br /></p>
+ <input autocomplete="off" class="custom_field" tabindex="36" name="<?php echo esc_attr($id);?>" id="<?php echo esc_attr($id);?>" size="25" value="<?php echo esc_attr($_POST[$id]);?>" type="text" /></label><br /></p>
<?php } else if( $v['fieldtype'] == 'date' ){ ?>
<p><label><?php echo $v['label'];?>: <br />
- <input autocomplete="off" class="custom_field date-pick" tabindex="36" name="<?php echo $id;?>" id="<?php echo $id;?>" size="25" value="<?php echo $_POST[$id];?>" type="text" /></label><br /></p>
+ <input autocomplete="off" class="custom_field date-pick" tabindex="36" name="<?php echo esc_attr($id);?>" id="<?php echo esc_attr($id);?>" size="25" value="<?php echo esc_attr($_POST[$id]);?>" type="text" /></label><br /></p>
<?php } else if( $v['fieldtype'] == 'select' ){
$ops = explode(',',$v['extraoptions']);
$options='';
foreach( $ops as $op ){
- $options .= '<option value="'.$op.'" ';
+ $options .= '<option value="'.esc_attr($op).'" ';
if( $_POST[$id] == $op ) $options .= 'selected="selected"';
- $options .= '>' . $op . '</option>';
+ $options .= '>' . esc_attr($op) . '</option>';
}
?>
<p><label><?php echo $v['label'];?>: <br />
- <select class="custom_select" tabindex="36" name="<?php echo $id;?>" id="<?php echo $id;?>">
+ <select class="custom_select" tabindex="36" name="<?php echo esc_attr($id);?>" id="<?php echo esc_attr($id);?>">
<?php echo $options;?>
</select></label><br /></p>
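Review bot: `$v['label']` is still echoed raw at three places in this hunk (`<?php echo $v['label'];?>` in the text, date and select branches) while `$op`, which comes from the same `$v['extraoptions']` definition, is now escaped; the same raw echo recurs in the -1199, -1211 and -1221 hunks. If labels are admin-configured they are lower risk than the request parameters this patch targets, but the escaping should be applied uniformly: `<?php echo esc_html($v['label']);?>`. The `if( $_POST[$id] == $op )` comparison is loose; `$op` is always a string from `explode()`, so `===` would avoid PHP's numeric-string coercion when deciding which option is `selected`.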
@@ -1199,9 +1216,9 @@
$ops = explode(',',$v['extraoptions']);
$check='';
foreach( $ops as $op ){
- $check .= '<label><input type="checkbox" class="custom_checkbox" tabindex="36" name="'.$id.'[]" id="'.$id.'" ';
+ $check .= '<label><input type="checkbox" class="custom_checkbox" tabindex="36" name="'.esc_attr($id).'[]" id="'.esc_attr($id).'" ';
//if( in_array($op, $_POST[$id]) ) $check .= 'checked="checked" ';
- $check .= 'value="'.$op.'" /> '.$op.'</label> ';
+ $check .= 'value="'.esc_attr($op).'" /> '.esc_attr($op).'</label> ';
}
?>
<p><label><?php echo $v['label'];?>:</label> <br /><?php
@@ -1211,9 +1228,9 @@
$ops = explode(',',$v['extraoptions']);
$radio = '';
foreach( $ops as $op ){
- $radio .= '<label><input type="radio" class="custom_radio" tabindex="36" name="'.$id.'" id="'.$id.'" ';
+ $radio .= '<label><input type="radio" class="custom_radio" tabindex="36" name="'.esc_attr($id).'" id="'.esc_attr($id).'" ';
//if( in_array($op, $_POST[$id]) ) $radio .= 'checked="checked" ';
- $radio .= 'value="'.$op.'" /> '.$op.'</label> ';
+ $radio .= 'value="'.esc_attr($op).'" /> '.esc_attr($op).'</label> ';
}
?>
<p><label><?php echo $v['label'];?>:</label> <br /><?php
@@ -1221,10 +1238,10 @@
} else if( $v['fieldtype'] == 'textarea' ){ ?>
<p><label><?php echo $v['label'];?>: <br />
- <textarea tabindex="36" name="<?php echo $id;?>" cols="25" rows="5" id="<?php echo $id;?>" class="custom_textarea"><?php echo $_POST[$id];?></textarea></label><br /></p>
+ <textarea tabindex="36" name="<?php echo esc_attr($id);?>" cols="25" rows="5" id="<?php echo esc_attr($id);?>" class="custom_textarea"><?php echo esc_html($_POST[$id]);?></textarea></label><br /></p>
<?php } else if( $v['fieldtype'] == 'hidden' ){ ?>
- <input class="custom_field" tabindex="36" name="<?php echo $id;?>" value="<?php echo $_POST[$id];?>" type="hidden" />
+ <input class="custom_field" tabindex="36" name="<?php echo esc_attr($id);?>" value="<?php echo esc_attr($_POST[$id]);?>" type="hidden" />
<?php } ?>
<?php }
@@ -1234,9 +1251,9 @@
if ( $regplus['password'] ){
?>
<p><label><?php _e('Password:', 'regplus');?> <br />
- <input autocomplete="off" name="pass1" id="pass1" size="25" value="<?php echo $_POST['pass1'];?>" type="password" tabindex="40" /></label><br />
+ <input autocomplete="off" name="pass1" id="pass1" size="25" value="<?php echo esc_attr($_POST['pass1']);?>" type="password" tabindex="40" /></label><br />
<label><?php _e('Confirm Password:', 'regplus');?> <br />
- <input autocomplete="off" name="pass2" id="pass2" size="25" value="<?php echo $_POST['pass2'];?>" type="password" tabindex="41" /></label>
+ <input autocomplete="off" name="pass2" id="pass2" size="25" value="<?php echo esc_attr($_POST['pass2']);?>" type="password" tabindex="41" /></label>
<?php if( $regplus['password_meter'] ){ ?><br />
<span id="pass-strength-result"><?php echo $regplus['short'];?></span>
<small><?php _e('Hint: Use upper and lower case characters, numbers and symbols like !"?$%^&( in your password.', 'regplus'); ?> </small><?php } ?></p>
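Review bot: Escaping closes the injection, but the new `pass1`/`pass2` lines still echo the submitted password back into the `value` attributes, so a failed registration re-emits the secret in the page source where browser history, proxies and page caches can retain it. The usual practice for password inputs is to not prefill them: `value=""` on both inputs and let the user retype. `$regplus['short']` in the `pass-strength-result` span is also still echoed unescaped; presumably it is a stored option string rather than request input, but `esc_html()` there would match the rest of the patch.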
@@ -1246,7 +1263,7 @@
if( isset( $_GET['regcode'] ) ) $_POST['regcode'] = $_GET['regcode'];
?>
<p><label><?php _e('Invitation Code:', 'regplus');?> <br />
- <input name="regcode" id="regcode" size="25" value="<?php echo $_POST['regcode'];?>" type="text" tabindex="45" /></label><br />
+ <input name="regcode" id="regcode" size="25" value="<?php echo esc_attr($_POST['regcode']);?>" type="text" tabindex="45" /></label><br />
<?php if ($regplus['code_req']) {?>
<small><?php _e('This website is currently closed to public registrations. You will need an invitation code to register.', 'regplus');?></small>
<?php }else{ ?>
The patch can also be downloaded from http://blog.sjinks.pro/security/895-register-plus-xss-vulnerability/