WordPress MU Domain Mapping
security issue with allowing users to map their own domains (6 posts)

  1. _ck_
    Member
    Posted 10 months ago #

    Note there is a security hole in this plugin where if a user is allowed to map their own domains via the wp-admin tools interface, they can just enter a subdomain of the current wordpress network and take it over.

    So for example, if wordpress.org was running mu and this plugin and you were at blah.wordpress.org and the admin menu was active, they can map news.wordpress.org over their blog.

    There needs to be a security check that the domain they entered is not a subdomain of the current network, even if it is not active.

    http://wordpress.org/plugins/wordpress-mu-domain-mapping/

  2. Ron Rennick
    MultiSite Guru
    Plugin Author

    Posted 10 months ago #

    While it is fair enough that it allows them to direct the subdomain URL to their own site, it is not a security issue.

    Doing that does not give them access to any data or admin screens that they did not already have access to.

  3. _ck_
    Member
    Posted 10 months ago #

    It's a security issue if users can control how your site behaves.

    The entire sanitization check is highly dubious in this plugin and not robust enough.

    $domain = $wpdb->escape( $_POST[ 'domain' ] );
    if ( $domain == '' ) {
            wp_die( "You must enter a domain" );
    }
    if( null == $wpdb->get_row( "SELECT blog_id FROM {$wpdb->blogs} WHERE domain = ...
    && null == $wpdb->get_row( "SELECT blog_id FROM {$wpdb->dmtable} WHERE domain = ...'

    So a user can enter high ASCII characters, Unicode, leading dots, trailing dots, IP addresses, "localhost" and a whole bunch of other questionable entries that may cause undesired behavior.

    It would probably be a good idea to test if the domain entered

    1. is not an IP
    2. is dotted (not dotless or localhost)
    3. doesn't contain the domain of the multisite home network
    4. actually has an rdns A record or CNAME
    5. that rdns resolves to the current network IP

  4. Ron Rennick
    MultiSite Guru
    Plugin Author

    Posted 10 months ago #

    So a user can enter high ascii characters, unicode, leading dots, trailing dots, ip addresses, "localhost" and a whole bunch of other questionable entries that may cause undesired behavior.

    Agreed - however that does not make it a security issue.

  5. TCBarrett
    Member
    Posted 10 months ago #

    How about adding some filters so that _ck_ can add those checks they so choose?

  6. SysFailure0x5a
    Member
    Posted 10 months ago #

    This is absolutely a security issue. Let us consider this scenario. Site-A gets 50,000 unique hits a day. User-B makes Site-B and maps Site-A's domain and then plasters spam, porn, and affiliate crap everywhere. Site-A's domain name has been compromised in this scenario. Let's also imagine you fix that one scenario. User-B maps a subdomain of Site-A on his blog and now has http://free.Site-A.com pointing to his blog. In both cases Site-A's domain name has been compromised by an unauthorized user.

    If you think one user jacking another user's domain name is not a security issue, I think you need to think again.

    This plugin desperately needs the following:

    1.) Check to see if domain is mapped elsewhere.
    2.) Have a back end option checkbox that allows super admins to approve domain mappings that are submitted by a user.
    3.) A checkbox in the back end that allows or disallows users to map SUBDOMAINS of an already mapped domain. I.E if UserA only has http://SiteA.com mapped then UserB cannot map http://www.SiteA.com
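
Added example (not part of the thread and not the plugin's code): a sketch of the offline checks proposed in posts 3 and 6, run before a user-submitted mapping is stored. The function names, the `$mapped_domains` list and the sample input are assumptions made up for illustration; the DNS lookups from items 4 and 5 of post 3 are left out so the block runs without network access.

```php
<?php
// Hypothetical helpers for illustration; not WordPress MU Domain Mapping code.

// True when $domain equals $parent or is a subdomain of it.
function dm_example_same_or_sub( $domain, $parent ) {
    $suffix = '.' . $parent;
    return $domain === $parent || substr( $domain, -strlen( $suffix ) ) === $suffix;
}

// Returns a rejection reason, or null when the domain passes every offline check.
function dm_example_check_domain( $input, $network_domain, array $mapped_domains ) {
    $domain = strtolower( trim( $input ) );
    if ( $domain === '' || strlen( $domain ) > 253 ) {
        return 'empty or too long';
    }
    if ( filter_var( $domain, FILTER_VALIDATE_IP ) ) {
        return 'IP address';
    }
    if ( strpos( $domain, '.' ) === false ) {
        return 'dotless name';
    }
    // Each label: ASCII letters, digits, inner hyphens only. An empty label
    // (leading, trailing or doubled dot) and any high-ASCII byte fail here.
    foreach ( explode( '.', $domain ) as $label ) {
        if ( ! preg_match( '/\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\z/', $label ) ) {
            return 'invalid label';
        }
    }
    if ( dm_example_same_or_sub( $domain, strtolower( $network_domain ) ) ) {
        return 'inside the home network';
    }
    foreach ( $mapped_domains as $mapped ) {
        if ( dm_example_same_or_sub( $domain, strtolower( $mapped ) ) ) {
            return 'already mapped, or subdomain of a mapped domain';
        }
    }
    return null;
}

// Constructed sample input, using the hostnames the thread mentions.
$mapped = array( 'sitea.com' );
$tests  = array( 'news.wordpress.org', 'www.SiteA.com', '10.0.0.1', 'localhost',
                 '.example.net', 'example.net.', "ex\xC3\xA4mple.net", 'blog.example.net' );
foreach ( $tests as $t ) {
    $why = dm_example_check_domain( $t, 'wordpress.org', $mapped );
    echo str_pad( $t, 20 ), ' => ', $why === null ? 'accepted' : "rejected ($why)", "\n";
}
```

Only `blog.example.net` is accepted from the sample list; every other entry is rejected by one of the checks named in the thread.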
