Support » Plugin: WordPress MU Domain Mapping » security issue with allowing users to map their own domains

  • Note there is a security hole in this plugin where if a user is allowed to map their own domains via the wp-admin tools interface, they can just enter a subdomain of the current wordpress network and take it over.

    So, for example, if wordpress.org was running mu and this plugin and you were at blah.wordpress.org and the admin menu was active, they can map news.wordpress.org over their blog.

    There needs to be a security check that the domain they entered is not a subdomain of the current network, even if it is not active.

    http://wordpress.org/plugins/wordpress-mu-domain-mapping/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Ron Rennick

    (@wpmuguru)

    While it is fair enough that it allows them to direct the subdomain URL to their own site, it is not a security issue.

    Doing that does not give them access to any data or admin screens that they did not already have access to.

    Thread Starter _ck_

    (@_ck_)

    It’s a security issue if users can control how your site behaves.

    The entire sanitation check is highly dubious in this plugin and not robust enough.

    $domain = $wpdb->escape( $_POST[ 'domain' ] );
    if ( $domain == '' ) {
            wp_die( "You must enter a domain" );
    }
    if( null == $wpdb->get_row( "SELECT blog_id FROM {$wpdb->blogs} WHERE domain = ...
    && null == $wpdb->get_row( "SELECT blog_id FROM {$wpdb->dmtable} WHERE domain = ...'

    So a user can enter high ascii characters, unicode, leading dots, trailing dots, ip addresses, “localhost” and a whole bunch of other questionable entries that may cause undesired behavior.

    It would probably be a good idea to test if the domain entered

    1. is not an ip
    2. is dotted (not dotless or localhost)
    3. doesn’t contain the domain of the multisite home network
    4. actually has an rdns A record or CNAME
    5. that rdns resolves to the current network ip

    Plugin Author Ron Rennick

    (@wpmuguru)

    So a user can enter high ascii characters, unicode, leading dots, trailing dots, ip addresses, “localhost” and a whole bunch of other questionable entries that may cause undesired behavior.

    Agreed – however that does not make it a security issue.

    How about adding some filters so that _ck_ can add those checks if they so choose?

    This is absolutely a security issue. Let us consider this scenario. Site-A gets 50,000 unique hits a day. User-B makes Site-B and maps Site-A’s domain and then plasters spam, porn, and affiliate crap everywhere. Site-A’s domain name has been compromised in this scenario. Let’s also imagine you fix that one scenario. User-B maps a subdomain of Site-A on his blog and now has http://free.Site-A.com pointing to his blog. In both cases Site-A’s domain name has been compromised by an unauthorized user.

    If you think one user jacking another user’s domain name is not a security issue, I think you need to think again.

    This plugin desperately needs the following:

    1.) Check to see if domain is mapped elsewhere.
    2.) Have a back end option checkbox that allows super admins to approve domain mappings that are submitted by a user.
    3.) A checkbox in the back end that allows or disallows users to map SUBDOMAINS of an already mapped domain, i.e. if UserA only has http://SiteA.com mapped then UserB cannot map http://www.SiteA.com
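
The checks proposed in this thread (not an IP, dotted, not under the network domain, resolves to the network IP, not equal to or under an already mapped domain), sketched as one validation function in plain PHP. This is an added example, not the plugin's code and not part of any reply; the function names, the sample domains and the injected resolver are assumptions made for illustration.

```php
<?php
// Added example; function names and sample data are constructed, not the plugin's.

// True when $host is $parent itself or any subdomain of it (label-boundary match).
function dm_same_or_subdomain(string $host, string $parent): bool {
    $suffix = '.' . $parent;
    return $host === $parent || substr($host, -strlen($suffix)) === $suffix;
}

// Returns null when the domain may be mapped, otherwise the reason it is rejected.
function dm_reject_reason(string $input, string $network, array $mapped,
                          callable $resolve, array $networkIps): ?string {
    $d = strtolower(trim($input));
    if (filter_var($d, FILTER_VALIDATE_IP) !== false) {
        return 'IP address';
    }
    // ASCII letters, digits and hyphens only; at least two labels; no leading or
    // trailing dot; last label starts with a letter (rejects localhost, 10.0.0.1).
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $re = '/^(?=.{1,253}$)(?:' . $label . '\.)+[a-z](?:[a-z0-9-]{0,61}[a-z0-9])?$/D';
    if (!preg_match($re, $d)) {
        return 'not a dotted ASCII hostname';
    }
    // The network's own domain and every mapped domain are off limits, subdomains included.
    foreach (array_merge([$network], $mapped) as $owned) {
        if (dm_same_or_subdomain($d, strtolower($owned))) {
            return "equal to or under $owned";
        }
    }
    $ips = $resolve($d); // a real resolver such as 'gethostbynamel' can be passed here
    if (!$ips) {
        return 'does not resolve';
    }
    if (array_diff($ips, $networkIps)) {
        return 'resolves outside the network';
    }
    return null;
}

// Constructed sample data: an offline DNS table standing in for real lookups.
$dns = ['blog.customer.example' => ['203.0.113.10'], 'elsewhere.example' => ['198.51.100.7']];
$resolve = fn(string $h) => $dns[$h] ?? false;
$tests = ['news.network.example', 'www.sitea.example', '127.0.0.1', 'localhost',
          '.customer.example', 'customer.example.', "caf\u{e9}.example",
          'elsewhere.example', 'nodns.example', 'blog.customer.example'];
foreach ($tests as $t) {
    $why = dm_reject_reason($t, 'network.example', ['sitea.example'], $resolve, ['203.0.113.10']);
    printf("%-24s %s\n", $t, $why === null ? 'accepted' : "rejected: $why");
}
```

Only `blog.customer.example` is accepted. The ownership check has to run before the DNS check, because a subdomain of the network or of another user's mapped domain will typically already resolve to the network's IP.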

  • The topic ‘security issue with allowing users to map their own domains’ is closed to new replies.