Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSRF #33

Closed
technote-space opened this issue Jan 5, 2020 · 1 comment
Closed

CSRF #33

technote-space opened this issue Jan 5, 2020 · 1 comment

Comments

@technote-space
Copy link

technote-space commented Jan 5, 2020
edited
Loading

概要

CSRFの脆弱性が存在します。

再現手順

POSTツールでログイン状態のクッキーとともに /wp-admin/plugins.php?page=wsgsf_settings に POST
api_key=任意の文字列

期待する動作

無関係のページ等から更新されないこと

スクリーンショット

202001052349
202001052350

発生した環境

  • WP v5.3.2
  • Chrome v79.0.3945.88
  • WP Simple Spreadsheet Fetcher for Google v0.3.6

補足

add_submenu_page は権限のチェックはありますが送信元のチェック等はありません。

form に token を埋め込み更新前にチェックするようにします。

wp-simple-spreadsheet-fetcher-for-google/wp-simple-spreadsheet-fetcher-for-google.php

Lines 66 to 70 in 041cd62

$html .= '<form id="wp2s2fg_api_spreadsheetId_form" action="' . htmlspecialchars( $_SERVER["PHP_SELF"] . '?' . $_SERVER["QUERY_STRING"] ) . '" method="POST" >';
$html .= '<div class="wp2s2fg_api_spreadsheetId_form_label">' . __( "API Key : ", 'wp-simple-spreadsheet-fetcher-for-google' ) .'</div><input type="text" name="api_key" placeholder="API-Key" value="' . esc_html( $api_key ) . '" required />';
$html .= '<br>';
$html .= '<input type="submit" value="Set Configuration Info" />';
$html .= '</form >';

wp-simple-spreadsheet-fetcher-for-google/wp-simple-spreadsheet-fetcher-for-google.php

Lines 96 to 100 in 041cd62

public function render_settings() {
if ( isset( $_POST['api_key'] )) {
wp2s2fg_set_api_key( sanitize_text_field( $_POST['api_key'] ) );
}

もしくはSettings APIを使用します。
https://developer.wordpress.org/plugins/settings/settings-api/
https://nskw-style.com/2014/wordpress/settings-api.html
@naogify naogify mentioned this issue Jan 5, 2020
Merged
@naogify
Copy link
Owner

naogify commented Jan 5, 2020

ご指摘ありがとうございます!
バージョン0.3.7で下のように修正しました。

wp-simple-spreadsheet-fetcher-for-google/wp-simple-spreadsheet-fetcher-for-google.php

Lines 66 to 71 in 7f7405e

$html .= '<form id="wp2s2fg_api_spreadsheetId_form" action="' . htmlspecialchars( $_SERVER["PHP_SELF"] . '?' . $_SERVER["QUERY_STRING"] ) . '" method="POST" >';
$html .= '<div class="wp2s2fg_api_spreadsheetId_form_label">' . __( "API Key : ", 'wp-simple-spreadsheet-fetcher-for-google' ) .'</div><input type="text" name="api_key" placeholder="API-Key" value="' . esc_html( $api_key ) . '" required />';
$html .= '<br>';
$html .= '<input type="submit" value="Set Configuration Info" />';
$html .= wp_nonce_field( wp_create_nonce( __FILE__ ), 'wp-simple-spreadsheet-fetcher-for-google-nonce' );
$html .= '</form >';

wp-simple-spreadsheet-fetcher-for-google/wp-simple-spreadsheet-fetcher-for-google.php

Lines 97 to 101 in 7f7405e

public function render_settings() {
if ( ! empty( $_POST['api_key'] ) && check_admin_referer( wp_create_nonce( __FILE__ ), 'wp-simple-spreadsheet-fetcher-for-google-nonce' ) ) {
wp2s2fg_set_api_key( sanitize_text_field( $_POST['api_key'] ) );
}

@naogify naogify closed this as completed Jan 5, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@naogify @technote-space