CSRF #33
Merged
Thank you for pointing this out!
wp-simple-spreadsheet-fetcher-for-google/wp-simple-spreadsheet-fetcher-for-google.php Lines 66 to 71 in 7f7405e
wp-simple-spreadsheet-fetcher-for-google/wp-simple-spreadsheet-fetcher-for-google.php Lines 97 to 101 in 7f7405e
Summary
A CSRF vulnerability exists.
Steps to reproduce
Using a POST tool, with the cookie of a logged-in session, send a POST request to
/wp-admin/plugins.php?page=wsgsf_settings
with the body api_key=<arbitrary string>.
Expected behavior
The setting should not be updatable from an unrelated page or similar.
Screenshots
Environment
Additional notes
add_submenu_page has a capability check, but there is no check of the request origin or the like.
Embed a token in the form and verify it before updating.
wp-simple-spreadsheet-fetcher-for-google/wp-simple-spreadsheet-fetcher-for-google.php
Lines 66 to 70 in 041cd62
wp-simple-spreadsheet-fetcher-for-google/wp-simple-spreadsheet-fetcher-for-google.php
Lines 96 to 100 in 041cd62
Alternatively, use the Settings API.
https://developer.wordpress.org/plugins/settings/settings-api/
https://nskw-style.com/2014/wordpress/settings-api.html
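The token-based fix suggested in the notes, written out as an added example for a settings page like the one reported (not the plugin's own code): the nonce emitted by wp_nonce_field() is verified by check_admin_referer() before update_option() runs. The option name wsgsf_api_key, the callback name and the menu labels are assumptions; the page slug wsgsf_settings and the api_key field come from the issue.

```php
<?php
// Added example: CSRF-hardened settings page. Assumed names: option
// 'wsgsf_api_key', callback wsgsf_render_settings_page(). The slug
// 'wsgsf_settings' under plugins.php matches the URL in the report.

add_action( 'admin_menu', function () {
    add_submenu_page(
        'plugins.php',
        'Spreadsheet Fetcher Settings',
        'Spreadsheet Fetcher',
        'manage_options',              // capability check (already present per the issue)
        'wsgsf_settings',
        'wsgsf_render_settings_page'
    );
} );

function wsgsf_render_settings_page() {
    // Re-check capability inside the callback (defence in depth).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ) );
    }

    if ( isset( $_POST['api_key'] ) ) {
        // Verifies the nonce field named 'wsgsf_nonce' for the action
        // 'wsgsf_save_settings' and dies if it is missing or invalid, so a
        // request forged from another origin never reaches update_option().
        check_admin_referer( 'wsgsf_save_settings', 'wsgsf_nonce' );

        $api_key = sanitize_text_field( wp_unslash( $_POST['api_key'] ) );
        update_option( 'wsgsf_api_key', $api_key );
        echo '<div class="notice notice-success"><p>Settings saved.</p></div>';
    }

    $current = get_option( 'wsgsf_api_key', '' );
    ?>
    <div class="wrap">
        <h1>Spreadsheet Fetcher Settings</h1>
        <form method="post" action="">
            <?php wp_nonce_field( 'wsgsf_save_settings', 'wsgsf_nonce' ); ?>
            <label for="api_key">API key</label>
            <input type="text" id="api_key" name="api_key" class="regular-text"
                   value="<?php echo esc_attr( $current ); ?>">
            <?php submit_button( 'Save' ); ?>
        </form>
    </div>
    <?php
}
```

Using register_setting() with the Settings API instead gives the same nonce check via options.php without hand-written POST handling.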