2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended. The first problem is an XSS vulnerability in Press This. The second problem is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations.
Curious what changed in the PHP source code? Let's walk through the details of the WordPress 2.8.6 security release together.
Compared with version 2.8.5, the WordPress 2.8.6 security release installation package contains 8 updated files:
- /readme.html
- /wp-admin/press-this.php
- /wp-content/plugins/akismet/akismet.php
- /wp-content/plugins/akismet/akismet.readme.txt
- /wp-includes/formatting.php
- /wp-includes/functions.php
- /wp-includes/js/swfupload/plugins/swfupload.speed.js
- /wp-includes/version.php
readme.html – only the WordPress version number was changed in this file, from 2.8.5 to 2.8.6.
press-this.php – the first change is at lines 93 and 94. Here is the 2.8.5 code:
```php
$title = isset($_GET['t']) ? esc_html(aposfix(stripslashes($_GET['t']))) : '';
$selection = isset($_GET['s']) ? trim( aposfix( stripslashes($_GET['s']) ) ) : '';
```
and the 2.8.6 code:
```php
$title = isset( $_GET['t'] ) ? trim( strip_tags( aposfix( stripslashes( $_GET['t'] ) ) ) ) : '';
$selection = isset( $_GET['s'] ) ? trim( htmlspecialchars( html_entity_decode( aposfix( stripslashes( $_GET['s'] ) ) ) ) ) : '';
```
As you can see, the code is more secure here:
– esc_html() was changed to strip_tags() for the $title value;
– the htmlspecialchars() and html_entity_decode() functions were added for the $selection value.
The second change is at line 120 of the press-this.php file. The 2.8.5 version:
```php
<textarea name="embed-code" id="embed-code" rows="8" cols="40"><?php echo format_to_edit($selection, true); ?></textarea>
```
The 2.8.6 version:
```php
<textarea name="embed-code" id="embed-code" rows="8" cols="40"><?php echo wp_htmledit_pre( $selection ); ?></textarea>
```
Thus the format_to_edit() call was replaced with the wp_htmledit_pre() function here.
The last press-this.php change is at lines 551 and 552. Version 2.8.5 was:
```php
<?php if ($selection) echo wp_richedit_pre(htmlspecialchars_decode($selection)); ?>
<?php if ($url) { echo '<p>'; if($selection) _e('via '); echo "<a href='$url'>$title</a>."; echo '</p>'; } ?>
```
Version 2.8.6 became:
```php
<?php if ($selection) echo wp_richedit_pre( $selection ); ?>
<?php if ($url) { echo '<p>'; if($selection) _e('via '); printf( "<a href='%s'>%s</a>.", esc_url( $url ), esc_html( $title ) ); echo '</p>'; } ?>
```
The $url and $title values are now escaped there with the esc_url() and esc_html() functions.
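The input handling for the two Press This parameters, before and after, can be compared outside WordPress with the added example below (not code from the release). It assumes aposfix() can be left out and approximates esc_html() with a hypothetical esc_html_standin(); the function names and sample values are constructed.

```php
<?php
// Added example: 2.8.5 vs 2.8.6 handling of the Press This 't' and 's'
// parameters, run on constructed values. aposfix() (a WordPress helper) is
// omitted; esc_html_standin() is an assumed approximation of esc_html().
function esc_html_standin($text) {
    // Encode HTML special characters without re-encoding existing entities.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

// 't' parameter (title): escaped on input in 2.8.5, tag-stripped in 2.8.6.
function title_285($t) { return esc_html_standin(stripslashes($t)); }
function title_286($t) { return trim(strip_tags(stripslashes($t))); }

// 's' parameter (selection): kept raw in 2.8.5, decoded then encoded in 2.8.6.
function selection_285($s) { return trim(stripslashes($s)); }
function selection_286($s) {
    return trim(htmlspecialchars(html_entity_decode(stripslashes($s))));
}

// Constructed inputs: raw markup, the same markup already entity-encoded,
// and plain text containing characters that are special in HTML.
$samples = array(
    '<script>alert(1)</script>Title',
    '&lt;script&gt;alert(1)&lt;/script&gt;Title',
    'Fish & "Chips" <b>menu</b>',
);

foreach ($samples as $in) {
    echo "input          : $in\n";
    echo "title 2.8.5    : " . title_285($in) . "\n";
    echo "title 2.8.6    : " . title_286($in) . "\n";
    echo "  when echoed  : " . esc_html_standin(title_286($in)) . "\n";
    echo "selection 2.8.5: " . selection_285($in) . "\n";
    echo "selection 2.8.6: " . selection_286($in) . "\n\n";
}
```

The 2.8.6 selection comes out entity-encoded once whether it arrived raw or already encoded, and the tag-stripped title still carries `&` and `"` until it is escaped where it is echoed.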
akismet/readme.txt – comparing the Akismet plugin's readme.txt from version 2.8.5 with the one included in 2.8.6 shows that:
– New contributor automattic was added;
– The plugin is now tested up to WP version 2.8.5;
– The version number has not changed. It is still 2.2.7, but some change log items were added for it:
* Reduce the possibility of over-counting spam when another spam filter plugin is in use;
* Disable the connectivity check when the API key is hard-coded for WPMU.
I do not show the akismet.php source code changes here, as that is plugin territory rather than core WP code.
formatting.php – in this file the function sanitize_file_name() was changed. Compare the code from line 607. Version 2.8.5:
```php
$filename = trim($filename, '.-_');
return apply_filters('sanitize_file_name', $filename, $filename_raw);
```
Version 2.8.6:
```php
$filename = trim($filename, '.-_');

// Split the filename into a base and extension[s]
$parts = explode('.', $filename);

// Return if only one extension
if ( count($parts) <= 2 )
    return apply_filters('sanitize_file_name', $filename, $filename_raw);

// Process multiple extensions
$filename = array_shift($parts);
$extension = array_pop($parts);
$mimes = get_allowed_mime_types();

// Loop over any intermediate extensions. Munge them with a trailing underscore if they are a 2 - 5 character
// long alpha string not in the extension whitelist.
foreach ( (array) $parts as $part) {
    $filename .= '.' . $part;

    if ( preg_match("/^[a-zA-Z]{2,5}\d?$/", $part) ) {
        $allowed = false;
        foreach ( $mimes as $ext_preg => $mime_match ) {
            $ext_preg = '!(^' . $ext_preg . ')$!i';
            if ( preg_match( $ext_preg, $part ) ) {
                $allowed = true;
                break;
            }
        }
        if ( !$allowed )
            $filename .= '_';
    }
}
$filename .= '.' . $extension;

return apply_filters('sanitize_file_name', $filename, $filename_raw);
```
This code makes clear what kind of uploaded-file-name vulnerability the short official WP 2.8.6 security release description refers to. It is specially built file names with multiple extensions, e.g. image.jpg.php, I think. That vulnerability thus allowed an attacker to upload a malicious PHP script to the attacked site and then execute it.
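The new rule only affects names sanitized from now on, so files uploaded before the upgrade keep the names they were stored under. The added example below (not WordPress code) applies the same intermediate-extension test to existing names so they can be reviewed; the function name, the allow-list subset and the sample names are constructed for illustration.

```php
<?php
// Added example (not WordPress code): list intermediate extensions that the
// 2.8.6 rule would munge. $allowed is a constructed subset in the same
// 'ext|ext' => mime shape that the page's loop iterates over.
$allowed = array(
    'jpg|jpeg|jpe' => 'image/jpeg',
    'png'          => 'image/png',
    'gif'          => 'image/gif',
    'pdf'          => 'application/pdf',
    'tar'          => 'application/x-tar',
    'gz|gzip'      => 'application/x-gzip',
);

// Return the intermediate extensions of $name that fit the 2.8.6 pattern
// (2-5 letters plus an optional digit) and are missing from the allow-list.
function unlisted_inner_extensions($name, array $allowed) {
    $parts = explode('.', trim($name, '.-_'));
    if (count($parts) <= 2) {
        return array();        // at most one extension: nothing in between
    }
    array_shift($parts);       // drop the base name
    array_pop($parts);         // drop the final extension
    $hits = array();
    foreach ($parts as $part) {
        if (!preg_match('/^[a-zA-Z]{2,5}\d?$/', $part)) {
            continue;          // the rule ignores parts of any other shape
        }
        $listed = false;
        foreach (array_keys($allowed) as $ext_preg) {
            // Anchored on both sides of the whole alternation.
            if (preg_match('!^(' . $ext_preg . ')$!i', $part)) {
                $listed = true;
                break;
            }
        }
        if (!$listed) {
            $hits[] = $part;
        }
    }
    return $hits;
}

// Constructed sample names; in practice feed in a listing of the uploads directory.
$names = array('holiday.jpg', 'backup.tar.gz', 'report.php.pdf',
               'notes.v2.final.png', 'logo.PhP5.gif');
foreach ($names as $name) {
    $hits = unlisted_inner_extensions($name, $allowed);
    printf("%-20s %s\n", $name, $hits ? 'REVIEW .' . implode(' .', $hits) : 'ok');
}
```

Names such as notes.v2.final.png are flagged as well, because the rule keys on the shape of the part and its absence from the allow-list, not on whether the extension is executable.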
functions.php – first, the function wp_check_filetype() was changed at line 2228. The code defining the list of allowed mime types and file extensions was moved into a separate function, get_allowed_mime_types(), which is used in the sanitize_file_name() function from formatting.php mentioned above.
swfupload.speed.js – no code changes were found; the difference is only in the text formatting.
version.php – only the value of the $wp_version variable was changed, from 2.8.5 to 2.8.6.
Finally, this update reminds all of us PHP web developers once again that we need to pay more attention to building secure code. If we process any user input, we MUST make that content as safe as possible before storing it in the web site database or file system.