I want to know whether there are any security vulnerabilities in this code:
    <?php
    /*
    Plugin Name: Dashboard Switcher
    Plugin URI: http://wordpress.org/extend/plugins/dashboard-switcher/
    Description: Adds a dropdown list of the sites with every site owned in a network to quickly switch between them.
    Version: 0.1
    Author: Ezequiel Livinsky
    Author URI: http://livindev.com.ar
    */
    add_action('in_admin_header', 'own_favorite_actions');

    function own_favorite_actions() {
        // Only network super admins get the switcher.
        if (!is_super_admin()) return;

        global $wpdb, $current_blog;

        // Every other blog in the network, by domain.
        $blogs = $wpdb->get_results("SELECT domain FROM $wpdb->blogs WHERE blog_id <> $current_blog->blog_id", ARRAY_A);

        // Map each target URL (same request path on the other domain) to its label.
        $actions = array();
        foreach ($blogs as $row) {
            $url = 'http://' . $row['domain'] . $_SERVER['REQUEST_URI'];
            $actions[$url] = $row['domain'];
        }

        $first = array_keys($actions);
        $first = $first[0];

        echo '<div id="favorite-actions">';
        echo '<div id="favorite-first"><a href="' . $first . '">' . $actions[$first] . '</a></div><div id="favorite-toggle"><br /></div>';
        echo '<div id="favorite-inside">';
        foreach ($actions as $action => $label) {
            echo "<div class='favorite-action'><a href='$action'>";
            echo $label;
            echo "</a></div>\n";
        }
        echo "</div></div>\n";
    }
    ?>
Answer (score: 8):
Yes. $_SERVER['REQUEST_URI'] is output via $action and $first without any sanitization (i.e. htmlspecialchars), so it provides an XSS (cross-site scripting) vulnerability.

For example, /index.php?foo="><script>alert("hi!");</script><" will be output as <a href="/index.php?foo="><script>alert("hi!");</script><">label</a>, allowing an attacker to supply a URL that runs JavaScript from your domain.

This may be mitigated in practice by magic_quotes_gpc, but it is still a notable vulnerability that should be fixed.
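As an added example (not code from the question or the plugin), here is the link-building loop rendered both as posted and with the URL and label escaped for the HTML attribute context via htmlspecialchars; in a WordPress runtime, esc_url and esc_html serve the same purpose. The domain list is constructed sample data, the REQUEST_URI value is the payload from the answer, and contains_script_tag is a hypothetical helper used as the review check.

```php
<?php
// Added example, not part of the original plugin: the question's link markup
// rendered twice, once as posted (unescaped) and once escaped per HTML context.

// Mirrors the double-quoted attribute form of the plugin's first link:
// the URL and label go straight into the markup.
function render_link_unsafe(string $url, string $label): string {
    return '<div class="favorite-action"><a href="' . $url . '">' . $label . '</a></div>';
}

// Hardened form: ENT_QUOTES escapes both " and ', so the value cannot
// terminate the attribute whichever quoting style wraps it.
function render_link_safe(string $url, string $label): string {
    $safe_url   = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    $safe_label = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    return '<div class="favorite-action"><a href="' . $safe_url . '">' . $safe_label . '</a></div>';
}

// Same loop as the plugin, parameterised so it runs without WordPress.
function build_switcher(array $domains, string $request_uri, bool $safe): string {
    $html = '';
    foreach ($domains as $domain) {
        $url   = 'http://' . $domain . $request_uri;
        $html .= ($safe ? render_link_safe($url, $domain) : render_link_unsafe($url, $domain)) . "\n";
    }
    return $html;
}

// Review check (hypothetical helper): does a raw <script> tag survive into the markup?
function contains_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

$domains     = ['site-a.example', 'site-b.example'];                   // constructed sample data
$request_uri = '/index.php?foo="><script>alert("hi!");</script><"';    // payload from the answer

$unsafe = build_switcher($domains, $request_uri, false);
$safe   = build_switcher($domains, $request_uri, true);

echo "unsafe:\n" . $unsafe;
echo "safe:\n" . $safe;
var_dump(contains_script_tag($unsafe));
var_dump(contains_script_tag($safe));
```

In the escaped output the payload's quotes and angle brackets appear as entities inside the href, so the browser treats the whole value as a URL rather than as markup.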