> 2008/11/7 Andrea De Iacovo <[EMAIL PROTECTED]>:
> > On Fri, 07/11/2008 at 15.36 -0600, Raphael Geissert wrote:
> >>
> >> You can also set cookies via javascript code, e.g.
> >> <script>document.cookie = "GLOBALS=1;domain=.domain.tld"; </script>
> >
> > ok that's true.
> >
> > So let's see what we have:
> > 1. $_REQUEST references are widely used in wordpress.
> > 2. the standard EGPCS makes cookies overwrite GET and POST values in
> > $_REQUEST
> > 3. such values are used in "dangerous" cases (such as user deletion or
> > logout after redirection).
> > 4. "grave" data loss (user, post, comments deletion) could be avoided
> > by not logging in as administrator (but only as a user with some
> > privileges)
>
> All fine, although 4 is more a social than a technical problem, as
> there is no way we can force users to do that (although I definitely
> agree that it is a way to mitigate many possible issues).

For sure I can mention something in the readme file with the next release.

> > 5. the issue is related to wordpress only and does not influence other
> > parts of the system
> > 6. we can try to prepare a workaround while we wait for an official fix from
> > upstream: maybe I could implement a function to check whether dangerous
> > cookies are present and stop any other operation until those cookies are
> > removed.
>
> You better not, that's how the GLOBALS DoS works.

I think I did not explain this well. GLOBALS DoS works because the application simply dies without explicit errors or something like that. I think I could do something like:

    // Check the incoming cookie jar for names that would shadow request
    // parameters through $_REQUEST and stop with an explicit message.
    function check_malicious_cookies() {
        $malicious = array("action", "GLOBALS", "ANYTHING_ELSE");
        foreach ($_COOKIE as $cname => $cvalue) {
            // Compare the cookie name against the list values, not their indexes.
            if (in_array($cname, $malicious, true)) {
                die("Malicious cookie detected. Please delete cookies for this host and come back");
            }
        }
    }

Obviously the code should have a better optimization, this was just an example.

Richard, the solution you suggested would make me modify the whole wordpress code. For such great changes I think it's better to work with upstream.

Thank you all.

Cheers.

Andrea
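The following is an added example, not code from this thread or from WordPress. It reproduces the mechanism the list is discussing without a web server: PHP fills $_REQUEST from the sources named in variables_order (EGPCS), and the sources are merged in that order, so with the default "GPC" a cookie named like a GET or POST parameter wins. The function and variable names (build_request, handle_vulnerable, handle_hardened, shadowed_keys) and the sample request are my own constructions; the vulnerable handler stands in for the "dangerous" $_REQUEST uses mentioned above, and the hardened one reads the action from the channel the form actually uses.

```php
<?php
// Added example (not from the thread or WordPress): simulate how PHP merges
// GET, POST and COOKIE data into $_REQUEST according to variables_order.

// Merge the sources in the given order; later sources overwrite earlier
// ones, which is exactly what PHP does when it builds $_REQUEST.
function build_request(array $get, array $post, array $cookie, $order = 'GPC')
{
    $sources = array('G' => $get, 'P' => $post, 'C' => $cookie);
    $request = array();
    foreach (str_split($order) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// Vulnerable pattern: a state-changing action keyed off $_REQUEST, so a
// planted cookie can turn a harmless GET into a deletion.
function handle_vulnerable(array $request)
{
    if (isset($request['action']) && $request['action'] === 'delete') {
        return 'deleted user ' . $request['user'];
    }
    return 'no-op';
}

// Hardened pattern: read the parameters from the channel the form really
// submits on (here POST). Cookies cannot reach this array at all.
function handle_hardened(array $post)
{
    if (isset($post['action']) && $post['action'] === 'delete') {
        return 'deleted user ' . $post['user'];
    }
    return 'no-op';
}

// Generic detection that needs no name blacklist: any cookie whose name
// also appears in GET or POST is shadowing that parameter in $_REQUEST.
function shadowed_keys(array $get, array $post, array $cookie)
{
    $params = array_keys($get + $post);
    return array_values(array_intersect(array_keys($cookie), $params));
}

// Constructed sample input: a legitimate GET to view profile 42, sent by a
// browser that carries a cookie planted earlier (e.g. via document.cookie
// from another page on the same domain).
$get    = array('action' => 'view', 'user' => '42');
$post   = array();
$cookie = array('action' => 'delete', 'user' => '1');

$request = build_request($get, $post, $cookie, 'GPC');
echo handle_vulnerable($request), "\n";        // deleted user 1
echo handle_hardened($post), "\n";             // no-op
echo implode(',', shadowed_keys($get, $post, $cookie)), "\n"; // action,user

// With request_order = "GP" (php.ini, PHP >= 5.3) cookies never reach
// $_REQUEST, so the same vulnerable handler becomes a no-op.
echo handle_vulnerable(build_request($get, $post, $cookie, 'GP')), "\n"; // no-op
```

Run it with `php example.php`. The last line shows the configuration-level fix: the request_order directive (PHP 5.3 and later) controls only what goes into $_REQUEST, so "GP" keeps $_COOKIE intact while removing cookies from $_REQUEST. On PHP 5.2, which is what this thread predates, the only knob is variables_order, and dropping C from it also stops $_COOKIE from being populated, which is why the thread looks at application-level workarounds instead. The shadowed_keys check is more robust than a fixed list of names, but either check only reduces the exposure; the real fix is the one Richard's suggestion points at, reading state-changing parameters from $_GET or $_POST explicitly.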