Codebase list phpggc / a334346 gadgetchains / WordPress / generic / gadgets.php
a334346

Tree @a334346 (Download .tar.gz)

gadgets.php @a334346raw · history · blame 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
<?php

/*
	Some notes about how WordPress processes stuff, hopeful saving you some sanity when trying Gadgets.

	In the Front-end, when WordPress is loaded, all $_GET and $_POST
	are passed through add_magic_quotes() [1] which will then call addslashes() [2]. So if the payload is retrieved from
	$_GET/$_POST/$_REQUEST/get_query_var while WordPress is loaded, it will be escaped, leading to an Offset error when unserialized.
	This should be a rare case, as it would mean that the code of the plugin/theme would not even work with legitimate and harmless serialized data. Workarounds seen done by plugin/theme creators to avoid that: base64_decode()/stripslashes()/wp_unslash() the query var/s.

	[1] https://github.com/WordPress/WordPress/blob/52354f3f0b7f2b6e53d6ca3578942d5940f84048/wp-includes/load.php#L917
	[2] https://github.com/WordPress/WordPress/blob/643ec358a40faba739266f11c34990c142f02d98/wp-includes/functions.php#L1057
*/

/*
* Issue was introduced in 4.6 via "HTTP API: Replace internals with Requests library"
* See https://github.com/WordPress/WordPress/blob/6fd8080e7ee7599b36d4528f72a8ced612130b8c/wp-includes/Requests/Utility/FilteredIterator.php
* 
* On October 29th, 2020, WP 5.5.2 was relased, fixing the issue: https://www.wordfence.com/blog/2020/11/unpacking-the-wordpress-5-5-2-5-5-3-security-release/
*
* More details:
* Versions in 5.x branches have been fixed, at the exception of 5.0.x
*             4.x from 4.6 are still vulnerable.
*
* 5.5.x, fixed in 5.5.2
* 5.4.x, fixed in 5.4.3
* 5.3.x, fixed in 5.3.5
* 5.2.x, fixed in 5.2.8
* 5.1.x, fixed in 5.1.7
* 5.0.x still vulnerable (latest checked 5.0.11)
* 4.9.x still vulnerable (latest checked 4.9.16)
* 4.8.x still vulnerable (latest checked 4.8.15)
* 4.7.x still vulnerable (latest checked 4.7.19)
* 4.6.x still vulnerable (latest checked 4.6.20)
*/
class Requests_Utility_FilteredIterator extends ArrayIterator {
	protected $callback;

  	public function __construct($data, $callback) {
		parent::__construct($data);
		$this->callback = $callback;
  	}

  	/*
  	public function current() {
		$value = parent::current();
		$value = call_user_func($this->callback, $value);
		return $value;
	}
	*/
}