I would like to know if there are any security vulnerabilities in this code:
<?php
/*
Plugin Name: Dashboard Switcher
Plugin URI: http://wordpress.org/extend/plugins/dashboard-switcher/
Description: Adds a dropdown list of the sites with every site owned in a network to quickly switch between them.
Version: 0.1
Author: Ezequiel Livinsky
Author URI: http://livindev.com.ar
*/
add_action('in_admin_header', 'own_favorite_actions');
function own_favorite_actions() {
    if(!is_super_admin()) return;
    global $wpdb, $current_blog;
    // Every other site in the network (blog_id comes from the database, not the request)
    $blogs = $wpdb->get_results("SELECT domain FROM $wpdb->blogs WHERE blog_id <> $current_blog->blog_id", ARRAY_A);
    $actions = array();
    foreach($blogs as $row){
        // Same path and query string on the other site's domain
        $url = 'http://'.$row['domain'].$_SERVER['REQUEST_URI'];
        $actions[$url] = $row['domain'];
    }
    // Nothing to switch to when this is the only site in the network
    if(empty($actions)) return;
    $first = array_keys($actions);
    $first = $first[0];
    echo '<div id="favorite-actions">';
    echo '<div id="favorite-first"><a href="' . $first . '">' . $actions[$first] . '</a></div><div id="favorite-toggle"><br /></div>';
    echo '<div id="favorite-inside">';
    foreach ( $actions as $action => $label) {
        echo "<div class='favorite-action'><a href='$action'>";
        echo $label;
        echo "</a></div>\n";
    }
    echo "</div></div>\n";
}
?>
Yes,
$_SERVER['REQUEST_URI'] is output without any sanitization (i.e. htmlspecialchars) via $action and $first, so it provides an XSS (cross-site scripting) vulnerability. For example,
/index.php?foo="><script>alert("hi!");</script><"
would be output as
<a href="/index.php?foo="><script>alert("hi!");</script><">label</a>
which allows an attacker to give out a URL which runs JavaScript from your domain. This might be mitigated in practice by magic_quotes_gpc, but it's still a notable vulnerability which should be fixed.
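The sink described in the answer, shown beside a hardened version, as an added example that is not part of the original plugin or the answer. The two functions, their names, and the sample domains and payload are constructed for illustration; the plugin's own link-building code is the loop in the question. The hardened version builds the link from the parsed path and query of REQUEST_URI and escapes both the URL and the label at the point they enter the HTML; inside WordPress you would reach for esc_url() and esc_html() instead of htmlspecialchars().

```php
<?php
// Added example (not the plugin's code): reflected XSS sink from the question
// next to a hardened replacement.

// Mirrors the plugin: the current request's path and query string are concatenated
// onto each domain and written straight into an href attribute.
function build_switcher_links_vulnerable(array $domains, string $request_uri): string {
    $html = '';
    foreach ($domains as $domain) {
        $url = 'http://' . $domain . $request_uri;   // attacker-controlled, reflected verbatim
        $html .= "<div class='favorite-action'><a href=\"$url\">$domain</a></div>\n";
    }
    return $html;
}

// Hardened: keep only a path and query from REQUEST_URI, then HTML-escape every
// value before it lands in markup. The domain comes from the database, so it is
// escaped as untrusted output as well.
function build_switcher_links_hardened(array $domains, string $request_uri): string {
    $parts = parse_url($request_uri);
    if ($parts === false) {
        return '';                                  // seriously malformed; render nothing
    }
    $path  = $parts['path'] ?? '/';
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';

    $html = '';
    foreach ($domains as $domain) {
        $url        = 'http://' . $domain . $path . $query;
        // ENT_QUOTES escapes both ' and ", so the result is safe in either quoting style
        $safe_url   = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $safe_label = htmlspecialchars($domain, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<div class='favorite-action'><a href=\"$safe_url\">$safe_label</a></div>\n";
    }
    return $html;
}

// Constructed sample input: two hypothetical network sites and the answer's payload.
$domains = ['blog2.example.test', 'blog3.example.test'];
$payload = '/index.php?foo="><script>alert("hi!");</script><"';

echo "--- vulnerable ---\n", build_switcher_links_vulnerable($domains, $payload);
echo "--- hardened ---\n",   build_switcher_links_hardened($domains, $payload);
```

Running this prints the vulnerable output with the script tag sitting live inside the page, while the hardened output carries it as `&quot;&gt;&lt;script&gt;...` inside the attribute. Two caveats worth keeping in mind: the plugin mixes double-quoted and single-quoted href attributes, so a fix that only escapes one quote character leaves the other link open, which is why the example uses ENT_QUOTES; and magic_quotes_gpc only ever added backslashes to GET, POST and cookie data, never to $_SERVER, and was removed in PHP 5.4, so escaping at the output point is the only reliable fix.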