Are there any security vulnerabilities in this PHP code?

I want to know whether there are any security vulnerabilities in this code:

<?php
/*
    Plugin Name: Dashboard Switcher
    Plugin URI: http://wordpress.org/extend/plugins/dashboard-switcher/
    Description: Adds a dropdown list of the sites with every site owned in a network to quickly switch between them.
    Version: 0.1
    Author: Ezequiel Livinsky
    Author URI: http://livindev.com.ar
*/
    add_action('in_admin_header', 'own_favorite_actions');
    function own_favorite_actions() {
        if(!is_super_admin()) return;
        global $wpdb, $current_blog;
        $blogs = $wpdb->get_results("SELECT domain FROM $wpdb->blogs WHERE blog_id <> $current_blog->blog_id", ARRAY_A);
        $actions = array();
        foreach($blogs as $row){
            $url = 'http://'.$row['domain'].$_SERVER['REQUEST_URI'];
            $actions[$url] = $row['domain'];
        }
        $first = array_keys($actions);
        $first = $first[0];
        echo '<div id="favorite-actions">';
        echo '<div id="favorite-first"><a href="' . $first . '">' . $actions[$first] . '</a></div><div id="favorite-toggle"><br /></div>';
        echo '<div id="favorite-inside">';
        foreach ( $actions as $action => $label) {
            echo "<div class='favorite-action'><a href='$action'>";
            echo $label;
            echo "</a></div>\n";
        }
        echo "</div></div>\n";
    }
?>

Yes, $_SERVER['REQUEST_URI'] is output without any processing (i.e. htmlspecialchars) via $action and $first, so it presents an XSS (cross-site scripting) vulnerability.

For example: /index.php?foo="><script>alert("hi!");</script><" would be output as <a href="/index.php?foo="><script>alert("hi!");</script><">label</a>, allowing an attacker to hand out a URL that runs JavaScript from your domain.

In practice, magic_quotes_gpc may mitigate this, but it is still a noteworthy vulnerability that should be fixed.
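The fix the answer asks for, written out as an added example rather than code from the question or the plugin: the same link loop with every request-derived value escaped before it is echoed. The function names switcher_link and switcher_markup and the sample domains are assumptions, and escaping the domain label as well goes slightly beyond what the answer discusses.

```php
<?php
// Added example, not the plugin's code: build the switcher links so that
// request-derived data is escaped before it lands in HTML.

/**
 * Return one "favorite-action" entry for $domain.
 * $requestUri is the raw $_SERVER['REQUEST_URI'] and is treated as untrusted.
 */
function switcher_link(string $domain, string $requestUri): string
{
    // The scheme and host are fixed by the caller, so the request URI can only
    // contribute the path/query part; it still must not break out of the attribute.
    $url = 'http://' . $domain . $requestUri;

    // ENT_QUOTES matters: the original markup uses a single-quoted href='...',
    // and htmlspecialchars() without ENT_QUOTES leaves ' untouched on PHP < 8.1.
    // (Inside WordPress, esc_url() and esc_html() are the usual equivalents.)
    $safeUrl   = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safeLabel = htmlspecialchars($domain, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return "<div class='favorite-action'><a href='$safeUrl'>$safeLabel</a></div>\n";
}

/** Render the whole dropdown body for a list of domains. */
function switcher_markup(array $domains, string $requestUri): string
{
    $html = '';
    foreach ($domains as $domain) {
        $html .= switcher_link($domain, $requestUri);
    }
    return $html;
}

// Constructed sample input: the probe URI quoted in the answer, against two
// hypothetical network sites. The output contains &quot; &gt; &lt; in place of
// the raw characters, so the browser sees one attribute value and no new tag.
$probe = '/index.php?foo="><script>alert("hi!");</script><"';
echo switcher_markup(['site-a.example', 'site-b.example'], $probe);
```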