- A+
所属分类:Other
wordpress /wp-includes/http.php文件中的wp_http_validate_url函数对输入IP验证不当,导致黑客可构造类似于012.10.10.10这样的畸形IP绕过验证,进行SSRF。
修复方法:(http.php为修复后的)
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 |
$ diff http.php.2018-07-23 http.php 533c533 < $same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] ); --- > if ( isset( $parsed_home['host'] ) ) { $same_host = ( strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] ) || 'localhost' === strtolower( $parsed_url['host'] ) ); } else { $same_host = false; } ; 549c549 < if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0] --- > if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0] || 0 === $parts[0] #if ( preg_match( '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host ) ) { if ( preg_match('#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d|0+\d+)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host) ) { $ip = $host; } |
|
0 1 2 3 4 5 6 7 8 |
# diff http.php http.php.bk 533c533 < if ( isset( $parsed_home['host'] ) ) { $same_host = ( strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] ) || 'localhost' === strtolower( $parsed_url['host'] ) ); } else { $same_host = false; } ; --- > $same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] ); 550c550 < if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0] || 0 === $parts[0] --- > if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0] |
