Odd behavior – any security risks?

baruch60610
(@baruch60610)

18 years, 4 months ago

I found that when I have a link to my blog, e.g.:

http://www.example.com/blog/?http://some-other-site.com

anything after the question mark is accepted and will lead to the blog’s front page. In fact, it appears that any link of the form:

http://example.com/blog/?p=1234?anything-at-all

the text after the final question mark is ignored, and the link simply brings you to the page referred to by p=1234.

I find this behavior puzzling and mildly unsettling. It looks like it’s a bug that silently tries to “do the right thing” and ignore meaningless text, if the first part of the link is OK. Is that a good idea?

Second, I found several such links in my log files, where the part after the question mark pointed to another Website.

Does anyone have any insight into this, and should I be concerned? Thanks.

Viewing 3 replies - 1 through 3 (of 3 total)

Kafkaesqui
(@kafkaesqui)

18 years, 4 months ago

Why wouldn’t this behavior be a good idea? The purpose of ? in your url is to pass a query. But the query must specify something — either a defined key or key=value pairing recognized by the underlying software run on your site. Otherwise it’s useless and (typically should be) ignored by it. So this:

?http://some-other-site.com

is pretty meaningless to a WordPress site, unlike:

?p=1234

Also note with:

?p=1234?anything-at-all

the second query component: ?anything-at-all, would be ignored as it’s invalid. A normal query with one or more additional key/key=value pairs would use the & operator.

Thread Starter baruch60610
(@baruch60610)

18 years, 4 months ago

Just because I can’t think of a way to exploit this quirk, doesn’t mean someone else couldn’t do it.

How difficult would it be to give an error when the query is invalid, instead of ignoring it? And would it be worth the effort? I don’t know the answers to these questions.

In general, however, it seems that many exploits *have* been possible as a result of seemingly innocent quirks. And I am getting really bizarre “queries” involving highly specific addresses that make me wonder whether there is something other than a chance error of some sort.

Kafkaesqui
(@kafkaesqui)

18 years, 4 months ago

“Just because I can’t think of a way to exploit this quirk, doesn’t mean someone else couldn’t do it.“

Couldn’t you say that about… well, almost anything?

“How difficult would it be to give an error when the query is invalid, instead of ignoring it?“

Note you originally brought up invalid queries that are invalid not because they are broken or misused, but because WordPress will not recognize them. I can pass:

?funk=wagnalls

as a string suffixed to my site’s url. This is just a ‘get’ query waiting for something to parse it and understand it, and unless something does and can (which WordPress normally would not), it would be beyond difficult to make use of it for some sort of ‘exploit,’ or to pass some sort of error based on it.

There’s nothing wrong with being concerned over areas of security leakage like this in WordPress, especially when passing query strings and the like, but keep in mind you can only break through a back door* that exists, not one that doesn’t.

* And hopefully set off some alarms. :)

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Odd behavior – any security risks?’ is closed to new replies.

Odd behavior – any security risks?

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics