PriMoThemes — now s2Member® (official notice)

This is now a very OLD forum system. It's in READ-ONLY mode.
All community interaction now occurs at WP Sharks™. See: new forums @ WP Sharks™

S2member shortcode security HOLE?

s2Member Plugin. A Membership plugin for WordPress®.

S2member shortcode security HOLE?

Postby DaveWP196 » December 1st, 2011, 4:36 am

I'm relatively new to s2Member and I can't seem to find a way to block somebody from creating a post which calls a s2member shortcode.

i.e. What is stopping an level1 member from creating a post with the following content?

[s2Get user_field="first_name" user_id="1"/]
[s2Get user_field="last_name" user_id="1"/]
[s2Get user_field="user_email" user_id="1"/]

i.e. getting information about another user/admin even though they are not an administrator?

Is there a standard way to block this type of post being created by a non-admin user?
User avatar
DaveWP196
Registered User
Registered User
 
Posts: 5
Joined: November 23, 2011

Re: S2member shortcode security HOLE?

Postby Jason Caldwell » December 2nd, 2011, 1:40 am

Thanks for the heads up on this thread.

If a User is going to be allowed to post content ( which is not something s2Member currently supports in a standard WordPress installation ), then the site owner would need to implement some additional filters of their own against any content being published by a Member, to prevent those Shortcodes from being possible. This is something that a site owner is responsible for, because currently s2Member does not support this. WordPress Roles associated with s2Member cannot edit|publish_posts. Any Shortcode starting with [s2 would be a potential security issue in this regard, if you decide to allow your Users/Members to publish content on your site.


That being said, it should also be noted that s2Member mutates itself on a Multisite Blog Farm installation. If a site owner is running a Multisite Blog Farm installation of s2Member, i.e. with define('MULTISITE_FARM, true);, the [s2If /] Conditionals are limited/restricted to only this subset of WordPress Conditional functions. Restricting Members operating a Child Blog within a Network.
"is_user_logged_in", "is_user_not_logged_in", "user_is", "user_is_not", "user_can", "user_cannot", "current_user_is", "current_user_is_not", "current_user_can", "current_user_cannot", "is_admin", "is_blog_admin", "is_user_admin", "is_network_admin", "is_404", "is_home", "is_front_page", "is_singular", "is_single", "is_page", "is_page_template", "is_attachment", "is_feed", "is_archive", "is_search", "is_category", "is_tax", "is_tag", "has_tag", "is_author", "is_date", "is_day", "is_month", "is_time", "is_year", "is_sticky", "is_paged", "is_preview", "is_comments_popup", "in_the_loop", "comments_open", "pings_open", "has_excerpt", "has_post_thumbnail"
So although it would still be possible to peek at specific User's permissions on the current blog in this case ( we'll be sure to address this in the next major release ), there IS at least, some additional security already in place for Multisite Blog Farms to cover more important vulnerabilities.

In addition to these limitations/restrictions on what Conditional functions can be used on a Multisite Blog Farm via the [s2If /] Conditional, s2Member will also NOT allow any function arguments that contain these characters on a Multisite Blog Farm installation ( or ), thereby preventing inner function calls as the arguments to Simple Conditionals, such as [s2If is_day(give_entire_site_fubar())]. This would NOT be possible on a Multisite Blog Farm, in current versions of s2Member.
~ Jason Caldwell / Lead Developer
& Zeitgeist Movie Advocate: http://www.zeitgeistmovie.com/

Is the s2Member plugin working for you? Please rate s2Member at WordPress.org.
You'll need a WordPress.org account ( comes in handy ). Then rate s2Member here Image
.
User avatar
Jason Caldwell
Lead Developer
Lead Developer
 
Posts: 4045
Joined: May 3, 2010
Location: Georgia / USA

Re: S2member shortcode security HOLE?

Postby DaveWP196 » December 7th, 2011, 4:16 pm

Thanks for the detailed very helpful response. I've added some functionality to my theme which post processes themes to de-sensitize any post with s2 code shortcode or php scripts by converting the [ and < characters to their ascii equivalents.

Code: Select all
function post_security_check($data,$postarr){
    if (!is_admin()){
        /*
         * Change the stored post so that it appears as typed, but will not invoke the s2member shortcodes
        */
        $i=0;$j=0;$k=0;
        $a=preg_replace('/\[s2/', '&#91;s2', $data['post_content'],-1,$i);
        $a=preg_replace('/\<\?php/', '&lt;&#63;php', $a,-1,$i);
        $a=preg_replace('/\?\>/', '&#63;&gt;', $a,-1,$i);
        $data['post_content']=preg_replace('/\[\/s2If/', '&#91;&#47;s2If',$a,-1,$j);
        if ($i+$j+$k>0){
            /*
             * Above logic has had to change a post so audit correction
            */
        }
    };
    return $data;
}
User avatar
DaveWP196
Registered User
Registered User
 
Posts: 5
Joined: November 23, 2011


Return to s2Member Plugin

Who is online

Users browsing this forum: Exabot [Bot] and 1 guest

cron