• I found that when I have a link to my blog, e.g.:

    https://www.example.com/blog/?https://some-other-site.com

    anything after the question mark is accepted and will lead to the blog’s front page. In fact, it appears that any link of the form:

    https://example.com/blog/?p=1234?anything-at-all

    the text after the final question mark is ignored, and the link simply brings you to the page referred to by p=1234.

    I find this behavior puzzling and mildly unsettling. It looks like it’s a bug that silently tries to “do the right thing” and ignore meaningless text, if the first part of the link is OK. Is that a good idea?

    Second, I found several such links in my log files, where the part after the question mark pointed to another Website.

    Does anyone have any insight into this, and should I be concerned? Thanks.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Why wouldn’t this behavior be a good idea? The purpose of ? in your url is to pass a query. But the query must specify something — either a defined key or key=value pairing recognized by the underlying software run on your site. Otherwise it’s useless and (typically should be) ignored by it. So this:

    ?https://some-other-site.com

    is pretty meaningless to a WordPress site, unlike:

    ?p=1234

    Also note with:

    ?p=1234?anything-at-all

    the second query component: ?anything-at-all, would be ignored as it’s invalid. A normal query with one or more additional key/key=value pairs would use the & operator.

    Thread Starter baruch60610

    (@baruch60610)

    Just because I can’t think of a way to exploit this quirk, doesn’t mean someone else couldn’t do it.

    How difficult would it be to give an error when the query is invalid, instead of ignoring it? And would it be worth the effort? I don’t know the answers to these questions.

    In general, however, it seems that many exploits *have* been possible as a result of seemingly innocent quirks. And I am getting really bizarre “queries” involving highly specific addresses that make me wonder whether there is something other than a chance error of some sort.

    Just because I can’t think of a way to exploit this quirk, doesn’t mean someone else couldn’t do it.

    Couldn’t you say that about… well, almost anything?

    How difficult would it be to give an error when the query is invalid, instead of ignoring it?

    Note you originally brought up invalid queries that are invalid not because they are broken or misused, but because WordPress will not recognize them. I can pass:

    ?funk=wagnalls

    as a string suffixed to my site’s url. This is just a ‘get’ query waiting for something to parse it and understand it, and unless something does and can (which WordPress normally would not), it would be beyond difficult to make use of it for some sort of ‘exploit,’ or to pass some sort of error based on it.

    There’s nothing wrong with being concerned over areas of security leakage like this in WordPress, especially when passing query strings and the like, but keep in mind you can only break through a back door* that exists, not one that doesn’t.

    * And hopefully set off some alarms. :)
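The two points made in the replies above, that a query string is a list of key/value pairs in which only keys the site's software recognises mean anything, and that a second `?` is just a character inside the value of whichever pair it lands in, can be checked directly with a URL parser. The following is an added example, not code from the thread or from WordPress: it parses request targets out of constructed log lines, separates recognised parameters from unknown ones, flags queries whose key or value looks like a URL (the pattern the original poster saw in his logs), and mirrors the integer cast that turns `p=1234?anything-at-all` into post 1234. The set of known keys is a small constructed subset, the log lines are made up, and the assumption that WordPress takes the leading digits of `p` the way PHP's `intval` does is exactly that, an assumption used to reproduce the observed behaviour.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed subset of query keys a WordPress front end recognises; the real
# list of public query vars is much longer. Anything else is "unknown".
KNOWN_QUERY_KEYS = {"p", "page_id", "s", "cat", "tag", "feed", "paged"}

# Constructed sample access-log lines (Common Log Format); not the poster's logs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /blog/?https://some-other-site.example HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /blog/?p=1234?anything-at-all HTTP/1.1" 200 7331
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /blog/?p=1234&funk=wagnalls HTTP/1.1" 200 7331
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /blog/?s=hello HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
URL_LIKE = re.compile(r"^(?:https?:)?//", re.IGNORECASE)


def parse_query(target):
    """Split a request target the way any URL parser does: the query is
    everything after the FIRST '?', split on '&'. A later '?' is not a new
    query; it is part of the value it sits in. keep_blank_values keeps a
    bare key such as 'https://some-other-site.example' (no '=') visible."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def leading_int(value):
    """Assumed mirror of PHP's intval(): take the leading digits, else 0.
    '1234?anything-at-all' -> 1234, which is why that link still resolves."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def classify(target):
    """Return (recognised, unknown, url_like) for one request target."""
    params = parse_query(target)
    recognised = {k: v for k, v in params.items() if k in KNOWN_QUERY_KEYS}
    unknown = [k for k in params if k not in KNOWN_QUERY_KEYS]
    # A URL can appear as the key (bare '?https://...') or as a value.
    url_like = [k for k in unknown if URL_LIKE.match(k)]
    url_like += [k for k, vs in params.items() if any(URL_LIKE.match(v) for v in vs)]
    return recognised, unknown, url_like


def scan_log(text):
    """One finding per request line: which post id the site would resolve,
    which parameters it would ignore, and whether a URL was put in the query."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        recognised, unknown, url_like = classify(target)
        post_id = leading_int(recognised["p"][0]) if "p" in recognised else None
        findings.append({
            "target": target,
            "post_id": post_id,
            "unknown": unknown,
            "url_in_query": bool(url_like),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['target']:45} post_id={f['post_id']} "
              f"unknown={f['unknown']} url_in_query={f['url_in_query']}")
```

Run against the constructed log, the first line resolves to no post and carries a URL-shaped key the site has no use for, the second resolves to post 1234 despite the trailing `?anything-at-all`, and the third shows `funk=wagnalls` sitting harmlessly beside a valid `p`. Unknown parameters are worth counting in your own logs precisely because they are ignored by WordPress: a spike of URL-shaped keys from one client tells you someone is probing for a redirect or referrer behaviour your site does not have.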

  • The topic ‘Odd behavior – any security risks?’ is closed to new replies.