• Resolved dooh

    (@dooh)


    As I could not find any security report information, I will post this here

    A bug within phast.php allows an attacker to fetch remote URLs

    Example:

    /wp-content/plugins/phastpress/phast.php?service=scripts&src=https%3A%2F%2Fconnect.facebook.net%2Fen_US%2Fall.js%23xfbml%3D1%26version%3Dv2.3&cacheMarker=219322

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Albert Peschar

    (@kiboit)

    Hi @dooh,

    Thanks for your report.

    This is intended functionality. We use this to serve remote scripts with a longer cache duration. It will only serve certain whitelisted domains (such as https://connect.facebook.net) but not any URL.

    I do realize there is a potential XSS vulnerability if a whitelisted domain serves HTML and the browser sniffs the content type of the response. I will fix that.

    –Albert

    Plugin Author Albert Peschar

    (@kiboit)

    Hi @dooh,

    Although we use whitelists to prevent inclusion of arbitrary resources and they are served with a text/javascript or text/css MIME type which should not allow XSS attacks, I’ve added Content-Security-Policy and X-Content-Type-Options headers for additional security.

    This was added in version 1.28.

    Thanks for your report!

    –Albert
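The two controls described in the replies above (a host allowlist for the `src` parameter and response headers that stop a proxied body from being treated as HTML) are illustrated below. This is an added example written for this thread, not PhastPress code: the allowlist contents, the function names, and the exact CSP value are assumptions, and the real plugin's list of permitted hosts is not shown anywhere in the thread.

```php
<?php
// Added example (not PhastPress code): allowlist check for a script-proxy
// endpoint like phast.php?service=scripts&src=..., plus the response headers
// that keep a proxied body from being interpreted as an HTML document.

// Hypothetical allowlist; the plugin's real list is not given in the thread.
const ALLOWED_SCRIPT_HOSTS = ['connect.facebook.net'];

/**
 * True only if $url is an absolute https URL whose parsed host is exactly one
 * of the allowed hosts. Comparing the parsed host component (not doing a
 * substring search for the allowed name) is what makes this an allowlist.
 */
function is_allowed_remote_script(string $url, array $allowed_hosts = ALLOWED_SCRIPT_HOSTS): bool {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                      // relative, malformed or scheme-less
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return false;                      // only https, no other schemes
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                      // no userinfo in front of the host
    }
    return in_array(strtolower($parts['host']), $allowed_hosts, true);
}

/**
 * Headers for a proxied resource. $mime must be one of the types the endpoint
 * legitimately produces (the thread names text/javascript, text/css and
 * application/json). X-Content-Type-Options: nosniff stops browsers from
 * re-interpreting the body as HTML; the CSP (an assumed value) blocks script
 * execution even if a client renders the response as a document anyway.
 */
function proxied_resource_headers(string $mime): array {
    $allowed_mimes = ['text/javascript', 'text/css', 'application/json'];
    if (!in_array($mime, $allowed_mimes, true)) {
        throw new InvalidArgumentException("unexpected MIME type: $mime");
    }
    return [
        'Content-Type'            => $mime . '; charset=utf-8',
        'X-Content-Type-Options'  => 'nosniff',
        'Content-Security-Policy' => "default-src 'none'; sandbox",
        'Cache-Control'           => 'public, max-age=31536000, immutable',
    ];
}

// Constructed inputs showing what the check accepts and rejects:
//   https://connect.facebook.net/en_US/all.js#xfbml=1&version=v2.3  -> true (the URL from the report)
//   http://connect.facebook.net/en_US/all.js                        -> false (wrong scheme)
//   https://connect.facebook.net.example.test/all.js                -> false (host is not an exact match)
//   https://connect.facebook.net@example.test/all.js                -> false (userinfo present)
//   /wp-includes/js/jquery.js                                       -> false (not absolute)

// Request handling, roughly as an endpoint like this would use the helpers:
$src = $_GET['src'] ?? '';
if (!is_allowed_remote_script($src)) {
    http_response_code(403);
    exit;
}
foreach (proxied_resource_headers('text/javascript') as $name => $value) {
    header("$name: $value");
}
// ... fetch $src server-side, cache it for the longer duration, echo the body ...
```

The host comparison is exact and case-insensitive on the parsed `host` component only; anything that parse_url cannot decompose, or that carries a scheme other than https or a userinfo part, is rejected before any fetch happens.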

    On my domain it is served as application/json rather than text/javascript or text/css.

    Is it OK?

    Plugin Author Albert Peschar

    (@kiboit)

    Hi @iamkunaldesai,

    Yes, application/json is another possible content type for phast.php responses. So it’s OK.

    –Albert

    Plugin Author Albert Peschar

    (@kiboit)

    Also, thanks for your review, @iamkunaldesai.

  • The topic ‘phast.php used for remote fetch’ is closed to new replies.