johngodley / redirection

Manage all your WordPress 301 redirects and monitor 404 errors
https://redirection.me
GNU General Public License v3.0

Security patch and Redirection Error #2321

Closed momosampaii closed 4 years ago

momosampaii commented 4 years ago

I'm using an old version of Redirection (2.7.3) and it works very well.

As you know, there is a security issue about it (injection) that was fixed in 2.8.

Link : https://advisories.dxw.com/advisories/ace-file-inclusion-redirection/

I tried to update to another version. I was searching for version 2.8 but I found version 3.2 (the closest version to the one installed on my platform), because the newest version has an incompatibility with some other plugins installed on my platform. When I installed version 3.2, my frontend pages and posts were redirected to the 404 page.

Right now I need just to fix the vulnerability issue, not to update the plugin to a new version.

Please, can you just tell me what I need to change in my installed version (2.7.3) to fix just the vulnerability?

Do you think that if I put the code of the pass.php file from version 3.2 into version 2.7.3 it will fix the vulnerability?

Thanks in advance and a lot for your support.

Below is the code of pass.php for the two versions:

The pass.php file in version 2.7.3

```php
<?php

class Pass_Action extends Red_Action {
    function process_before( $code, $target ) {
        // Determine what we are passing to:  local URL, remote URL, file
        if ( substr( $target, 0, 7 ) === 'http://' || substr( $target, 0, 8 ) === 'https://' ) {
            echo @wp_remote_fopen( $target );
            die();
        }
        else if ( substr( $target, 0, 7 ) === 'file://' ) {
            $parts = explode( '?', substr( $target, 7 ) );
            if ( count( $parts ) > 1 ) {
                // Put parameters into the environment
                $args = explode( '&', $parts[1] );

                if ( count( $args ) > 0 ) {
                    foreach ( $args as $arg ) {
                        $tmp = explode( '=', $arg );
                        if ( count( $tmp ) === 1 )
                            $_GET[ $arg ] = '';
                        else
                            $_GET[ $tmp[0] ] = $tmp[1];
                    }
                }
            }

            include( $parts[0] );
            exit();
        }
        else {
            $_SERVER['REQUEST_URI'] = $target;
            if ( strpos( $target, '?' ) ) {
                $_SERVER['QUERY_STRING'] = substr( $target, strpos( $target, '?' ) + 1 );
                parse_str( $_SERVER['QUERY_STRING'], $_GET );
            }
        }

        return true;
    }
}
```

The pass.php file in version 3.2

```php
<?php

class Pass_Action extends Red_Action {
    public function process_external( $url ) {
        echo @wp_remote_fopen( $url );
    }

    public function process_file( $url ) {
        $parts = explode( '?', substr( $url, 7 ) );

        if ( count( $parts ) > 1 ) {
            // Put parameters into the environment
            $args = explode( '&', $parts[1] );

            if ( count( $args ) > 0 ) {
                foreach ( $args as $arg ) {
                    $tmp = explode( '=', $arg );

                    if ( count( $tmp ) === 1 ) {
                        $_GET[ $arg ] = '';
                    } else {
                        $_GET[ $tmp[0] ] = $tmp[1];
                    }
                }
            }
        }

        @include $parts[0];
    }

    public function process_internal( $target ) {
        // Another URL on the server
        $_SERVER['REQUEST_URI'] = $target;

        if ( strpos( $target, '?' ) ) {
            $_SERVER['QUERY_STRING'] = substr( $target, strpos( $target, '?' ) + 1 );
            parse_str( $_SERVER['QUERY_STRING'], $_GET );
        }

        return true;
    }

    public function is_external( $target ) {
        return substr( $target, 0, 7 ) === 'http://' || substr( $target, 0, 8 ) === 'https://';
    }

    public function is_file( $target ) {
        return substr( $target, 0, 7 ) === 'file://';
    }

    public function process_before( $code, $target ) {
        // External target
        if ( $this->is_external( $target ) ) {
            $this->process_external( $target );
            exit();
        }

        // file:// target
        if ( $this->is_file( $target ) ) {
            if ( defined( 'REDIRECTION_SUPPORT_PASS_FILE' ) && REDIRECTION_SUPPORT_PASS_FILE ) {
                $this->process_file( $target );
                exit();
            }

            return;
        }

        return $this->process_internal( $target );
    }
}
```

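The two files above differ in one security-relevant way: 2.7.3 will `include()` any stored `file://` target, while 3.2 only does so when the `REDIRECTION_SUPPORT_PASS_FILE` constant is defined and true. As an added example (not part of the plugin or of this thread), the script below classifies stored pass-through targets with the same prefix tests as `Pass_Action` so an administrator can audit which rules on an old install would reach `include()` or `wp_remote_fopen()`; the `$sample` rules and the `audit_pass_targets()` helper are constructed for illustration.

```php
<?php
// Added example: audit Redirection "pass-through" targets for the code paths
// shown in pass.php. Assumes $targets is an array of target strings read from
// the plugin's redirect table (id => target); values below are constructed.

function classify_pass_target( string $target ): string {
    // Same prefix checks as Pass_Action::is_external() / is_file()
    if ( substr( $target, 0, 7 ) === 'http://' || substr( $target, 0, 8 ) === 'https://' ) {
        return 'external'; // body fetched server-side with wp_remote_fopen()
    }
    if ( substr( $target, 0, 7 ) === 'file://' ) {
        return 'file';     // include()d on 2.7.3; on 3.2 only with REDIRECTION_SUPPORT_PASS_FILE
    }
    return 'internal';     // only rewrites REQUEST_URI / QUERY_STRING
}

function audit_pass_targets( array $targets, bool $pass_file_enabled ): array {
    $findings = [];
    foreach ( $targets as $id => $target ) {
        $kind = classify_pass_target( $target );
        if ( $kind === 'file' ) {
            // Mirror pass.php: the part before '?' is what include() receives,
            // everything after it is split into $_GET
            $parts      = explode( '?', substr( $target, 7 ), 2 );
            $findings[] = [
                'id'       => $id,
                'kind'     => $kind,
                'included' => $parts[0],
                'query'    => $parts[1] ?? '',
                'active'   => $pass_file_enabled, // true on 2.7.3; false on 3.2 unless the constant is set
            ];
        } elseif ( $kind === 'external' ) {
            $findings[] = [ 'id' => $id, 'kind' => $kind, 'fetched' => $target, 'active' => true ];
        }
    }
    return $findings;
}

// Constructed sample rules: one internal, one external, one file:// pass-through
$sample = [
    12 => '/new-page/',
    13 => 'https://example.com/docs',
    14 => 'file:///var/www/legacy/report.php?mode=1',
];

// On 2.7.3 file pass-through is always on; on 3.2 it depends on the constant
$file_enabled = defined( 'REDIRECTION_SUPPORT_PASS_FILE' ) && REDIRECTION_SUPPORT_PASS_FILE;
foreach ( audit_pass_targets( $sample, $file_enabled ) as $finding ) {
    echo json_encode( $finding ), PHP_EOL;
}
```

Run it against a dump of the redirect table on the installed version; any `file` finding with `active` true is a rule that an admin-created redirect would turn into an `include()` of that path.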
johngodley commented 4 years ago

> When I installed version 3.2, my frontend pages and posts were redirected to the 404 page.

I don't think this is connected with the plugin and it is probably something else.

The security issue you are referring to requires an admin user. It does not allow non-admin users to do anything they can't already do.

I cannot tell what will happen if you update that file. I highly recommend using the latest version of the plugin. Unless you have untrusted admin users on your site then the vulnerability is not urgent, and you have time to upgrade properly.

momosampaii commented 4 years ago

Thanks a lot for your quick answer.

You mean that we need to log in with an admin role (only) to do the exploit?

Is it possible to provide me with version 2.8, please, to compare with my version?

Thanks again for your time.

johngodley commented 4 years ago

Yes, as explained on that security page the behaviour was intentional, not accidental, and requires an admin user. Future versions change how the passthrough works so the issue doesn't exist, even for admin users.

All available versions can be found here:

https://wordpress.org/plugins/redirection/advanced/

momosampaii commented 4 years ago

Thanks John.

I pasted the code of the pass.php file from 2.8 into my installed version 2.7.3 and it works.

Now I will dig deeper to find the issue that returns a 404 for my frontend posts.

Have a nice weekend and thanks again for your time.

momosampaii commented 4 years ago

Hi John,

I need some information, please. The plugin "Redirection" in versions before 3.6.3 has a Cross-Site Request Forgery (CSRF) security issue (https://wpvulndb.com/vulnerabilities/9155).

Is it possible to explain to me how it works, please? Do we need to be logged in to the platform to perform it? What user role is required?

Thanks in advance for your explanations.

Regards,

johngodley commented 4 years ago

Information is found on the original report you posted.

The security issue you are referring to requires an admin user.

I would highly recommend spending the time to update your site to use the latest versions of any plugins. It does not seem wise to spend so much time on old and unsupported software.

momosampaii commented 4 years ago

I understand what you mean about the update, John, but right now I just need to know (if possible) how the vulnerability is performed (can a user who is not logged in do it?). Thanks again for your time.

johngodley commented 4 years ago

As I've said several times, the security issue you are referring to requires an admin user.

momosampaii commented 4 years ago

In the latest comments (today's comment) I am referring to: https://wpvulndb.com/vulnerabilities/9155

Last week I was referring to: https://wpvulndb.com/vulnerabilities/9091

Can you just confirm that we need to use an admin account in both cases, please?

Thanks.

johngodley commented 4 years ago

You will need to read the security reports and determine if it affects your site. Any reported security issues have since been fixed, and if you use the latest version it will include all changes.

momosampaii commented 4 years ago

I'm looking for the security report about this vulnerability, please: https://wpvulndb.com/vulnerabilities/9091

Is there any page explaining the vulnerability? I found only the changeset URL:

https://plugins.trac.wordpress.org/changeset/1974375/redirection

My concern right now is about the execution of this vulnerability: do we need admin access or not to do it if the Redirection plugin version is <= 3.6.3?

johngodley commented 4 years ago

You can follow the link on https://wpvulndb.com/vulnerabilities/9091 and it provides full information.

I'm sorry, but I don't keep track of things that were fixed several years ago, and I really don't remember the details. If you are intent on using an old version then it is your responsibility to ensure your site is safe.

Again I cannot stress how important it is to use the latest version of any plugin. If you use an older version then it is entirely at your own risk.

momosampaii commented 4 years ago

Sorry John, in my last comment I put the wrong vulnerability.

I'm looking for a report about this one, please: https://wpvulndb.com/vulnerabilities/9155

Please, if possible, tell me if we need an admin account to do it?

The other one (https://wpvulndb.com/vulnerabilities/9091) is OK.

Thanks again, and sorry for all the comments.

johngodley commented 4 years ago

You can find the information by clicking the Redirection button on the page.

Again, I do not keep track of things that were changed several years ago - I do not remember. I cannot advise you any further.

Please upgrade.

momosampaii commented 4 years ago

Thanks for your time and sorry again.