Community Support Forums — WordPress® ( Users Helping Users ) — 2011-12-07T16:16:03-05:00 http://www.primothemes.com/forums/feed.php?f=4&t=16141

2011-12-07T16:16:03-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16141&p=55984#p55984 Re: S2member shortcode security HOLE?
Code:
// Register on wp_insert_post_data so the filtered content is what WordPress actually stores.
add_filter('wp_insert_post_data', 'post_security_check', 10, 2);

function post_security_check($data, $postarr){
    // is_admin() only tests whether the request is for a wp-admin page, not the user's role,
    // so test a capability that only administrators hold instead.
    if (!current_user_can('manage_options')){
        /*
         * Change the stored post so that it appears as typed, but will not invoke the s2member shortcodes.
         * Each preg_replace() reports its replacement count in its own variable, so the totals add up.
         */
        $i=0;$j=0;$k=0;$l=0;
        $a=preg_replace('/\[s2/', '&#91;s2', $data['post_content'], -1, $i);
        $a=preg_replace('/\<\?php/', '&lt;&#63;php', $a, -1, $j);
        $a=preg_replace('/\?\>/', '&#63;&gt;', $a, -1, $k);
        $data['post_content']=preg_replace('/\[\/s2If/', '&#91;&#47;s2If', $a, -1, $l);
        if ($i+$j+$k+$l>0){
            /*
             * Above logic has had to change a post, so audit the correction here (e.g. error_log()).
             */
        }
    }
    return $data;
}

Statistics: Posted by DaveWP196 — December 7th, 2011, 4:16 pm


2011-12-02T01:40:15-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16141&p=54368#p54368 Re: S2member shortcode security HOLE?

Thanks for the heads up on this thread.

If a User is going to be allowed to post content ( which is not something s2Member currently supports in a standard WordPress installation ), then the site owner would need to implement some additional filters of their own against any content being published by a Member, to prevent those Shortcodes from being possible. This is something that a site owner is responsible for, because currently s2Member does not support this. WordPress Roles associated with s2Member cannot edit|publish_posts. Any Shortcode starting with [s2 would be a potential security issue in this regard, if you decide to allow your Users/Members to publish content on your site.


That being said, it should also be noted that s2Member mutates itself on a Multisite Blog Farm installation. If a site owner is running a Multisite Blog Farm installation of s2Member, i.e. with define('MULTISITE_FARM', true);, the [s2If /] Conditionals are limited/restricted to only this subset of WordPress Conditional functions, restricting Members operating a Child Blog within a Network:
"is_user_logged_in", "is_user_not_logged_in", "user_is", "user_is_not", "user_can", "user_cannot", "current_user_is", "current_user_is_not", "current_user_can", "current_user_cannot", "is_admin", "is_blog_admin", "is_user_admin", "is_network_admin", "is_404", "is_home", "is_front_page", "is_singular", "is_single", "is_page", "is_page_template", "is_attachment", "is_feed", "is_archive", "is_search", "is_category", "is_tax", "is_tag", "has_tag", "is_author", "is_date", "is_day", "is_month", "is_time", "is_year", "is_sticky", "is_paged", "is_preview", "is_comments_popup", "in_the_loop", "comments_open", "pings_open", "has_excerpt", "has_post_thumbnail"
So although it would still be possible to peek at a specific User's permissions on the current blog in this case ( we'll be sure to address this in the next major release ), there IS at least some additional security already in place for Multisite Blog Farms to cover more important vulnerabilities.

In addition to these limitations/restrictions on what Conditional functions can be used on a Multisite Blog Farm via the [s2If /] Conditional, s2Member will also NOT allow any function arguments that contain these characters on a Multisite Blog Farm installation: "(" or ")". This prevents inner function calls as the arguments to Simple Conditionals, such as [s2If is_day(give_entire_site_fubar())]. This would NOT be possible on a Multisite Blog Farm, in current versions of s2Member.

Statistics: Posted by Jason Caldwell — December 2nd, 2011, 1:40 am
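As an added illustration of the two Multisite Blog Farm rules described above (the function whitelist and the ban on parentheses inside arguments), the stand-alone PHP below checks the conditions found in [s2If ...] tags. It is example code, not s2Member's own implementation; the function names and the sample post content are constructed for this example.

```php
<?php
// The subset of WordPress conditional functions quoted in the post above.
const S2IF_ALLOWED_FUNCTIONS = array(
    'is_user_logged_in', 'is_user_not_logged_in', 'user_is', 'user_is_not',
    'user_can', 'user_cannot', 'current_user_is', 'current_user_is_not',
    'current_user_can', 'current_user_cannot', 'is_admin', 'is_blog_admin',
    'is_user_admin', 'is_network_admin', 'is_404', 'is_home', 'is_front_page',
    'is_singular', 'is_single', 'is_page', 'is_page_template', 'is_attachment',
    'is_feed', 'is_archive', 'is_search', 'is_category', 'is_tax', 'is_tag',
    'has_tag', 'is_author', 'is_date', 'is_day', 'is_month', 'is_time', 'is_year',
    'is_sticky', 'is_paged', 'is_preview', 'is_comments_popup', 'in_the_loop',
    'comments_open', 'pings_open', 'has_excerpt', 'has_post_thumbnail',
);

// One call = identifier followed by an argument list that contains no parenthesis.
const S2IF_CALL_PATTERN = '/([A-Za-z_][A-Za-z0-9_]*)\s*\(([^()]*)\)/';

/**
 * Returns true when every call in an [s2If] condition names a whitelisted function
 * and no argument carries a parenthesis (so a nested call cannot be smuggled in).
 * $condition is the text inside the tag, e.g. "is_user_logged_in() AND is_page(2)".
 */
function s2if_condition_is_safe($condition) {
    if (!preg_match_all(S2IF_CALL_PATTERN, $condition, $calls, PREG_SET_ORDER)) {
        return false; // nothing call-shaped at all: reject rather than guess
    }
    foreach ($calls as $call) {
        if (!in_array($call[1], S2IF_ALLOWED_FUNCTIONS, true)) {
            return false; // function outside the whitelist
        }
    }
    // Remove the well-formed calls; any parenthesis left over belongs to a nested call.
    $rest = preg_replace(S2IF_CALL_PATTERN, '', $condition);
    return strpos($rest, '(') === false && strpos($rest, ')') === false;
}

/** Finds every [s2If ...] opening tag in $content and returns the conditions that fail the rules. */
function s2if_unsafe_conditions($content) {
    preg_match_all('/\[s2If\s+([^\]]*?)\s*\]/i', $content, $tags);
    $unsafe = array();
    foreach ($tags[1] as $condition) {
        if (!s2if_condition_is_safe($condition)) {
            $unsafe[] = $condition;
        }
    }
    return $unsafe;
}

// Constructed sample: one legitimate conditional, one nested call of the shape quoted above.
$sample = "[s2If is_user_logged_in()]members only[/s2If]\n"
        . "[s2If is_day(give_entire_site_fubar())]x[/s2If]";
var_dump(s2if_unsafe_conditions($sample));
```

Run it with `php` from the command line; the nested-call condition is the only one reported, because give_entire_site_fubar is not whitelisted and its parentheses sit inside is_day's argument.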


2011-12-01T04:36:06-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16141&p=54306#p54306 S2member shortcode security HOLE?
i.e. What is stopping a level1 member from creating a post with the following content?

[s2Get user_field="first_name" user_id="1"/]
[s2Get user_field="last_name" user_id="1"/]
[s2Get user_field="user_email" user_id="1"/]

i.e. getting information about another user/admin even though they are not an administrator?

Is there a standard way to block this type of post being created by a non-admin user?

Statistics: Posted by DaveWP196 — December 1st, 2011, 4:36 am

