Project: Wordpress Plugin Jetpack by WordPress.com 6.6.1

Vulnerability: #9217792 (2018-10-30 09:00:37)

Warning

Many findings are false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink PHP::echo
Risk _POST
/jetpack/modules/protect/blocked-login-page.php:233 (show/hide source)
213  	}
214  
/**
 * Renders the standard "login blocked" page with no recovery form.
 *
 * The body comes from get_html_blocked_login_message() (not in this excerpt; the
 * name suggests it returns pre-built HTML) and is handed to protect_die(), which
 * wraps it in a paragraph before it is echoed by display_page().
 */
public function render_blocked_login_message() {
	$blocked_message = $this->get_html_blocked_login_message();
	$this->protect_die( $blocked_message );
}
218  
/**
 * Handles a submitted recovery-email request.
 *
 * On success the confirmation page is rendered. On a WP_Error the error is shown
 * via protect_die() with the back link enabled; the recovery form is repeated
 * unless the error code says an email was already sent for this address.
 */
function process_recovery_email() {
	$sent = $this->send_recovery_email();

	if ( ! is_wp_error( $sent ) ) {
		$this->render_recovery_success();
		return;
	}

	// Only an "already sent" error suppresses the form; every other error lets the user retry.
	$show_recovery_form = ( 'email_already_sent' !== $sent->get_error_code() );
	$this->protect_die( $sent, null, true, $show_recovery_form );
}
231  
232  	function send_recovery_email() {
233 $email = isset( $_POST['email'] ) ? $_POST['email'] : '';
234 if ( sanitize_email( $email ) !== $email || ! is_email( $email ) ) { 235 return new WP_Error( 'invalid_email', __( "Oops, looks like that's not the right email address. Please try again!", 'jetpack' ) );
Threat level 2

Callstack:

Jetpack_Protect_Blocked_Login_Page::display_page /jetpack/modules/protect/blocked-login-page.php:587 (show/hide source)
567  					<path fill="#C7E9F5" d="M55.2,25.6l-0.1,9.8L55,57l-0.1,21.6c0,0.2,0.2,0.4,0.4,0.4c0.2,0,0.4-0.2,0.4-0.4L56.6,57l0.8-21.6 c0.1-3.3,0.2-6.5,0.3-9.8H55.2z"/>
568  					<path fill="#C7E9F5" d="M203.1,25.6l0.1,18.1c0.2,28.8,0.4,57.6,1.2,86.3c0,0.4,0.4,0.8,0.8,0.8c0.4,0,0.8-0.3,0.8-0.8 c0.8-28.8,1-57.6,1.2-86.3l0.1-18.1H203.1z"/>
569  					<path fill="#7FD3F2" d="M55.3,25.6v-8.2v-6.8c0-5.9,4-10.7,9-10.7h134c5,0,9,4.8,9,10.7v14.9H55.3z"/>
570  					<path fill="#005083" d="M210.7,25.6c-13.3,1.1-26.7,1-40,1l-40,0.2l-40-0.2c-13.3-0.1-26.7,0-40-1V25c13.3-1.1,26.7-1,40-1l40-0.2 l40,0.2c13.3,0.1,26.7,0,40,1V25.6z"/>
571  					<polygon fill="#C7E9F5" points="168.7,95.6 117.7,95.6 117.7,44.6 	"/>
572  					<path fill="#C8D7E2" d="M191.5,56.5c0,11-8.9,19.9-19.9,19.9c-11,0-19.9-8.9-19.9-19.9c0-11,8.9-19.9,19.9-19.9 C182.6,36.6,191.5,45.5,191.5,56.5"/>
573  					<path fill="#FFFFFF" d="M213.2,95.5c-3.3-5.1-3.2-16.7-3.2-28.4h-32.3c0,0-5.2,25.5,4.6,33c7.5-0.1,29.9-0.6,29.9-0.6"/>
574  					<path fill="#C8D7E2" d="M213.5,95.3l-0.1-0.1l-0.3-0.5c-0.2-0.4-0.3-0.7-0.5-1.1c-0.3-0.8-0.5-1.6-0.7-2.4c-0.1-0.5-0.2-1.1-0.3-1.6 c-0.4,0-0.8,0-1.2,0c0.5,2.1,1.1,4.3,2.4,6.1l0.2,0.2c0.2,0,0.4-0.1,0.5-0.3C213.6,95.5,213.6,95.4,213.5,95.3L213.5,95.3z"/>
575  					<path fill="#C8D7E2" d="M212.5,98.6c-0.1,0-0.2,0-0.3,0l-0.1,0H212l-0.3,0l-0.6,0l-1.3,0l-2.5,0l-5,0l-19.5,0.2 c-1.9-1.7-3.1-4.1-3.8-6.5c-0.8-2.6-1.1-5.4-1.2-8.2c-0.2-5.2,0.3-10.4,1.1-15.6l5.7-0.1c0-0.9,0-1.8,0-2.6l-4.4,0l-2.5,0 c-0.4,0-0.8,0.2-1,0.5c-0.1,0.2-0.2,0.3-0.3,0.5l-0.1,0.3l-0.2,1.2c-0.3,1.7-0.5,3.3-0.7,5c-0.3,3.3-0.5,6.7-0.4,10.1 c0.1,3.4,0.5,6.7,1.5,10c0.5,1.6,1.2,3.2,2.2,4.7c0.5,0.7,1,1.4,1.7,2c0.3,0.3,0.6,0.6,1,0.9l0.1,0.1c0.1,0,0.2,0.1,0.3,0.2 c0.2,0.1,0.5,0.1,0.6,0.1l0.6,0l20-0.6l5-0.2l2.5-0.1l1.2,0l0.3,0l0.2,0c0,0,0.3,0,0.4-0.1c0.3-0.2,0.5-0.5,0.5-0.9 C213.1,99.1,212.9,98.7,212.5,98.6z"/>
576  					<path fill="#FFFFFF" d="M223.1,84.8c-3.3-5.1-4.8-16.7-4.8-28.4h-32.3c0,0-3.5,25.5,6.3,33c7.5-0.1,29.9-0.6,29.9-0.6"/>
577  					<path fill="#C8D7E2" d="M222.9,84.9c-1.3-2.1-2.2-4.4-2.8-6.7c-0.6-2.4-1.1-4.8-1.5-7.2c-0.7-4.8-1-9.1-1-13.9l0,0l-31,0.1l0,0 c-0.4,2.8-0.5,5.1-0.5,7.9c-0.1,2.9,0,5.7,0.3,8.6c0.3,2.8,0.8,5.7,1.7,8.3c0.9,2.6,2.3,5.2,4.5,6.9l-0.4-0.1l14.9-0.2 c5-0.1,10-0.1,14.9-0.1c0.1,0,0.3,0.1,0.3,0.3c0,0.1-0.1,0.3-0.2,0.3c-5,0.2-10,0.4-14.9,0.5l-14.9,0.4c-0.1,0-0.3,0-0.4-0.1l0,0 c-2.5-1.9-3.9-4.7-5-7.4c-1-2.8-1.5-5.7-1.9-8.6c-0.3-2.9-0.4-5.8-0.4-8.8c0.1-2.9,0.2-5.8,0.6-8.8c0-0.4,0.4-0.6,0.7-0.6h0 l32.3,0.1h0c0.3,0,0.6,0.3,0.6,0.6v0c0,4.8,0.2,9.6,0.7,14.4c0.3,2.4,0.6,4.8,1.2,7.1c0.5,2.3,1.2,4.7,2.4,6.8c0,0.1,0,0.1,0,0.2 C223.1,85,223,85,222.9,84.9"/>
578  					<path fill="#C8D7E2" d="M192.1,67.1c1.6-0.9,3.4-1.2,5.1-1.3c1.7-0.2,3.5-0.2,5.2-0.2c3.5,0.1,6.9,0.2,10.3,1c0.1,0,0.2,0.2,0.2,0.3 c0,0.1-0.1,0.2-0.2,0.2c-3.4,0.2-6.9,0-10.3,0c-1.7,0-3.4,0-5.1,0c-1.7,0-3.4,0.1-5.1,0.3l0,0c-0.1,0-0.1,0-0.1-0.1 C192,67.2,192.1,67.1,192.1,67.1"/>
579  					<path fill="#C8D7E2" d="M194.1,74c1.4,0,2.7,0,4.1,0c1.4,0,2.7,0,4.1,0c2.7,0,5.4-0.1,8.2-0.2c0.1,0,0.3,0.1,0.3,0.3 c0,0.1-0.1,0.2-0.2,0.3c-1.3,0.5-2.7,0.7-4.1,0.9c-1.4,0.2-2.8,0.2-4.2,0.3c-1.4,0-2.8,0-4.2-0.2c-1.4-0.2-2.8-0.4-4.1-1.1 c-0.1,0-0.1-0.1,0-0.2C193.9,74.1,194,74,194.1,74L194.1,74z"/>
580  					<path fill="#86A6BD" d="M40.2,88.6c-0.5,0-0.8-0.4-0.9-0.9l-0.1-8.2c0-0.7,0-1.4,0-2.1c0.1-0.7,0.2-1.5,0.4-2.2c0.4-1.4,1-2.8,1.9-4 c1.7-2.5,4.3-4.3,7.1-5.1c0.7-0.2,1.5-0.3,2.2-0.5c0.7-0.1,1.5-0.1,2.2-0.1c1.3,0,2.9,0,4.4,0.4c2.9,0.7,5.6,2.5,7.4,4.9 c0.9,1.2,1.6,2.6,2.1,4c0.5,1.4,0.6,3,0.6,4.4l0,16.4c0,0.7-0.6,1.3-1.3,1.3l-6.7,0c-0.7,0-1.3-0.6-1.3-1.3v0l0-10.8l0-5.4 c0-1.4-0.7-2.8-1.8-3.5c-0.6-0.4-1.3-0.6-2-0.7c-0.7,0-1.9,0-2.5,0c-1.4,0.1-2.7,1-3.3,2.3c-0.3,0.7-0.4,1.3-0.4,2.1l0,2.7 l-0.1,5.4l0,0c0,0.5-0.4,0.9-1,0.9"/>
581  					<path fill="#FFFFFF" d="M41.1,86.9l0.1-7.3c-0.1-2.6,0.7-5,2.1-7.1c1.4-2,3.6-3.5,5.9-4.1c0.6-0.2,1.2-0.3,1.8-0.3 c0.6,0,1.2-0.1,1.9,0c1.4,0,2.5,0,3.7,0.4c2.4,0.6,4.5,2,5.9,4c0.7,1,1.3,2.1,1.6,3.2c0.4,1.2,0.5,2.3,0.5,3.7l0,15.1l0,0l-4.2,0 l0-9.5l0-5.4c0-2.2-1.2-4.4-3-5.5c-0.9-0.6-2-0.9-3.1-1c-1.1,0-1.7,0-2.9,0c-2.2,0.2-4.2,1.7-5.1,3.6c-0.5,0.9-0.7,2.1-0.6,3.1 l0,2.7l0.1,4.4l0,0L41.1,86.9L41.1,86.9"/>
582  					<path fill="#86A6BD" d="M36.3,133c-1.9,0-3.8-1.1-4.8-2.8c-0.5-0.8-0.7-1.8-0.7-2.8l0-2.4l0-9.6l-0.1-9.6l0-4.8c0-0.7,0-1.8,0.3-2.8 c0.3-1,0.9-1.8,1.7-2.5c0.8-0.6,1.7-1.1,2.7-1.3c1.1-0.2,1.8-0.1,2.6-0.1l4.8,0l9.6-0.1l19.2,0c2.1,0,4.1,1.2,5.1,3 c0.5,0.9,0.8,2,0.8,3l0,2.4l0,9.6l-0.1,9.6l0,4.8c0,0.7,0,1.8-0.4,2.8c-0.3,0.9-1,1.8-1.7,2.4c-0.8,0.6-1.7,1.1-2.7,1.2 c-1.1,0.1-1.8,0-2.6,0.1l-4.8,0l-9.6-0.1L36.3,133z"/>
583  					<path fill="#FFFFFF" d="M74.8,112.3l-0.1-9.6l0-2.4c0-0.6-0.1-1.1-0.4-1.6c-0.6-1-1.7-1.6-2.8-1.6l-19.2,0L42.7,97l-4.8,0 c-0.8,0-1.7,0-2.2,0c-0.6,0.1-1.1,0.3-1.6,0.7c-0.5,0.4-0.8,0.9-1,1.4c-0.2,0.6-0.2,1.1-0.2,2l0,4.8l-0.1,9.6l0,9.6l0,2.4 c0,0.6,0.2,1.3,0.5,1.8c0.6,1.1,1.9,1.8,3.1,1.8l19.2-0.1l9.6-0.1l4.8,0c0.8,0,1.7,0,2.2-0.1c0.6-0.1,1.2-0.4,1.6-0.8 c0.5-0.4,0.8-0.9,1-1.5c0.2-0.6,0.2-1.1,0.2-2l0-4.8L74.8,112.3z"/>
584  					<path fill="#86A6BD" d="M48.1,121.4l2.9-6.2c0.3-0.6,0.2-1.3-0.3-1.8c-1-1-1.5-2.5-1.2-4c0.3-1.7,1.7-3.1,3.4-3.4 c2.9-0.6,5.4,1.6,5.4,4.4c0,1.2-0.5,2.3-1.3,3.1c-0.5,0.5-0.6,1.2-0.3,1.8l2.9,6.2c0.1,0.2-0.1,0.5-0.3,0.5H48.4 C48.1,121.9,48,121.6,48.1,121.4"/>
585  				</svg>
586  
587 <?php echo $message; ?>
588 <?php if ( $recovery_form ) { 589 echo $this->get_html_recovery_form();
Jetpack_Protect_Blocked_Login_Page::protect_die /jetpack/modules/protect/blocked-login-page.php:284 (show/hide source)
264  			return new WP_Error( 'email_send_error', __( 'Oops, we were unable to send a recovery email. Try again.', 'jetpack' ) );
265  		}
266  
267  		return true;
268  	}
269  
/**
 * Builds the body of the blocked-login page and hands it to display_page().
 *
 * No escaping is applied to $content here: callers pass either a WP_Error (whose
 * message is an internal translated string at every call site in this excerpt) or
 * HTML they built themselves (get_html_blocked_login_message()), and display_page()
 * echoes the result as-is. Any user-controlled value must therefore be escaped by
 * the caller before it reaches this method.
 *
 * @param string|WP_Error $content       Page body, or an error rendered as a notice span.
 * @param string|null     $title         Page title; empty values fall back to the lock message.
 * @param bool            $back_link     Forwarded to display_page() unchanged.
 * @param bool            $recovery_form Forwarded to display_page() unchanged.
 */
function protect_die( $content, $title = null, $back_link = false, $recovery_form = false ) {
	if ( empty( $title ) ) {
		$title = __( 'Jetpack has locked your site\'s login page.', 'jetpack' );
	}

	if ( is_wp_error( $content ) ) {
		$notice_icon = '<svg class="gridicon gridicons-notice" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M12 2C6.477 2 2 6.477 2 12s4.477 10 10 10 10-4.477 10-10S17.523 2 12 2zm1 15h-2v-2h2v2zm0-4h-2l-.5-6h3l-.5 6z"/></g></svg>';
		$content     = sprintf( '<span class="error"> %s%s</span>', $notice_icon, $content->get_error_message() );
	}

	$content = sprintf( '<p>%s</p>', $content );

	// Only the presence of the interim-login parameter matters; its value is never read.
	// It marks the login pop-up inside wp-admin, which needs a plain background and no box shadow.
	if ( isset( $_GET['interim-login'] ) ) {
		$interim_style = '<style>html{ background-color: #fff; } #error-message { margin:0 auto; padding: 1em; box-shadow: none; } </style>';
		$content       = $interim_style . $content;
	}

	$this->display_page( $title, $content, $back_link, $recovery_form );
}
Jetpack_Protect_Blocked_Login_Page::render_recovery_success /jetpack/modules/protect/blocked-login-page.php:294 (show/hide source)
274  		if ( is_wp_error( $content ) ) {
275  			$svg = '<svg class="gridicon gridicons-notice" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M12 2C6.477 2 2 6.477 2 12s4.477 10 10 10 10-4.477 10-10S17.523 2 12 2zm1 15h-2v-2h2v2zm0-4h-2l-.5-6h3l-.5 6z"/></g></svg>';
276  			$content = '<span class="error"> '. $svg . $content->get_error_message() . '</span>';
277  		}
278  		$content =  '<p>'. $content .'</p>';
279  
280  		// If for some reason the login pop up box show up in the wp-admin.
281  		if ( isset( $_GET['interim-login'] ) ) {
282  			$content = "<style>html{ background-color: #fff; } #error-message { margin:0 auto; padding: 1em; box-shadow: none; } </style>" . $content;
283  		}
284  		$this->display_page( $title, $content, $back_link, $recovery_form );
285  
286  	}
287  
/**
 * Renders the blocked-login message together with the recovery form.
 *
 * NOTE(review): null is passed for $back_link although protect_die() declares it
 * with a boolean default (false); whether display_page() distinguishes the two is
 * not visible in this excerpt.
 */
function render_recovery_form() {
	$this->protect_die( $this->get_html_blocked_login_message(), null, null, true );
}
292  
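/**
 * Shows the confirmation page after a recovery email was accepted for sending.
 *
 * The address is interpolated into HTML that display_page() echoes without
 * further escaping (the `echo $message` sink), so it is escaped here at the
 * point where it enters markup. send_recovery_email() only accepts addresses
 * that survive sanitize_email() unchanged and pass is_email(), which is
 * presumably where $this->email_address comes from — that assignment is not in
 * this excerpt, so escaping at the output boundary keeps the page safe
 * regardless of how the property was populated.
 */
function render_recovery_success() {
	$this->protect_die(
		sprintf(
			/* translators: %s is the email address the recovery instructions were sent to. */
			__( 'Recovery instructions were sent to %s. Check your inbox!', 'jetpack' ),
			esc_html( $this->email_address )
		)
	);
}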
Jetpack_Protect_Blocked_Login_Page::process_recovery_email /jetpack/modules/protect/blocked-login-page.php:228 (show/hide source)
208  		if ( isset( $_GET['loggedout'] ) && 'true' === $_GET['loggedout'] ) {
209  			$this->protect_die( __( 'You successfully logged out.', 'jetpack' ) );
210  		}
211  
212  		$this->render_recovery_form();
213  	}
214  
/**
 * Renders the standard "login blocked" page with no recovery form.
 *
 * The body comes from get_html_blocked_login_message() (not in this excerpt; the
 * name suggests it returns pre-built HTML) and is handed to protect_die(), which
 * wraps it in a paragraph before it is echoed by display_page().
 */
public function render_blocked_login_message() {
	$blocked_message = $this->get_html_blocked_login_message();
	$this->protect_die( $blocked_message );
}
218  
/**
 * Handles a submitted recovery-email request.
 *
 * On success the confirmation page is rendered. On a WP_Error the error is shown
 * via protect_die() with the back link enabled; the recovery form is repeated
 * unless the error code says an email was already sent for this address.
 */
function process_recovery_email() {
	$sent = $this->send_recovery_email();

	if ( ! is_wp_error( $sent ) ) {
		$this->render_recovery_success();
		return;
	}

	// Only an "already sent" error suppresses the form; every other error lets the user retry.
	$show_recovery_form = ( 'email_already_sent' !== $sent->get_error_code() );
	$this->protect_die( $sent, null, true, $show_recovery_form );
}
Jetpack_Protect_Blocked_Login_Page::render_and_die /jetpack/modules/protect/blocked-login-page.php:203 (show/hide source)
183  
184  	public function render_and_die() {
185  		if ( ! $this->can_send_recovery_emails ) {
186  			$this->render_blocked_login_message();
187  
188  			return;
189  		}
190  
191  		if ( isset( $_GET['validate_jetpack_protect_recovery'] ) && $_GET['user_id'] ) {
192  			$error = new WP_Error( 'invalid_token', __( "Oops, we couldn't validate the recovery token.", 'jetpack' ) );
193  			$this->protect_die( $error );
194  
195  			return;
196  		}
197  
198  		if (
199  			isset( $_GET['jetpack-protect-recovery'] ) &&
200  			isset( $_POST['_wpnonce'] ) &&
201  			wp_verify_nonce( $_POST['_wpnonce'], 'bypass-protect' )
202  		) {
203 $this->process_recovery_email();
204 205 return;
Jetpack_Protect_Module::kill_login /jetpack/modules/protect.php:609 (show/hide source)
589  		 * @param string $ip IP flagged by Protect.
590  		 */
591  		do_action( 'jpp_kill_login', $ip );
592  
593  		if( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
594  			$die_string = sprintf( __( 'Your IP (%1$s) has been flagged for potential security violations.', 'jetpack' ), str_replace( 'http://', '', esc_url( 'http://' . $ip ) ) );
595  			wp_die(
596  				$die_string,
597  				__( 'Login Blocked by Jetpack', 'jetpack' ),
598  				array ( 'response' => 403 )
599  			);
600  		}
601  
602  		require_once dirname( __FILE__ ) . '/protect/blocked-login-page.php';
603  		$blocked_login_page = Jetpack_Protect_Blocked_Login_Page::instance( $ip );
604  
605  		if ( $blocked_login_page->is_blocked_user_valid() ) {
606  			return;
607  		}
608  
609 $blocked_login_page->render_and_die();
610 } 611
Jetpack_Protect_Module::block_with_math /jetpack/modules/protect.php:558 (show/hide source)
538  		 *
539  		 * @module protect
540  		 *
541  		 * @since 3.6.0
542  		 *
543  		 * @param bool Whether to allow math for blocked users or not.
544  		 */
545  
546  		$this->block_login_with_math = 1;
547  		/**
548  		 * Allow Math fallback for blocked IPs.
549  		 *
550  		 * @module protect
551  		 *
552  		 * @since 3.6.0
553  		 *
554  		 * @param bool true Should we fallback to the Math questions when an IP is blocked. Default to true.
555  		 */
556  		$allow_math_fallback_on_fail = apply_filters( 'jpp_use_captcha_when_blocked', true );
557  		if ( ! $allow_math_fallback_on_fail  ) {
558 $this->kill_login();
559 } 560 include_once dirname( __FILE__ ) . '/protect/math-fallback.php';
Jetpack_Protect_Module::check_login_ability /jetpack/modules/protect.php:464 (show/hide source)
444          }
445  
446  		$status = $this->get_cached_status();
447  
448  		if ( empty( $status ) ) {
449  			// If we've reached this point, this means that the IP isn't cached.
450  			// Now we check with the Protect API to see if we should allow login
451  			$response = $this->protect_call( $action = 'check_ip' );
452  
453  			if ( isset( $response['math'] ) && ! function_exists( 'brute_math_authenticate' ) ) {
454  				include_once dirname( __FILE__ ) . '/protect/math-fallback.php';
455  				new Jetpack_Protect_Math_Authenticate;
456  
457  				return false;
458  			}
459  
460  			$status = $response['status'];
461  		}
462  
463  		if ( 'blocked' == $status ) {
464 $this->block_with_math();
465 } 466
@INLINE::/jetpack/modules/protect.php /jetpack/modules/protect.php:916 (show/hide source)
896  		$domain = $uridata['host'];
897  
898  		// If we still don't have the site_url, get it
899  		if ( ! $domain ) {
900  			$uri     = get_site_url( 1 );
901  			$uridata = parse_url( $uri );
902  			$domain  = $uridata['host'];
903  		}
904  
905  		$this->local_host = $domain;
906  
907  		return $this->local_host;
908  	}
909  
910  }
911  
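// Module bootstrap: instantiate Protect and, on the login screen only, run the
// login-ability check that may block the request (see check_login_ability()).
$jetpack_protect = Jetpack_Protect_Module::instance();

global $pagenow;
// Strict comparison: $pagenow is a string, and `==` would also match non-string
// values (e.g. true) through PHP's loose coercion.
if ( isset( $pagenow ) && 'wp-login.php' === $pagenow ) {
	$jetpack_protect->check_login_ability();
}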