Vulnerability in Sandbox fixed

Thanks to WordPress user anoncobard, a cross-site scripting (XSS) vulnerability in Sandbox versions prior to 1.6.1 has been fixed. I ask all Sandbox users to download Sandbox 1.6.1 and upgrade.

In the Sandbox functions.php, sandbox_body_class() used the pagination query variable without sanitizing it, so attacker-controlled input could reach the page markup and be exploited for XSS.

See line 128 in the file:

if ( ( ( $page = $wp_query->get('paged') ) || ( $page = $wp_query->get('page') ) ) && $page > 1 ) {

The variable $page is taken straight from the query variables and is never validated before it is used to build the body class and emitted into the page. The $page > 1 check is not a safeguard: PHP's loose comparison treats a string with a leading digit as that number, so a value that starts with "2" passes the check even if the rest of it is markup. By simply adding $page = intval($page); (thanks to Andy), we make sure that only an integer is ever used (see the diff of the changes).
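To make the problem and the fix concrete, here is a reduced model of the pagination branch of sandbox_body_class() before and after the change. This is an added example written for this post, not the Sandbox theme's own code: it stands in for $wp_query->get() with a plain array (which, like the real method, yields an empty string for an unset variable), the class name paged-N and the rest of the class list are assumptions, and the attacker input is constructed for the demonstration. It runs from the command line without WordPress.

```php
<?php
// Added example, not the Sandbox theme's code. Models the pagination
// class in sandbox_body_class() before and after the 1.6.1 fix.

// Stand-in for $wp_query->get(): an unset query variable yields ''.
function query_get( array $vars, $key ) {
    return isset( $vars[ $key ] ) ? $vars[ $key ] : '';
}

// Before the fix: the raw pagination value is concatenated into the
// class attribute of <body>. Note that '2"><script>...' still passes
// the $page > 1 check, because PHP compares its leading digit as a number.
function sandbox_body_class_before( array $vars ) {
    $classes = array( 'wordpress' );             // assumed base class
    if ( ( ( $page = query_get( $vars, 'paged' ) ) || ( $page = query_get( $vars, 'page' ) ) ) && $page > 1 ) {
        $classes[] = 'paged-' . $page;           // class name is assumed
    }
    return '<body class="' . join( ' ', $classes ) . '">';
}

// After the fix: intval() reduces the value to a plain integer before it
// is used, so no markup characters can reach the attribute.
function sandbox_body_class_after( array $vars ) {
    $classes = array( 'wordpress' );
    if ( ( ( $page = query_get( $vars, 'paged' ) ) || ( $page = query_get( $vars, 'page' ) ) ) && $page > 1 ) {
        $page = intval( $page );                 // the 1.6.1 change
        $classes[] = 'paged-' . $page;
    }
    return '<body class="' . join( ' ', $classes ) . '">';
}

// Constructed inputs: a normal page number, an injection attempt via the
// 'page' variable, and a value that should produce no paged class at all.
$inputs = array(
    array( 'paged' => '3' ),
    array( 'page'  => '2"><script>alert(1)</script><p class="' ),
    array( 'page'  => '0' ),
);

foreach ( $inputs as $vars ) {
    echo 'input:  ' . json_encode( $vars ) . "\n";
    echo 'before: ' . sandbox_body_class_before( $vars ) . "\n";
    echo 'after:  ' . sandbox_body_class_after( $vars ) . "\n\n";
}
```

Run it with php on the command line. For the second input the "before" line shows the script tag breaking out of the class attribute, while the "after" line contains only paged-2; the third input produces no paged class in either version because '0' is falsy and fails the > 1 test. A complementary defence, independent of where the value came from, is to escape the attribute at output time (WordPress provides esc_attr() for this), so that a future code path that forgets intval() still cannot inject markup.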

This has also been fixed for the Sandbox theme on WordPress.com accounts. Please note that there have been no reports of the Sandbox theme being exploited, so we are glad that we were able to correct this weakness before it was publicly disclosed.

Now get back to playing in your Sandbox.

6 Comments

  1. Posted June 20, 2009 at 6:42 am | Permalink

    Would like to upgrade to Compatible WordPress 2.8, Thanks!

  2. EJ
    Posted June 23, 2009 at 1:56 pm | Permalink

    I too would welcome a new Sandbox, primed for 2.8. By the way, keep up the awesome work – I’ve been using Sandbox for years. Thanks!

  3. Posted July 3, 2009 at 6:26 pm | Permalink

    Just curious if you are planning to start actively developing Sandbox again. I’ve been considering taking the current code base and extending it, but I’d prefer to just contribute instead of starting another project. Guess I’d just need to know where you are planning to go with it. I know the domain was supposed to be getting sold, etc at one point but I haven’t heard anything about it in quite awhile.

    Either way, thanks for the update.

  4. Dave
    Posted July 8, 2009 at 10:45 pm | Permalink

    If possible, can you confirm whether this is the only difference between 1.6 and 1.6.1?

    Many thanks for a great framework,
    Dave

  5. Posted July 8, 2009 at 10:54 pm | Permalink

    Yep, Dave, the only change is the one indicated in the diff above.

  6. Dave
    Posted July 9, 2009 at 5:21 am | Permalink

    Beautiful, thanks!

2 Trackbacks

  1. By Is Sandbox dead? - Thoughts on WordPress on August 27, 2009 at 2:05 pm

    [...] So I went back and took a look at the PlainTxt blog and what do you know?  A post!  A minor security update was added to the Sandbox theme back in July.  Was development active again?  Poking around it appears that no, not [...]

  2. By www.michaelwalsh.org » Is Sandbox dead? on October 22, 2009 at 10:38 am

    [...] theme?).  So I went back and took a look at the PlainTxt blog and what do you know?  A post!  A minor security update was added to the Sandbox theme back in July.  Was development active again?  Poking around it appears that no, not really.  [...]