Context Navigation

Ticket #10735: 009CVE2008-6767.patch

File 009CVE2008-6767.patch, 1.2 KB (added by Derevko, 17 years ago)
Only admin can upgrade wordpress. (CVE-2008-6767)

Author: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: Only admin can upgrade wordpress. (CVE-2008-6767) (Closes: #531736)

  define( 'WP_INSTALLING', true );
 /** Load WordPress Bootstrap */
 require( '../wp-load.php' );
+if(!current_user_can('level_10'))
+        wp_safe_redirect('../wp-login.php?upgrade');
 timer_start();
 require_once( ABSPATH . 'wp-admin/includes/upgrade.php' );

  default:
         elseif  ( isset($_GET['checkemail']) && 'confirm' == $_GET['checkemail'] )      $errors->add('confirm', __('Check your e-mail for the confirmation link.'), 'message');
         elseif  ( isset($_GET['checkemail']) && 'newpass' == $_GET['checkemail'] )      $errors->add('newpass', __('Check your e-mail for your new password.'), 'message');
         elseif  ( isset($_GET['checkemail']) && 'registered' == $_GET['checkemail'] )   $errors->add('registered', __('Registration complete. Please check your e-mail.'), 'message');
+        elseif  ( isset($_GET['upgrade'])) $errors->add('upgrade', __('Upgrade is needed, please log in with an admin account.'), 'message');
         login_header(__('Log In'), '', $errors);