Opened 12 years ago
Closed 12 years ago
#23004 closed defect (bug) (invalid)
Editor CSRF vulnerabilities discovered
Reported by: | drssay | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 3.5 |
Component: | Security | Keywords: | |
Focuses: | | Cc: | |
Description
Reproduce
- Log in as a user with writer (or editor) privileges. -> example) user name "test", user id = 2
- Input the syntax below into the visual editor.
<img src="http://localhost/wp-admin/users.php?s=&_wponce=7258002722&_wp_http_referer=%2Fwp-admin%2Fusers.php%3Fupdate%3Dpromote&action=-1&new_role=administrator&changeit=%EB%B3%80%EA%B2%BD&paged=1&users%5B%5D=2&action2=-1" alt="" />
The users%5B%5D=2 parameter carries the target user number.
- Log in as a user with administrator privileges. -> example) username "admin", user id = 1
- User "admin" views the post written in step 2.
- User "admin" can see the xbox image.
- User "test" gains administrator privileges.
Attachments will be added
Change History (3)
Where did you get the value "7258002722" for the _wpnonce parameter from? Copy/paste from a session when you were logged in as admin? That doesn't count then.
And: Next time, please do not report security vulnerabilities here, but follow the instructions at http://codex.wordpress.org/FAQ_Security
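The point of the comment above, as an added illustration that is not part of the ticket and not WordPress's own code: a nonce is a keyed hash bound to the action, the acting user and that user's session token, so a nonce copied from an admin session only verifies for requests that admin's own browser sends, and user "test" can only mint nonces for their own session. The key, session tokens, action name and tick length below are constructed placeholders.

```python
import hmac
import hashlib

# Constructed sample values (not from the ticket): a site-wide secret and one
# session token per logged-in user. Each user only ever sees their own token.
NONCE_KEY = b"constructed-site-nonce-key"
SESSION_TOKENS = {1: "admin-session-token", 2: "test-session-token"}
ACTION = "bulk-users"          # placeholder name for the users.php bulk action
TICK_SECONDS = 12 * 60 * 60   # nonce window covers the current and previous tick


def nonce_tick(now):
    """Coarse time counter used instead of an exact timestamp."""
    return int(now // TICK_SECONDS)


def make_nonce(tick, action, user_id):
    """Keyed hash over tick|action|user|session token, truncated to 10 hex chars."""
    msg = f"{tick}|{action}|{user_id}|{SESSION_TOKENS[user_id]}".encode()
    return hmac.new(NONCE_KEY, msg, hashlib.sha256).hexdigest()[-12:-2]


def verify_nonce(nonce, action, acting_user_id, now):
    """Checked for the user whose browser actually sends the request."""
    tick = nonce_tick(now)
    return any(hmac.compare_digest(nonce, make_nonce(t, action, acting_user_id))
               for t in (tick, tick - 1))


def attacker_nonce_accepted(now=1_000_000):
    """User 2 ('test') plants the only nonce they can obtain, their own; the
    request arrives from admin's browser, so it is verified for user 1 and fails."""
    planted = make_nonce(nonce_tick(now), ACTION, 2)
    return verify_nonce(planted, ACTION, 1, now)


def copied_admin_nonce_accepted(now=1_000_000):
    """The ticket's scenario: a nonce copied out of an existing admin session does
    verify for admin, but obtaining it already required admin access."""
    copied = make_nonce(nonce_tick(now), ACTION, 1)
    return verify_nonce(copied, ACTION, 1, now)


def stale_admin_nonce_accepted(now=1_000_000):
    """Even a genuine admin nonce stops verifying once two ticks have passed."""
    old = make_nonce(nonce_tick(now), ACTION, 1)
    return verify_nonce(old, ACTION, 1, now + 2 * TICK_SECONDS)
```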