Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#4422 closed defect (bug) (fixed)

Anyone can delete attachments

Reported by: xknown
Owned by: rob1n
Milestone: 2.2.1
Priority: high
Severity: critical
Version: 2.2
Component: Security
Keywords: has-patch commit
Focuses:
Cc:

Description

An unregistered user can delete attachments through xmlrpc request:

<methodCall>
  <methodName>wp.uploadFile</methodName>
  <params>
    <param><value>1</value></param>
    <param><value>1</value></param>
    <param><value>1</value></param>
    <param>
      <value>
        <struct>
          <member><name>name</name><value>attachement_name</value></member>
          <member><name>overwrite</name><value>1</value></member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

I'll submit a partial fix -- I think that a user should only delete their own uploaded files.

Attachments (3)

xmlrpc.php.patch (773 bytes) - added by xknown 13 years ago.
Move user validation before attachment deletion
4422.diff (1.4 KB) - added by rob1n 13 years ago.
xmlrpc.php-diff (1.7 KB) - added by josephscott 13 years ago.

Change History (10)

@xknown
13 years ago

Move user validation before attachment deletion

#1 @rob1n
13 years ago

  • Keywords has-patch added

Looks good to me, but I'm not an XML-RPC guru.

@rob1n
13 years ago

#2 @foolswisdom
13 years ago

  • Owner changed from anonymous to josephscott
  • Priority changed from normal to high
  • Severity changed from normal to critical

#3 @josephscott
13 years ago

My diff pushes the overwrite feature even further down, to just before the upload gets saved.

#4 @rob1n
13 years ago

  • Keywords commit added
  • Owner changed from josephscott to rob1n
  • Status changed from new to assigned

#5 @rob1n
13 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [5670]) Check the user before overwriting the attachment. Props xknown and Joseph Scott. fixes #4422
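An added illustration (not the WordPress 2.2 source) of the ordering bug the report describes and of the reordering that [5670] applies: the upload handler's overwrite branch deletes the existing attachment before the caller's credentials are checked. The attachment store, the credential check and the sample attachment are constructed stand-ins for WordPress internals.

```php
<?php
// Models the wp.uploadFile / mw.newMediaObject handler: params are
// (blog_id, username, password, data), where $data may carry 'name' and 'overwrite'.

class AttachmentStore {
    // Constructed sample: attachment title => attachment ID (post_type = 'attachment').
    public $byTitle = ['attachement_name' => 42];
    public $deleted = [];
    public function deleteByTitle($title) {
        if (isset($this->byTitle[$title])) {
            $this->deleted[] = $this->byTitle[$title];
            unset($this->byTitle[$title]);
        }
    }
}

// Hypothetical stand-in for WordPress's username/password check.
function login_pass_ok($user, $pass) {
    return $user === 'admin' && $pass === 'correct-horse';
}

// BEFORE: the overwrite branch deletes the existing attachment first and only
// afterwards checks credentials, so an unauthenticated caller can delete files.
function upload_file_vulnerable(AttachmentStore $store, $user, $pass, array $data) {
    if (!empty($data['overwrite']) && isset($data['name'])) {
        $store->deleteByTitle($data['name']);   // side effect before authentication
    }
    if (!login_pass_ok($user, $pass)) {
        return 'Login failed';                  // too late: the deletion already happened
    }
    return 'uploaded';
}

// AFTER (the [5670] ordering): authenticate first, then act on overwrite.
function upload_file_fixed(AttachmentStore $store, $user, $pass, array $data) {
    if (!login_pass_ok($user, $pass)) {
        return 'Login failed';                  // store untouched
    }
    if (!empty($data['overwrite']) && isset($data['name'])) {
        $store->deleteByTitle($data['name']);
    }
    return 'uploaded';
}

// Replay the ticket's request (credentials "1"/"1", overwrite=1) against both versions.
$data = ['name' => 'attachement_name', 'overwrite' => 1];
$a = new AttachmentStore(); upload_file_vulnerable($a, '1', '1', $data);
$b = new AttachmentStore(); upload_file_fixed($b, '1', '1', $data);
printf("vulnerable deleted: %s\nfixed deleted: %s\n", json_encode($a->deleted), json_encode($b->deleted));
```

The same test shows why xknown's suggested ownership check would be a further tightening: the fixed version still lets any valid login overwrite any attachment by title.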

#6 @rob1n
13 years ago

(In [5671]) Check the user before overwriting the attachment. Props xknown and Joseph Scott. fixes #4422

#7 @rob1n
13 years ago

  • Milestone changed from 2.2.2 to 2.2.1