Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#45070 closed defect (bug) (invalid)

Entire Media Library & permissions available to subscribers by accessing wp-admin as a subscriber only.

Reported by: tamramc
Owned by: (none)
Milestone: (none)
Priority: normal
Severity: major
Version: 4.9.8
Component: General
Keywords: has-screenshots
Focuses: (none)
Cc: (none)

Description

I was trying to hide the admin toolbar as I don't want users accessing the backend/Dashboard for any reason. I updated the wp-includes/admin-bar.php file to hide the toolbar. However, as soon as I typed <domainname>/wp-admin while logged in as a subscriber to test, I was able to access wp-admin, which is strange because if I log in as a contributor using wp-login.php, I immediately receive "not authorized" after login.

In this case, no options were available except for the "Media" option; even "New" is in the menu bar with the option to create a new media file. This is wrong because if a user is replying to a post, users cannot upload media to post content, but only create a link to media.

The Media list is blank (the user has no media files as a new user) when viewed in pane view, but the user can add new media, including videos, which I didn't think would be allowed for security reasons. But in Media "List" view ALL media files created by admins are shown, including files not attached to any posts (unattached), and the admins' names are shown, including private admin names.

This is an issue for me because of brute force login attempts. I expected that if a user is just a subscriber, only "edit profile" would be available.

Persons run scripts to get usernames, but all a person has to do is register a new account, open wp-admin and select Media, and usernames will be available in the list.

Attachments (3)

media-library-subscriber-2018-10-09-10.41.13PM.png (72.1 KB) - added by tamramc 3 years ago.
media library accessible to subscriber
media-library-toolbar-subscriber-2018-10-09-10.41.57PM.png (98.9 KB) - added by tamramc 3 years ago.
media library toolbar
media-list-2018-10-09-10.41.29 PM.png (296.0 KB) - added by tamramc 3 years ago.
list of all admins names/profiles available to subscriber


Change History (5)

@tamramc
3 years ago

media library accessible to subscriber

@tamramc
3 years ago

list of all admins names/profiles available to subscriber

#1 follow-up: @johnbillion
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi @tamramc! It sounds like you've made some customisations to the core WordPress files (wp-includes/admin-bar.php). This is never a good idea because it means you can't update to future versions of WordPress without risking losing your changes. You should try to make these changes via a plugin instead. In fact, you might find there is already a plugin available on wordpress.org/plugins that addresses your needs.

Regarding the issue you're reporting, I've tested this with a brand new installation of WordPress and a user with the Subscriber level role cannot access the media library. You may have introduced some code on your site which allows this (for example by modifying or granting the upload_files user capability), or you may have a plugin or theme on your site which is enabling this.

Your best bet is to try deactivating any plugins you've installed, and try reverting the changes you've made to WordPress core files.

I'll close this ticket as this isn't an issue in core WordPress.

John
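The two points in the reply above (make the change in a plugin rather than in wp-includes/admin-bar.php, and check whether something on the site has granted upload_files to subscribers) can be demonstrated with a small plugin. This is an added example, not code from the ticket or from WordPress core. It assumes manage_options as the threshold for seeing the toolbar and wp-admin (the same capability the reporter chose); the RDA_REQUIRED_CAP constant and the rda_* function names are hypothetical, and the subscriber login used in the usage note is a placeholder.

```php
<?php
/**
 * Plugin Name: Restrict wp-admin to administrators (added example)
 * Description: Hides the toolbar and keeps non-administrators out of wp-admin
 *              without editing core files, and reports which roles and users
 *              hold the capability that opens the Media Library.
 */

// Deny direct file access; WordPress loads plugins through its plugin loader.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Assumption for this example: only users with manage_options (administrators
// on a stock install) get the toolbar and the Dashboard.
const RDA_REQUIRED_CAP = 'manage_options';

// 1. Hide the front-end toolbar via the core filter instead of editing
//    wp-includes/admin-bar.php, so the change survives WordPress updates.
add_filter( 'show_admin_bar', function ( $show ) {
    return current_user_can( RDA_REQUIRED_CAP ) ? $show : false;
} );

// 2. Redirect everyone else away from wp-admin. AJAX and admin-post requests
//    are left alone because front-end features route through them, and the
//    profile screen stays reachable so a subscriber can still edit their profile.
add_action( 'admin_init', function () {
    $screen = isset( $GLOBALS['pagenow'] ) ? $GLOBALS['pagenow'] : '';
    if ( wp_doing_ajax() || 'admin-post.php' === $screen || 'profile.php' === $screen ) {
        return;
    }
    if ( ! current_user_can( RDA_REQUIRED_CAP ) ) {
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
} );

// 3. Diagnostic: which roles hold a capability. The Media Library screen
//    (wp-admin/upload.php) checks upload_files, so a subscriber who can reach
//    it has been given that capability by a plugin, theme or custom code.
//    On a stock install only administrator, editor and author hold it.
function rda_roles_with_cap( $cap = 'upload_files' ) {
    $found = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( ! empty( $role['capabilities'][ $cap ] ) ) {
            $found[] = $slug;
        }
    }
    return $found;
}

// 4. Diagnostic: a capability can also be granted to one account (stored in
//    the user's capabilities meta) rather than to its role, so check the
//    resolved capabilities of the actual test user as well.
function rda_user_has_cap( $user_login, $cap = 'upload_files' ) {
    $user = get_user_by( 'login', $user_login );
    if ( ! $user ) {
        return null; // unknown account
    }
    return user_can( $user, $cap );
}
```

Drop the file into wp-content/plugins/ and activate it, then run the diagnostics from WP-CLI: `wp eval 'var_dump( rda_roles_with_cap() );'` and `wp eval 'var_dump( rda_user_has_cap( "testsubscriber" ) );'` (`wp cap list subscriber` shows the same role data). If "subscriber" appears in the first result, or the second returns true for a plain subscriber account, the role or user was modified on this site; deactivating plugins one at a time and re-running the check identifies which one grants it. Blocking wp-admin with web-server permissions instead, as the reporter mentions, also blocks admin-ajax.php, which front-end features of core and plugins depend on.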

#2 in reply to: ↑ 1 @tamramc
3 years ago

Replying to johnbillion:

> Hi @tamramc! It sounds like you've made some customisations to the core WordPress files (wp-includes/admin-bar.php).

Actually, the only thing changed was:

    if ( ! current_user_can( 'read' ) ) {

to

    if ( ! current_user_can( 'manage_options' ) ) {

> This is never a good idea because it means you can't update to future versions of WordPress without risking losing your changes.

And yes, I know this, but I would have simply changed one word, "read", back to "manage_options".

> You should try to make these changes via a plugin instead. In fact, you might find there is already a plugin available on wordpress.org/plugins that addresses your needs.

The irony is that a plugin is suggested to fix the problem while advising to disable all plugins to fix the problem. :-) However, I have a stripped-down site that I always use to test first. The Media availability problem doesn't exist after changing "read" to "manage_options", so if someone decides to access the directory, the only things that will be shown are the Site Name and Edit Profile options.

Now the issue is that a verified plugin is causing the vulnerability. Unless a plugin is marked as "Compatible" and verified by WP, I don't install it. And if software isn't maintained or becomes incompatible, I remove the plugin.

It's not a big deal for me because, with folder permissions, the user won't be able to see anything except 403 denied/unauthorized. But for others, who knows what the results will be.

> Regarding the issue you're reporting, I've tested this with a brand new installation of WordPress and a user with the Subscriber level role cannot access the media library. You may have introduced some code on your site which allows this (for example by modifying or granting the upload_files user capability), or you may have a plugin or theme on your site which is enabling this.

> Your best bet is to try deactivating any plugins you've installed, and try reverting the changes you've made to WordPress core files.

Again, with just the latest version of WordPress, I can access the wp-admin directory manually; however, the Media option isn't available, so changing "read" to "manage_options" actually isn't the problem.

What I will do in the same stripped-down environment: add the same plugins one by one, which are only a few, and see which compatible-labeled plugin exposes private information, as that plugin shouldn't be marked "Compatible with WordPress" (tested).

Then keep scrolling through the compatible "hide toolbar plugins", some of which have gawd-awful interface options and are riddled with "advertising promotions", which led me to simply change "read" to "manage_options".

Thanks

> I'll close this ticket as this isn't an issue in core WordPress.
>
> John

Last edited 3 years ago by tamramc