
Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#5070 closed defect (bug) (invalid)

Unauthorized administrator registration

Reported by: Emu
Owned by:
Milestone:
Priority: highest omg bbq
Severity: critical
Version: 2.2.3
Component: Security
Keywords:
Focuses:
Cc:

Description

Hello.

About a month ago I found among my registered users one that had admin rights. I removed his rights and scheduled the investigation of the problem for "tomorrow". Today I found another co-administrator in my user list. I tried to investigate the problem, but I couldn't find a way to reproduce the issue. The access log was not enough.

My blog is currently on WordPress version 2.2.3.

I can post the access log records for that user if it helps.

I think this is very dangerous, so I'll set the priority to "highest omg bbq".

Regards, Emu

P.S. The problem may be in one of my installed plugins, so I'll continue investigating.
P.P.S. Sorry for my bad English. I hope you understand me.

Change History (5)

comment:1 DD32, 7 years ago

Is this blog hosted on a shared host?

Without some form of logs it's impossible to tell what has happened (as I'm not aware of any security issues like that in 2.2.3).

re: Access logs: Look for anything that is accessing a plugin file directly (i.e. /wp-content/plugins/plugin.php) or anything that has a long request string (i.e. something.php?blahblahblahblahblah).

comment:2 Emu, 7 years ago

The records in the access log are:

203.223.153.105 - - [24/Sep/2007:08:07:57 +0300] "GET http://blog.mysite.net/wp-admin/post.php?action=edit HTTP/1.0" 302 0 "http://blog.mysite.net/wp-admin/post.php?action=edit&" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8) Gecko/20051111 Firefox/1.5"
203.223.153.105 - - [24/Sep/2007:08:08:00 +0300] "GET http://blog.mysite.net/wp-login.php?redirect_to=%252Fwp-admin%252Fpost.php%253Faction%253Dedit HTTP/1.0" 200 1893 "http://blog.mysite.net/wp-login.php?redirect_to=%252Fwp-admin%252Fpost.php%253Faction%253Dedit" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8) Gecko/20051111 Firefox/1.5"
203.223.153.105 - - [24/Sep/2007:08:08:02 +0300] "GET http://blog.mysite.net/wp-login.php?action=register HTTP/1.0" 200 1814 "http://blog.mysite.net/wp-login.php?action=register" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8) Gecko/20051111 Firefox/1.5"
203.223.153.105 - - [24/Sep/2007:08:08:05 +0300] "POST http://blog.mysite.net/wp-login.php?action=register HTTP/1.0" 302 0 "http://blog.mysite.net/wp-login.php?action=register" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8) Gecko/20051111 Firefox/1.5"
203.223.153.105 - - [24/Sep/2007:08:08:09 +0300] "GET http://blog.mysite.net/wp-login.php?checkemail=registered HTTP/1.0" 200 1950 "http://blog.mysite.net/wp-login.php?checkemail=registered" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8) Gecko/20051111 Firefox/1.5"
203.223.153.105 - - [24/Sep/2007:08:08:11 +0300] "GET http://blog.mysite.net/wp-login.php?redirect_to=%252Fwp-admin%252Fpost.php%253Faction%253Dedit HTTP/1.0" 200 1893 "http://blog.mysite.net/wp-login.php?redirect_to=%252Fwp-admin%252Fpost.php%253Faction%253Dedit" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8) Gecko/20051111 Firefox/1.5"
203.223.153.105 - - [24/Sep/2007:08:08:14 +0300] "GET http://blog.mysite.net/wp-login.php?redirect_to=%252Fwp-admin%252Fpost.php%253Faction%253Dedit HTTP/1.0" 200 1893 "http://blog.mysite.net/wp-login.php?redirect_to=%252Fwp-admin%252Fpost.php%253Faction%253Dedit" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8) Gecko/20051111 Firefox/1.5"

I replaced my blog's hostname with "blog.mysite.net". That's all from that IP address. It looks like a normal registration with redirects from the WordPress engine, but I'm sure that it is not.

There are no "/wp-content/plugins/plugin.php" hits since at least 22.09.2007 (I have older logs in .gz archives and could check them).

Hope that helps.

Regards, Emu
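As an added example (not part of this ticket or of WordPress itself), a small Python scanner that applies the two checks DD32 suggests in comment:1 (direct hits on plugin files and overlong request strings) and also picks out the wp-login.php registration sequence visible in the log excerpt above. The sample lines, IP addresses and hostname are constructed placeholders modelled on the ticket's excerpt, which logs absolute request URLs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (placeholder IPs/host, modelled on the ticket's
# excerpt). The last query string is padded to look overlong.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Sep/2007:08:08:02 +0300] "GET http://blog.example/wp-login.php?action=register HTTP/1.0" 200 1814 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Sep/2007:08:08:05 +0300] "POST http://blog.example/wp-login.php?action=register HTTP/1.0" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Sep/2007:08:08:09 +0300] "GET http://blog.example/wp-login.php?checkemail=registered HTTP/1.0" 200 1950 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Sep/2007:09:00:00 +0300] "GET http://blog.example/wp-content/plugins/demo/demo.php HTTP/1.0" 200 12 "-" "curl/7.0"
198.51.100.7 - - [24/Sep/2007:09:00:01 +0300] "GET http://blog.example/index.php?s=%s HTTP/1.0" 200 12 "-" "curl/7.0"
192.0.2.9 - - [24/Sep/2007:10:00:00 +0300] "GET http://blog.example/2007/09/hello/ HTTP/1.0" 200 5000 "-" "Mozilla/5.0"
""" % ("A" * 150)

# Apache combined format: ip ident user [timestamp] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access-log line; returns a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])  # works for both "http://host/p?q" and "/p?q"
    rec["path"], rec["query"] = parts.path, parts.query
    return rec

def classify(rec, max_query_len=100):
    """Label one request with the patterns DD32 and the ticket's log point to."""
    labels = []
    qs = parse_qs(rec["query"])
    if rec["path"].endswith("/wp-login.php"):
        if "register" in qs.get("action", []):
            labels.append("register_" + rec["method"].lower())  # register_get / register_post
        if "registered" in qs.get("checkemail", []):
            labels.append("register_done")  # WordPress's post-registration redirect target
    if rec["path"].startswith("/wp-content/plugins/") and rec["path"].endswith(".php"):
        labels.append("direct_plugin_file")  # plugin file requested outside WordPress
    if len(rec["query"]) > max_query_len:
        labels.append("long_query")  # unusually long request string
    return labels

def scan_log(text, max_query_len=100):
    """Return {ip: [(timestamp, path, labels), ...]} for flagged requests only."""
    hits = {}
    for line in text.splitlines():
        rec = parse_line(line)
        labels = classify(rec, max_query_len) if rec else []
        if labels:
            hits.setdefault(rec["ip"], []).append((rec["ts"], rec["path"], labels))
    return hits
```

Grouping the flagged requests by IP, as `scan_log` does, is what makes a registration sequence like the one in the excerpt stand out from ordinary traffic; the same grouping is also where a request for an admin-only page immediately after `register_done` would show up.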

comment:3 Emu, 7 years ago

Oops. I forgot to answer "Is this blog hosted on a shared host?".

Yes. My blog is hosted on shared hosting, but I don't think that is a weak point. It is well administered and secured, and if the question is whether anybody hosted on the same host could access my database or files, the answer is probably no.

Regards, Emu

comment:4 Nazgul, 7 years ago

  • Milestone 2.5 deleted
  • Resolution set to invalid
  • Status changed from new to closed

I'm afraid there's not enough info for us to do anything with it, especially because you're the only one experiencing this issue.

I'm closing as invalid for now. Feel free to re-open if you have additional information.

comment:5 JeremyVisser, 7 years ago

Also, there is a setting somewhere where you can set the default role for new users. From memory, it's not possible to set this to 'Administrator', but check that regardless. If you have registration open, turn it off.
