#5487 closed defect (bug) (fixed)
query.php mistakenly uses is_admin() to check for admin privileges
Reported by: | pishmishy | Owned by: | pishmishy |
---|---|---|---|
Milestone: | 2.3.2 | Priority: | high |
Severity: | major | Version: | 2.3.1 |
Component: | Security | Keywords: | query is_admin has-patch dev-feedback |
Focuses: | Cc: |
Description (last modified by )
- Create a draft post
- Log out
- Visit http://yourblog.com/index.php/wp-admin/
- is_admin() spots the wp-admin in the request and returns true
- query.php uses is_admin() to decide to return future, draft or pending posts
- Future, draft and pending posts are displayed.
This doesn't require the ' in the request string as reported on Bugtraq.
See http://www.securityfocus.com/archive/1/485252/30/0/threaded
12/22 additional disclosure, with trivial, popular example: http://www.blackhatdomainer.com/how-to-know-today-what-shoemoney-is-going-to-post-tomorrow/
Attachments (2)
Change History (20)
#3
@
17 years ago
- Keywords has-patch dev-feedback added
Attached patch replaces is_admin() check with current_user_can('level_10'). Perhaps we could explicitly check the user's capabilities but I wasn't sure from the documentation which capabilities we should be looking at. Instead I've just checked if the user is the administrator or not.
#4
follow-up:
↓ 11
@
17 years ago
What I did (Wordpress 2.3.1):
- Logged into wp-admin with Firefox.
- Created a new post called "DRAFT", with text "DRAFT"
- I saved it (but did not publish it)
- I opened another browser (Opera).
- I tried using the URL you had above (modified for my site) and it does not show me drafts.
- I tried adding the p=<post number> get argument, but I just get a blank page.
I cannot reproduce this problem.
Will the current_user_can() allow the author (possibly a non-admin) to view the draft post that he/she just wrote?
Ciao!
#5
@
17 years ago
We do a current_user_can() check in the block of code already. is_admin() is used to see what context the user is in. Is the user in the admin? I think we need to retain is_admin() and have it check a constant set in admin.php to determine admin context.
#6
@
17 years ago
Hmm, the current_user_can() check is just for private posts. I think we need both an is admin user and is in the admin checks.
#7
@
17 years ago
Actually, edit-pages.php and edit.php filter the results of the is_admin() query. So I think all we need is a proper is_admin() check and not any cap checks.
#8
@
17 years ago
New patch improves is_admin().
Old patch was confused over why is_admin() was used in the first place.
Thanks to Austin Matzko from wp-hackers for the idea.
#11
in reply to:
↑ 4
@
17 years ago
Replying to docwhat:
What I did (Wordpress 2.3.1):
Finally, someone posted what was missing. The unposted drafts have a date of something really old (1969 or 1999). You have to search back into the archive to find it.
Ciao!
See line 1172 of query.php for the misuse of is_admin()