query.php mistakenly uses is_admin() to check for admin privileges
Reported by: pishmishy
Owned by: pishmishy
Component: Security
Keywords: query is_admin has-patch dev-feedback
Description (last modified by lloydbudd)
- Create a draft post
- Log out
- Visit http://yourblog.com/index.php/wp-admin/
- is_admin() spots the wp-admin in the request and returns true
- query.php uses is_admin() to decide to return future, draft or pending posts
- Future, draft and pending posts are displayed.
This doesn't require the ' in the request string as reported on Bugtraq.
12/22 additional disclosure, with trivial, popular example: http://www.blackhatdomainer.com/how-to-know-today-what-shoemoney-is-going-to-post-tomorrow/
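The flaw in the steps above is an authorization decision keyed on the request path rather than on who is making the request. The following is an added, constructed PHP illustration (not WordPress's own code and not the patch attached to this ticket): `is_admin_by_path()` stands in for the path-sniffing behaviour the ticket describes, `can_view_unpublished()` is an assumed replacement that looks only at the requester's capabilities, and the `$posts` array and the `edit_posts` capability name are constructed sample data. Running it shows the logged-out `/index.php/wp-admin/` request unlocking draft, future and pending posts under the path-based check, and only published posts under the capability-based one, while a user holding the capability keeps access regardless of the URL.

```php
<?php
// Constructed example; not WordPress code. Models the query.php flaw:
// unpublished posts were unlocked by a predicate that inspected the URL.

// Stand-in for the behaviour described in the ticket: "is admin" is true
// whenever the request contains "wp-admin". A logged-out visitor controls
// the request path, so this is not an authorization check at all.
function is_admin_by_path(string $requestUri): bool {
    return strpos($requestUri, 'wp-admin') !== false;
}

// Assumed hardened predicate: the decision depends only on the
// authenticated principal. $user is null for an anonymous visitor;
// otherwise an array with a 'caps' list (constructed stand-in for a
// real user object). The request URI is deliberately not a parameter.
function can_view_unpublished(?array $user): bool {
    return $user !== null && in_array('edit_posts', $user['caps'], true);
}

// Builds the allowed post_status set for a query. Both variants share
// this; only the predicate feeding $privileged differs.
function status_filter(bool $privileged): array {
    $statuses = ['publish'];
    if ($privileged) {
        $statuses = array_merge($statuses, ['future', 'draft', 'pending']);
    }
    return $statuses;
}

// Applies the status filter to a constructed in-memory posts table.
function select_posts(array $posts, array $allowedStatuses): array {
    return array_values(array_filter(
        $posts,
        fn(array $p) => in_array($p['post_status'], $allowedStatuses, true)
    ));
}

// Constructed sample data: one public post and two that must stay hidden
// from anonymous visitors.
$posts = [
    ['title' => 'Released', 'post_status' => 'publish'],
    ['title' => 'Tomorrow', 'post_status' => 'future'],
    ['title' => 'WIP',      'post_status' => 'draft'],
];

// Scenario from the ticket: logged out, request path contains wp-admin.
$anonymous = null;
$uri = '/index.php/wp-admin/';

$vulnerable = select_posts($posts, status_filter(is_admin_by_path($uri)));
$hardened   = select_posts($posts, status_filter(can_view_unpublished($anonymous)));

printf("path-based check returns %d posts for an anonymous visitor\n", count($vulnerable));
printf("capability check returns %d posts for an anonymous visitor\n", count($hardened));

// A user who actually holds the capability keeps access; the URL is irrelevant.
$editor = ['caps' => ['edit_posts']];
$editorView = select_posts($posts, status_filter(can_view_unpublished($editor)));
printf("capability check returns %d posts for an editor\n", count($editorView));
```

The design point is that the privileged branch must be reachable only through a predicate whose inputs the client cannot forge; a request path is client-controlled, a server-side session tied to a capability is not. In a real WordPress query the same separation applies: the status widening in the WHERE clause should be gated on the current user's capabilities, never on whether the request looks like an admin-screen request.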
Change History (20)
comment:15 @markjaquith — 8 years ago
- Resolution fixed deleted
- Status changed from closed to reopened