Re: Wordpress - Broken Access Control
On 2007-12-16(Sun) 10:07:29 -0000, otto@ottodestruct.com wrote:
> The is_admin() function is not supposed to tell whether a user is an administrator or not, it tells whether the user is looking at one of the administration pages. As such, this function does exactly what it is supposed to do.
>
> As for the rest, there is no flaw. To view a draft, the user must authenticate and have the correct capability set. There is no way to view drafts without being logged in and having that capability set on the user's role level.
>
> This "vulnerability" is non-existent.
Here I confirm the validity of the vulnerability:

Machine: Windows 2000 SP4, Apache 2.2.4, MySQL 5.0.45
WordPress versions tested: 2.2.0, 2.2.3, 2.3.1

Every time the URL http://localhost/wordpress/index.php/wp-admin/ is
used and the user is NOT logged in, draft posts are indeed shown in
each WordPress version.

And according to the WordPress bug report, a patch was applied on
the 19th to address the problem.
Abel
-- 
Abel Cheung (GPG Key: 0xC67186FF)
Key fingerprint: 671C C7AE EFB5 110C D6D1 41EE 4152 E1F1 C671 86FF
--------------------------------------------------------------------
* My blog - http://me.abelcheung.org/
* Opensource Application Knowledge Assoc. - http://oaka.org/
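The two positions in this exchange differ on what should gate draft visibility: a flag derived from the request path, or the requesting user's authentication and capability. The following is an added example, not code from this mail or from WordPress, that models both decisions side by side and runs Abel's probe (an unauthenticated request whose path contains wp-admin/ but which is served by the public front page) against each. The request and user models, the capability string "edit_posts", the admin_script flag standing in for a marker set by a real admin script, and the sample posts are all assumptions made for the illustration.

```python
# Added example (not from the original mail or from WordPress): contrasts
# draft visibility keyed on a path-derived "admin" flag with draft visibility
# keyed on authentication plus capability. All names and data are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    uri: str            # raw request path as the web server reports it
    admin_script: bool  # True only when a real wp-admin/ script is executing


@dataclass(frozen=True)
class User:
    logged_in: bool = False
    capabilities: frozenset = frozenset()


ANONYMOUS = User()
EDITOR = User(logged_in=True, capabilities=frozenset({"edit_posts"}))  # assumed cap

# Constructed sample data standing in for the posts table.
POSTS = [
    {"id": 1, "title": "Hello world", "status": "publish"},
    {"id": 2, "title": "Unreleased announcement", "status": "draft"},
    {"id": 3, "title": "Scheduled post", "status": "future"},
]


def is_admin_by_path(req: Request) -> bool:
    """Substring test on the path. It also matches /index.php/wp-admin/,
    where the trailing path info is handed to the public front page and
    no admin script ever runs."""
    return "wp-admin/" in req.uri


def visible_statuses_vulnerable(req: Request, user: User) -> set:
    """Draft visibility keyed on the path-derived flag; the user is ignored."""
    statuses = {"publish"}
    if is_admin_by_path(req):
        statuses.add("draft")
    return statuses


def visible_statuses_fixed(req: Request, user: User) -> set:
    """Draft visibility keyed on the principal. The admin context comes
    from the executing admin script, not from the URI, and even there
    drafts require a logged-in user holding the capability."""
    statuses = {"publish"}
    if req.admin_script and user.logged_in and "edit_posts" in user.capabilities:
        statuses.add("draft")
    return statuses


def list_posts(req: Request, user: User, policy) -> list:
    """Return the ids of POSTS the given policy allows this request to see."""
    allowed = policy(req, user)
    return [p["id"] for p in POSTS if p["status"] in allowed]


def demo() -> dict:
    # Abel's probe: unauthenticated, path-info suffix on the front page.
    probe = Request(uri="/wordpress/index.php/wp-admin/", admin_script=False)
    # A genuine admin page request, for comparison.
    admin = Request(uri="/wordpress/wp-admin/edit.php", admin_script=True)
    return {
        "vuln_anon_probe": list_posts(probe, ANONYMOUS, visible_statuses_vulnerable),
        "fixed_anon_probe": list_posts(probe, ANONYMOUS, visible_statuses_fixed),
        "fixed_anon_admin": list_posts(admin, ANONYMOUS, visible_statuses_fixed),
        "fixed_editor_admin": list_posts(admin, EDITOR, visible_statuses_fixed),
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name}: {ids}")
```

Under the path-keyed policy the anonymous probe lists the draft (post 2) because "wp-admin/" appears in the URI; under the principal-keyed policy the same probe, and even an anonymous hit on a real admin script, lists only published posts, while a logged-in user with the capability still sees drafts in the admin context. The practical check when auditing similar code is to ask whether any authorisation branch is reachable from attacker-controlled request strings alone.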
Thread (messages with the same subject)
Full thread (this is message 4 of 5):