BugTraq
Re: Wordpress - Broken Access Control Dec 18 2007 02:16AM
th3 r00k nospam pork gmail com
Hi all,

Apparently there is some disagreement about this issue. I am providing more information to build a greater understanding about what is happening.

This problem is entirely contained within the query.php file. At the comment header of query.php it says: "The Big Query." Yes indeed this file produces a large query. This file is very disorganized and it was difficult to go through with a fine tooth comb, but I did and I found a flaw because of it. I was looking for SQL Injection, but broken access control will get me a CVE number.

Perhaps this URL provides more information:

http://localhost/wordpress/index.php/'wp-admin/

I urge everyone to make this get request and to print the $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] variables.

You will see that wp-admin/ is at the end of these variables.

I should have provided the exact point in which the flawed query is being built. I thought that my PoC was enough, my bad.

// query.php: the admin-only statuses are appended to $where on the strength of is_admin() alone
if ( is_admin() )
    $where .= " OR post_status = 'future' OR post_status = 'draft' OR post_status = 'pending'";

This URL: http://localhost/wordpress/index.php/'wp-admin/ will cause the is_admin() function to return TRUE.

function is_admin () {
    global $wp_query;
    // stripos() is case-insensitive and matches 'wp-admin/' anywhere in the raw REQUEST_URI
    return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
}

In the future you shouldn't attack someone who is trying to help. This is a complex and irregular issue so I totally understand why it was difficult to see. In the future you shouldn't dismiss something you do not understand, instead I urge you to ask questions and learn more.

Peace
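The interaction the post describes, modelled in Python as an added example (this is not WordPress code and not the poster's PoC): vulnerable_is_admin() mirrors the quoted is_admin() substring check, vulnerable_statuses() mirrors the quoted $where branch, and the constructed sample posts show which unpublished rows an anonymous request pulls out when the URI merely contains 'wp-admin/'. The 'publish' baseline for the front-end query, the hardened_statuses() fix (admin context taken from a flag the admin entry point sets, plus a capability check on the user) and the suspicious_admin_uri() log heuristic are my assumptions, not anything the post or WordPress states.

```python
"""Model of the is_admin() check and "The Big Query" branch quoted in the post.
Added illustration, not WordPress code: the Python mirrors the two PHP fragments,
the posts are constructed sample data, and the 'publish' baseline, the hardened
check and the log heuristic are assumptions, not anything the post states."""

from typing import Dict, List

# Statuses the quoted $where fragment appends when is_admin() is true.
ADMIN_ONLY_STATUSES = ("future", "draft", "pending")

# Constructed sample rows standing in for wp_posts.
SAMPLE_POSTS: List[Dict[str, str]] = [
    {"title": "Public announcement", "post_status": "publish"},
    {"title": "Unreleased roadmap", "post_status": "draft"},
    {"title": "Scheduled outage notice", "post_status": "future"},
    {"title": "Guest article awaiting review", "post_status": "pending"},
]


def vulnerable_is_admin(request_uri: str, wp_query_is_admin: bool = False) -> bool:
    """Mirrors the quoted PHP: $wp_query->is_admin ||
    stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false.
    stripos is case-insensitive and matches anywhere, so PATH_INFO or a
    query string containing 'wp-admin/' is enough; the client controls both."""
    return wp_query_is_admin or "wp-admin/" in request_uri.lower()


def vulnerable_statuses(is_admin: bool) -> List[str]:
    """The quoted branch: admin context alone unlocks unpublished posts.
    'publish' as the front-end baseline is an assumption."""
    statuses = ["publish"]
    if is_admin:
        statuses.extend(ADMIN_ONLY_STATUSES)
    return statuses


def hardened_statuses(admin_bootstrap_loaded: bool, user_can_edit_posts: bool) -> List[str]:
    """Assumed fix: admin context comes from a flag the admin entry point sets
    while it runs (never from the URI string), and unpublished posts also
    require an editing capability on the authenticated user."""
    statuses = ["publish"]
    if admin_bootstrap_loaded and user_can_edit_posts:
        statuses.extend(ADMIN_ONLY_STATUSES)
    return statuses


def where_clause(statuses: List[str]) -> str:
    """Render the statuses the way the quoted $where fragment chains them."""
    return " OR ".join(f"post_status = '{s}'" for s in statuses)


def run_big_query(posts: List[Dict[str, str]], statuses: List[str]) -> List[str]:
    """Stand-in for executing the SQL: titles whose status the WHERE admits."""
    return [p["title"] for p in posts if p["post_status"] in statuses]


def visible_titles_vulnerable(request_uri: str) -> List[str]:
    """What an anonymous front-end request sees under the flawed check."""
    return run_big_query(SAMPLE_POSTS, vulnerable_statuses(vulnerable_is_admin(request_uri)))


def visible_titles_hardened(admin_bootstrap_loaded: bool = False,
                            user_can_edit_posts: bool = False) -> List[str]:
    """Same query under the assumed fix; note there is no request_uri parameter."""
    return run_big_query(SAMPLE_POSTS, hardened_statuses(admin_bootstrap_loaded, user_can_edit_posts))


def suspicious_admin_uri(request_uri: str) -> bool:
    """Log-review heuristic (assumption): flag a URI that carries 'wp-admin/'
    anywhere except as a genuine directory segment reached before any script,
    which is how the PoC's index.php/'wp-admin/ and a ?s=wp-admin/ query look."""
    if "wp-admin/" not in request_uri.lower():
        return False
    path, _, query = request_uri.partition("?")
    if "wp-admin/" in query.lower():
        return True
    for segment in (s for s in path.split("/") if s):
        if segment.lower() == "wp-admin":
            return False          # real /wp-admin/ directory reached first
        if segment.lower().endswith(".php"):
            return True           # 'wp-admin/' lives in PATH_INFO after a script
    return True                   # present, but never as a clean directory segment


if __name__ == "__main__":
    poc = "/wordpress/index.php/'wp-admin/"
    print("vulnerable WHERE:", where_clause(vulnerable_statuses(vulnerable_is_admin(poc))))
    print("vulnerable sees: ", visible_titles_vulnerable(poc))
    print("hardened sees:   ", visible_titles_hardened())
    print("suspicious URI:  ", suspicious_admin_uri(poc))
```

The point the model makes explicit is that the leak has two halves: is_admin() trusts a string the client controls, and the query treats "admin context" as sufficient authorization for unpublished content. Fixing only the substring check still leaves visibility tied to location rather than to the user's capability; hardened_statuses() requires both. suspicious_admin_uri() is only a triage aid for access logs; a legitimate /wp-admin/ path never triggers it, while PATH_INFO or query-string smuggling of 'wp-admin/' does.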
