Date: 18 Dec 2007 02:16:01 -0000
Subject: Re: Wordpress - Broken Access Control

Hi all,

Apparently there is some disagreement about this issue. I am providing more information to build a greater understanding about what is happening. 

This problem is entirely contained within the query.php file. At the comment header of query.php it says: "The Big Query." Yes indeed, this file produces a large query. This file is very disorganized and it was difficult to go through with a fine-tooth comb, but I did and I found a flaw because of it. I was looking for SQL Injection, but broken access control will get me a CVE number.

Perhaps this URL provides more information:
I urge everyone to make this GET request and to print the $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] variables.
You will see that wp-admin/ is at the end of these variables.

I should have provided the exact point in which the flawed query is being built.  I thought that my PoC was enough, my bad.
            if ( is_admin() )
                $where .= " OR post_status = 'future' OR post_status = 'draft' OR post_status = 'pending'";

This URL:   htttp://localhost/wordpress/index.php/'wp-admin/ will cause the is_admin() function to return TRUE.
function is_admin () {
    global $wp_query;

    return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
}

In the future you shouldn't attack someone who is trying to help. This is a complex and irregular issue so I totally understand why it was difficult to see. In the future you shouldn't dismiss something you do not understand; instead I urge you to ask questions and learn more.
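
A log check for the request shape described in the message above, as an added example that is not part of the original post or of WordPress: it flags requests where the quoted stripos() test on REQUEST_URI would pass although the path is not under the admin directory. The /wordpress/ install prefix, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumption: WordPress is installed under this URL prefix (as in the post's URL).
WP_BASE = "/wordpress/"
NEEDLE = "wp-admin/"

# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def uri_check_true(target: str) -> bool:
    """Mirror of the quoted check: case-insensitive substring match on the raw URI."""
    return NEEDLE in target.lower()

def is_real_admin_path(target: str) -> bool:
    """True when the path (query string removed) starts with the wp-admin prefix."""
    path = target.split("?", 1)[0]
    return path.lower().startswith(WP_BASE + NEEDLE)

def suspicious_requests(log_lines):
    """Targets where the substring check passes but the path is not an admin path."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed line, nothing to evaluate
        target = m.group("target")
        if uri_check_true(target) and not is_real_admin_path(target):
            hits.append(target)
    return hits

# Constructed sample log lines (addresses from the documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Dec/2007:02:10:01 +0000] "GET /wordpress/index.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [18/Dec/2007:02:10:05 +0000] "GET /wordpress/wp-admin/edit.php HTTP/1.1" 302 0',
    '192.0.2.10 - - [18/Dec/2007:02:10:09 +0000] "GET /wordpress/wp-admin/post.php?action=edit&post=3 HTTP/1.1" 200 7340',
    "192.0.2.77 - - [18/Dec/2007:02:11:40 +0000] \"GET /wordpress/index.php/'wp-admin/ HTTP/1.1\" 200 9876",
    'garbage line without a request field',
]

if __name__ == "__main__":
    for t in suspicious_requests(SAMPLE_LOG):
        print("review:", t)
```

The match is done on the raw, undecoded request target because that is what the quoted PHP check sees in $_SERVER['REQUEST_URI'].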

