[wp-hackers] BugTraq post
Bull3t
bull3t at ntlworld.com
Tue Dec 18 20:10:16 GMT 2007
I can't reproduce it either; I'm not really sure how the single quote in the
URL helps at all, though. Also, in the BugTraq post he put 3 t's in the
http... So I ignored the single quote as a mistake as well. Meh, Aaron could
be correct; maybe he is smoking something...
--------------------------------------------
Bull3t
http://www.bull3t.me.uk/
> -----Original Message-----
> From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
> bounces at lists.automattic.com] On Behalf Of Otto
> Sent: 18 December 2007 03:57
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] BugTraq post
>
> He emailed me with more information on this. I think I see what he's
> talking about, although I still can't reproduce it.
>
> Create a blank blog with default permalinks.
> Create a draft post.
>
> Go to http://example.com/wp/'wp-admin/ . The single quote there is
> intentional.
>
> The existence of "wp-admin/" in the URL triggers is_admin() to return true.
> And this code in query.php:
>
>     elseif ( !$this->is_singular ) {
>         $where .= " AND (post_status = 'publish'";
>
>         if ( is_admin() )
>             $where .= " OR post_status = 'future' OR post_status = 'draft' OR post_status = 'pending'";
>
>         if ( is_user_logged_in() ) {
>             $where .= current_user_can( "read_private_{$post_type}s" ) ? " OR post_status = 'private'" : " OR post_author = $user_ID AND post_status = 'private'";
>         }
>
>         $where .= ')';
>     }
>
> Causes it to display the drafts when the user is not logged in.
>
> I think that's what he's saying. I can't get it to work on my testbed
> yet, but he insists that it does.
>
> -Otto
>
>
>
> On 12/16/07, Otto <otto at ottodestruct.com> wrote:
> > He's severely confused about what the is_admin() function does. As we
> > know, is_admin() returns true when you're looking at any of the admin
> > pages.
> >
> > He seems to think that it's supposed to tell whether the user is an
> > admin or not, which is not the case.
> >
> > Anyway, his "flaw" does not work.
> >
> > -Otto
> >
> > On 12/15/07, Aaron Brazell <emmensetech at gmail.com> wrote:
> > > Matt-
> > >
> > > I saw that earlier today and I agree... if the cookie isn't set,
> > > wp-admin will redirect to wp-login.php. And if he is able to access
> > > wp-admin (say with open registration, which is legit), what he can view
> > > is going to be subject to a cap check. Either he's smoking something
> > > or he hasn't provided all the info.
> > >
> > > My take.
> > > --
> > > Aaron Brazell
> > > Director of Technology, b5media
> > >
> > > skype: technosailor
> > > phone: 410-608-6620
> > > web: http://technosailor.com
> > >
> > > Everything contained in this email is confidential and stuff
> > >
> > > On Dec 15, 2007, at 9:25 PM, Matt Mullenweg wrote:
> > >
> > > > Is anyone able to use this to read drafts? This guy seems confused.
> > > >
> > > > http://www.securityfocus.com/archive/1/485160/30/0/threaded
> > > >
> > > > --
> > > > Matt Mullenweg
> > > > http://photomatt.net | http://wordpress.org
> > > > http://automattic.com | http://akismet.com
> > > > _______________________________________________
> > > > wp-hackers mailing list
> > > > wp-hackers at lists.automattic.com
> > > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > >
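The thread turns on one security-relevant point: the query code Otto quotes widens the visible post_status set on the strength of is_admin(), which (as he describes) answers "does the request look like an admin screen?" from the URL, not "is this user allowed to read drafts?". The following is an added example, not code from the wp-hackers thread or from WordPress itself. It models that WHERE-clause construction outside WordPress so the effect can be seen with the URL from Otto's message, and places a hardened form beside it. Assumptions, not taken from the page: is_admin_by_uri() is a simplified stand-in for the request-URI check; build_status_where() and build_status_where_hardened() are names invented here; capabilities are passed in as plain booleans; the mapping of non-public statuses to "own posts" versus "all posts" is a policy choice made for the example.

```php
<?php
// Added example, not code from the wp-hackers thread or from WordPress.
// Models the post_status WHERE clause quoted from query.php so the effect
// of a URL-derived is_admin() is visible without a WordPress install.
// Assumptions (not from the page): is_admin_by_uri() is a simplified
// stand-in for the request-URI check; the build_* function names are
// invented here; capabilities are plain booleans supplied by the caller.

// Stand-in for a context check that answers "is this an admin screen?"
// by inspecting the request URI. "/wp/'wp-admin/" satisfies it although it
// is not an admin screen, and the answer says nothing about who is asking.
function is_admin_by_uri(string $request_uri): bool
{
    return stripos($request_uri, 'wp-admin/') !== false;
}

// Vulnerable shape: non-public statuses are added because of where the
// request appears to come from, so an anonymous visitor is handed drafts
// simply by placing "wp-admin/" somewhere in the URL.
function build_status_where(string $request_uri, bool $logged_in,
                            bool $can_read_private, int $user_id): string
{
    $where = " AND (post_status = 'publish'";
    if (is_admin_by_uri($request_uri)) {
        $where .= " OR post_status = 'future' OR post_status = 'draft'"
                . " OR post_status = 'pending'";
    }
    if ($logged_in) {
        $where .= $can_read_private
            ? " OR post_status = 'private'"
            : " OR (post_author = $user_id AND post_status = 'private')";
    }
    return $where . ')';
}

// Hardened shape: request context never widens the result set; only a
// capability does. An anonymous visitor holds no capability, so the URL
// is irrelevant and is not even consulted. Authors keep their own drafts;
// only someone who may edit others' posts sees everyone's.
// (That status-to-capability mapping is a choice made for this example.)
function build_status_where_hardened(bool $logged_in, bool $can_edit_others_posts,
                                     bool $can_read_private, int $user_id): string
{
    $unpublished = "post_status IN ('future', 'draft', 'pending')";
    $where = " AND (post_status = 'publish'";
    if ($logged_in) {
        $where .= $can_edit_others_posts
            ? " OR $unpublished"
            : " OR (post_author = $user_id AND $unpublished)";
        $where .= $can_read_private
            ? " OR post_status = 'private'"
            : " OR (post_author = $user_id AND post_status = 'private')";
    }
    return $where . ')';
}

// Anonymous request (not logged in, no capabilities) using the URL from
// Otto's message. The vulnerable clause admits draft/pending/future rows;
// the hardened clause admits only published rows.
$uri = "/wp/'wp-admin/";
echo "vulnerable: " . build_status_where($uri, false, false, 0) . PHP_EOL;
echo "hardened:   " . build_status_where_hardened(false, false, false, 0) . PHP_EOL;
```

The check a practitioner wants from this is simple: any branch that adds non-public rows to a query must be guarded by a capability test on the current user (in WordPress terms, current_user_can()), never by a test on the request path or screen, because the latter is attacker-controlled and a 404 on a malformed path does not stop the main query from running.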