[wp-hackers] BugTraq post

John Blackbourn johnbillion+wp at gmail.com
Wed Dec 19 18:18:09 GMT 2007


http://trac.wordpress.org/ticket/5487

On Dec 19, 2007 3:27 PM, James Davis <james at freecharity.org.uk> wrote:
> Bull3t wrote:
> > I can't reproduce it either - not really sure how the single quote in the
> > URL helps at all though? Also, on the BugTraq post he put 3 t's in the
> > http... So I ignored the single quote as a mistake as well. Meh, Aaron could
> > be correct; maybe he is smoking something...
>
> After his clarifying post I can reproduce this. Create a draft post. Log
> out.
>
> Visit http://yourblog.com/index.php/'wp-admin/ and the draft will be
> displayed because query.php mistakenly uses is_admin() on line 1172 to
> check if the user is an administrator.
>
> I'll open a ticket shortly after I've made myself a coffee =)
>
> James
>
> --
> http://www.freecharity.org.uk/ - Free IT services for charities
> http://www.freecharity.org.uk/wiki/ - The VCSWiki
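A simplified model of the confusion behind this bug, added here as an example (not WordPress code and not from the thread): a request-context test of the kind is_admin() performs versus a user-capability test, with illustrative function names that are assumptions rather than WordPress internals.

```php
<?php
// Added example, not WordPress code. is_admin() answers "does this request
// look like an admin-screen request?" (modelled here as: does the path contain
// 'wp-admin/'); it says nothing about who is logged in or what they may do.
// request_looks_like_admin(), user_can() and status_clause() are illustrative.

// Request-context check: true for any URL whose path contains 'wp-admin/',
// including a front-end URL that merely carries that string in PATH_INFO.
function request_looks_like_admin(string $request_uri): bool {
    return strpos($request_uri, 'wp-admin/') !== false;
}

// Capability check: true only when the current user actually holds the right.
function user_can(?array $user, string $cap): bool {
    return $user !== null && in_array($cap, $user['caps'], true);
}

// Build the post_status clause of a listing query.
// $use_context_check = true reproduces the faulty pattern (status gated on the
// request context); false gates it on the viewer's capability instead.
function status_clause(string $request_uri, ?array $user, bool $use_context_check): string {
    $allowed = $use_context_check
        ? request_looks_like_admin($request_uri)
        : user_can($user, 'edit_posts');
    return $allowed
        ? "post_status IN ('publish', 'draft')"
        : "post_status = 'publish'";
}

// Constructed inputs: an anonymous visitor, a logged-in editor, the URL
// shape from the thread and a plain front-end URL.
$anonymous = null;
$editor    = ['caps' => ['edit_posts']];
$crafted   = "/index.php/'wp-admin/";
$front     = "/index.php";

// Faulty pattern: authorization derived from the request context.
echo "context-gated, anonymous, crafted URL: " . status_clause($crafted, $anonymous, true) . "\n";
// Hardened pattern: authorization derived from the viewer's capability,
// so the URL shape no longer matters for a logged-out visitor.
echo "capability-gated, anonymous, crafted URL: " . status_clause($crafted, $anonymous, false) . "\n";
// A logged-in editor is granted drafts on any URL under the hardened pattern.
echo "capability-gated, editor, front-end URL: " . status_clause($front, $editor, false) . "\n";
```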