[wp-hackers] PCI Compliance and Wordpress 2.9.2

Katrina Tustin Katrina at JStreetTech.com
Wed May 19 19:53:40 UTC 2010

Thanks Andrew.  Unfortunately Security Metrics says different.  Do you know where I could find documentation that would back up your statement so I could direct SM to it?

Katrina Tustin

J Street Technology, Inc.

425-869-0797 x 104


-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Andrew Nacin
Sent: Wednesday, May 19, 2010 12:53 PM
To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] PCI Compliance and Wordpress 2.9.2

On Wed, May 19, 2010 at 3:23 PM, Katrina Tustin <Katrina at jstreettech.com>wrote:

> I am hoping that someone can help us.  We have an e-commerce site as well

> as a WordPress blog.  We have been unsuccessful in passing PCI compliance

> due to a security issue with the blog.  This is the error that is received

> from Security Metrics.  We are running 2.9.2.  Any help would be

> appreciated.


> Synopsis : The remote web server contains a PHP application that is

> affected by an information disclosure issue. Description : The version of

> WordPress on the remote host does not properly check for administrative

> credentials in the 'is_admin()' function in 'wp-includes/query.php'. Using a

> specially-crafted URL that contains the string 'wp-admin/', an attacker may

> be able to leverage this issue to view posts for which the status is

> classified as 'future', 'draft', or 'pending', which would otherwise be

> available only to authenticated users. See also :

> http://www.securityfocus.com/archive/1/4 85160/30/0/threaded<

> http://www.securityfocus.com/archive/1/485160/30/0/threaded>

> http://trac.wordpress.org/ticket/5487 Solution: Unknown at this time. Risk

> Factor: Medium  / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

> BID : 26885 Other references : OSVDB:39518, Secunia:28130 [More]


Hi Katrina,

The code cited in the vulnerability report is more than two years old and

was changed in 2.3.2. is_admin() has nothing to do with administrative

credentials, only whether we're in the administrative area. It is set by a

constant defined in the admin.php bootstrap and no longer relies on the URL.

The warning is thus outdated for any WordPress versions released since

January 2008.


wp-hackers mailing list

wp-hackers at lists.automattic.com


More information about the wp-hackers mailing list