[wp-trac] [WordPress Trac] #10310: add_menu_page Security Bug

WordPress Trac wp-trac at lists.automattic.com
Tue Jun 30 16:32:34 GMT 2009


#10310: add_menu_page Security Bug
----------------------------------+-----------------------------------------
 Reporter:  shazahm1@…            |       Owner:  ryan      
     Type:  defect (bug)          |      Status:  new       
 Priority:  normal                |   Milestone:  Unassigned
Component:  Menus                 |     Version:  2.8       
 Severity:  major                 |    Keywords:            
----------------------------------+-----------------------------------------
 I think there is a security issue with the add_menu_page() function. I'm
 a noob and might be doing something wrong, but I was able to duplicate it
 with the sample code from the Codex.


 {{{
 <?php
 /*
 Plugin Name: Menu Test
 Plugin URI: http://wordpress.org
 Description: Menu Test
 Author: Nobody
 Author URI: http://example.com
 */

 // Hook for adding admin menus
 add_action('admin_menu', 'mt_add_pages');

 // action function for above hook
 function mt_add_pages() {
     // Add a new submenu under Options:
     add_options_page('Test Options', 'Test Options', 8, 'testoptions', 'mt_options_page');

     // Add a new submenu under Manage:
     add_management_page('Test Manage', 'Test Manage', 8, 'testmanage', 'mt_manage_page');

     // Add a new top-level menu (ill-advised):
     add_menu_page('Test Toplevel', 'Test Toplevel', 8, __FILE__, 'mt_toplevel_page');

     // Add a submenu to the custom top-level menu:
     add_submenu_page(__FILE__, 'Test Sublevel', 'Test Sublevel', 8, 'sub-page', 'mt_sublevel_page');

     // Add a second submenu to the custom top-level menu:
     add_submenu_page(__FILE__, 'Test Sublevel 2', 'Test Sublevel 2', 8, 'sub-page2', 'mt_sublevel_page2');
 }

 // mt_options_page() displays the page content for the Test Options
 // submenu
 function mt_options_page() {
     echo "<h2>Test Options</h2>";
 }

 // mt_manage_page() displays the page content for the Test Manage submenu
 function mt_manage_page() {
     echo "<h2>Test Manage</h2>";
 }

 // mt_toplevel_page() displays the page content for the custom Test
 // Toplevel menu
 function mt_toplevel_page() {
     echo "<h2>Test Toplevel</h2>";
 }

 // mt_sublevel_page() displays the page content for the first submenu
 // of the custom Test Toplevel menu
 function mt_sublevel_page() {
     echo "<h2>Test Sublevel</h2>";
 }

 // mt_sublevel_page2() displays the page content for the second submenu
 // of the custom Test Toplevel menu
 function mt_sublevel_page2() {
     echo "<h2>Test Sublevel 2</h2>";
 }

 ?>

 }}}


 Let's say a user is logged in as a subscriber and types in the query
 string to access the top level menu '''?page=menu_test.php'''. The page
 will be displayed even though only admins should see the page, as set in
 the parameter passed to add_menu_page. However, typing in the query string
 for the subpages is blocked as expected. I've also attached my code that
 shows the same problem.
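 A defence-in-depth pattern for the callback side, added here as an example
 and not the reporter's code nor WordPress core: the page callback re-checks
 the capability itself, so a menu page is denied even if the check done at
 registration time is bypassed. The slug 'mt-toplevel' and the function
 names are assumptions; 'manage_options' is used in place of the deprecated
 numeric level 8.

```php
<?php
/*
Plugin Name: Menu Test (hardened callback)
Description: Re-checks the capability inside the page callback.
*/

// Hook for adding admin menus (same hook the reporter's sample uses)
add_action('admin_menu', 'mt_hardened_add_pages');

function mt_hardened_add_pages() {
    // Assumption: a plain slug instead of __FILE__, and a capability string
    // instead of the deprecated numeric user level 8.
    add_menu_page('Test Toplevel', 'Test Toplevel', 'manage_options',
        'mt-toplevel', 'mt_hardened_toplevel_page');
}

function mt_hardened_toplevel_page() {
    // The registration-time capability check is not the only gate:
    // deny here too, so a subscriber reaching ?page=mt-toplevel
    // directly gets an error instead of the page content.
    if (!current_user_can('manage_options')) {
        wp_die(__('You do not have sufficient permissions to access this page.'));
    }
    echo '<h2>Test Toplevel</h2>';
}
```

 The same check belongs in every submenu callback as well, since the
 callback is the last point at which the request can still be refused.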

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10310>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

