[wp-trac] [WordPress Trac] #11922: Pages Hooked by add_menu_page() Have No Security

WordPress Trac wp-trac at lists.automattic.com
Sat Jan 16 22:42:27 UTC 2010


#11922: Pages Hooked by add_menu_page() Have No Security
-----------------------------+----------------------------------------------
 Reporter:  miqrogroove      |       Owner:  westi    
     Type:  defect (bug)     |      Status:  accepted 
 Priority:  high             |   Milestone:  2.9.2    
Component:  Role/Capability  |     Version:           
 Severity:  critical         |    Keywords:  has-patch
-----------------------------+----------------------------------------------

Comment(by westi):

 Replying to [comment:5 miqrogroove]:
 > At step 2 one of the tests must pass.  So if you changed your first
 submenu $access_level to 'read' then any user would be able to trigger the
 parent hook, even though it's still set to 'manage_options'.  Also test
 the page= query on different php files to see how $pagenow is ignored.

 I have done this and still can't reproduce the issue.

 As far as I can tell this is the same as the third example in my tests but
 you have to be a non-admin to test.

 The test case you have is Parent Menu requires a cap we don't have but
 child requires one we do.

 This is the first piece of code which runs after plugins add menus:
 http://core.trac.wordpress.org/browser/branches/2.9/wp-admin/menu.php#L200

 This strips out Top Level menus which are not accessible and have no
 accessible children.

 So for a Lowest level user this strips out the 2nd and 3rd menus in my
 updated example where I have changed the first submenu to 'read' and
 leaves only the first.

 OK, reading back carefully through the referenced ticket, the missing clue
 is how the page is accessed: index.php rather than admin.php.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11922#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
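The test case westi describes above (a top-level menu requiring 'manage_options' with a submenu requiring only 'read') is the shape a plugin author can still register safely, provided the page callbacks enforce the capability themselves rather than relying on the menu being stripped from the sidebar. The plugin below is an added example written for this page; it is not code from the ticket, from westi, or from WordPress core. The plugin name, the demo_* function names and the slugs 'demo-parent' and 'demo-child' are assumed identifiers; add_menu_page(), add_submenu_page(), add_action(), current_user_can() and wp_die() are the real WordPress APIs.

```php
<?php
/*
Plugin Name: Capability Check Demo
Description: Added example: page callbacks that re-check capabilities (not from the ticket or core).
*/

// Assumed, illustrative names: demo_* functions and the slugs below are not
// identifiers from the ticket or from WordPress core.

function demo_register_menus() {
    // Same shape as the test case in the comment: the parent menu requires a
    // capability a lowest-level user lacks ('manage_options'), while the child
    // requires one every logged-in user has ('read').
    add_menu_page(
        'Demo Parent',          // page title
        'Demo Parent',          // menu title
        'manage_options',       // capability shown in the menu
        'demo-parent',          // menu slug (assumed)
        'demo_parent_page'      // callback
    );
    add_submenu_page(
        'demo-parent',          // parent slug
        'Demo Child',
        'Demo Child',
        'read',
        'demo-child',           // submenu slug (assumed)
        'demo_child_page'
    );
}
add_action( 'admin_menu', 'demo_register_menus' );

// Enforce the capability inside the callback. The menu filter in
// wp-admin/menu.php only decides what is *displayed*; this check runs in the
// callback itself, so it applies no matter which admin file dispatched the
// request (admin.php?page=... or index.php?page=...).
function demo_require_cap( $cap ) {
    if ( ! current_user_can( $cap ) ) {
        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
    }
}

function demo_parent_page() {
    demo_require_cap( 'manage_options' );
    echo '<div class="wrap"><h2>Demo Parent</h2>';
    echo '<p>Only users with manage_options reach this line.</p></div>';
}

function demo_child_page() {
    demo_require_cap( 'read' );
    echo '<div class="wrap"><h2>Demo Child</h2>';
    echo '<p>Any logged-in user may reach this page.</p></div>';
}
```

To exercise it the way the comment suggests, log in as a Subscriber and request the parent slug through both admin.php?page=demo-parent and index.php?page=demo-parent: with the check in the callback the Subscriber is stopped by wp_die() on both paths, whereas a callback that trusts the menu capability alone is only as safe as the dispatching file's own check.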

