[wp-trac] [WordPress Trac] #48182: wp-admin accessible from sub-directory on multisite

WordPress Trac noreply at wordpress.org
Mon Sep 30 12:59:18 UTC 2019


#48182: wp-admin accessible from sub-directory on multisite
-----------------------------+-----------------------------
 Reporter:  ridinhighspeeds  |      Owner:  (none)
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Administration   |    Version:  5.2.3
 Severity:  normal           |   Keywords:
  Focuses:  multisite        |
-----------------------------+-----------------------------
 Using the latest version of WordPress. Noticed in our web logs that /wp-
 login.php is accessible from sub-directories within a multisite.

 Example or 1 site in our multisite - Normal URL:
 https://www.bridgestreettire.com/wp-login.php
 Unfortunately wp-login.php is accessible via any sub-directory i.e.
 bridgestreettire.com/***/wp-login.pho where *** can be replaced with any
 text.
 Example, all of these work:
 https://www.bridgestreettire.com/welcome/wp-login.php
 https://www.bridgestreettire.com/admin/wp-login.php
 https://www.bridgestreettire.com/test/wp-login.php
 https://www.bridgestreettire.com/home/wp-login.php
 To protect our websites, we locked down wp-login.php to our IP address, so
 you may see an error if you try to pull up any of those url's.

 This goes the same for all other domains in our Wordpress multisite. I
 assume the .htaccess file needs to be tweaked to only allow access to wp-
 login.php from the parent domain, and not a sub-directory. I assume sub-
 directory is allowed for those who use multisite in a sub-directory mode?

 We are on CentOs 7 with cPanel and LiteSpeed Web Server.

 Thanks

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/48182>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list