[wp-hackers] BugTraq post

Otto otto at ottodestruct.com
Tue Dec 18 22:16:28 GMT 2007


The single quote in the URL (possibly any other character as well)
makes WordPress go to the main page and not the admin pages, but the
URL still contains "wp-admin/" and so is_admin() will return true.



On 12/18/07, Bull3t <bull3t at ntlworld.com> wrote:
> I can't reproduce it either - not really sure how the single quote in the
> URL helps at all though? Also, on the BugTraq post he put 3 t's in the
> http... So I ignored the single quote as a mistake as well. Meh, Aaron could
> be correct; maybe he is smoking something...
>
>
> --------------------------------------------
> Bull3t
> http://www.bull3t.me.uk/
>
>
> > -----Original Message-----
> > From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
> > bounces at lists.automattic.com] On Behalf Of Otto
> > Sent: 18 December 2007 03:57
> > To: wp-hackers at lists.automattic.com
> > Subject: Re: [wp-hackers] BugTraq post
> >
> > He emailed me with more information on this.. I think I see what he's
> > talking about, although I still can't reproduce it.
> >
> > Create a blank blog with default permalinks.
> > Create a draft post.
> >
> > Go to http://example.com/wp/'wp-admin/ . The single quote there is
> > intentional.
> >
> > The existence of the "wp-admin/" triggers is_admin() to return true.
> > And this code in query.php:
> >
> > elseif ( !$this->is_singular ) {
> >       $where .= " AND (post_status = 'publish'";
> >
> >       if ( is_admin() )
> >               $where .= " OR post_status = 'future' OR post_status = 'draft' OR post_status = 'pending'";
> >
> >       if ( is_user_logged_in() ) {
> >               $where .= current_user_can( "read_private_{$post_type}s" ) ? " OR post_status = 'private'" : " OR post_author = $user_ID AND post_status = 'private'";
> >       }
> >
> >       $where .= ')';
> > }
> >
> > Causes it to display the drafts when the user is not logged in.
> >
> > I think that's what he's saying. I can't get it to work on my testbed
> > yet, but he insists that it does.
> >
> > -Otto
> >
> >
> >
> > On 12/16/07, Otto <otto at ottodestruct.com> wrote:
> > > He's severely confused about what the is_admin() function does. As we
> > > know, is_admin() returns true when you're looking at any of the admin
> > > pages.
> > >
> > > He seems to think that it's supposed to tell whether the user is an
> > > admin or not, which is not the case.
> > >
> > > Anyway, his "flaw" does not work.
> > >
> > > -Otto
> > >
> > > On 12/15/07, Aaron Brazell <emmensetech at gmail.com> wrote:
> > > > Matt-
> > > >
> > > > I saw that earlier today and I agree... if the cookie isn't set, wp-
> > > > admin will redirect to wp-login.php. And if he is able to access wp-
> > > > admin (say with open registration, which is legit), what he can view
> > > > is going to be subject to a cap check. Either he's smoking something
> > > > or he hasn't provided all the info.
> > > >
> > > > My take.
> > > > --
> > > > Aaron Brazell
> > > > Director of Technology, b5media
> > > >
> > > > skype: technosailor
> > > > phone: 410-608-6620
> > > > web: http://technosailor.com
> > > >
> > > > Everything contained in this email is confidential and stuff
> > > >
> > > > On Dec 15, 2007, at 9:25 PM, Matt Mullenweg wrote:
> > > >
> > > > > Is anyone able to use this to read drafts? This guy seems confused.
> > > > >
> > > > > http://www.securityfocus.com/archive/1/485160/30/0/threaded
> > > > >
> > > > > --
> > > > > Matt Mullenweg
> > > > > http://photomatt.net | http://wordpress.org
> > > > > http://automattic.com | http://akismet.com
> > > > > _______________________________________________
> > > > > wp-hackers mailing list
> > > > > wp-hackers at lists.automattic.com
> > > > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > > >
> > >
> >
> >
>
>
>
>
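As an added illustration of the failure mode discussed in this thread (my own example, not WordPress code and not posted by anyone above): a simplified stand-in for a path-substring is_admin() check, the post_status filter built the way the quoted query.php fragment builds it, and the same filter gated on a user capability instead of request context. The function names, the simplified is_admin() logic, and the edit_posts capability stand-in are assumptions, not the project's actual implementation.

```php
<?php
// Added example. Models the thread's point: a URL-substring is_admin() check
// is request context, not authorisation, so it must not widen a data query.

// Hypothetical simplified form of the 2007-era check the thread describes:
// "wp-admin/" anywhere in the request path makes is_admin() true.
function is_admin_by_path(string $request_uri): bool {
    return strpos($request_uri, 'wp-admin/') !== false;
}

// The post_status filter built the way the quoted query.php fragment does,
// gated on is_admin() (the weak form; is_user_logged_in branch omitted).
function where_clause_vulnerable(string $request_uri): string {
    $where = " AND (post_status = 'publish'";
    if (is_admin_by_path($request_uri)) {
        $where .= " OR post_status = 'future' OR post_status = 'draft'"
                . " OR post_status = 'pending'";
    }
    return $where . ')';
}

// Hardened form: the visible statuses depend on what the user may do, never
// on what the URL looks like. $can_edit stands in for a capability check
// such as current_user_can('edit_posts') (assumed capability name).
function where_clause_hardened(bool $can_edit): string {
    $where = " AND (post_status = 'publish'";
    if ($can_edit) {
        $where .= " OR post_status = 'future' OR post_status = 'draft'"
                . " OR post_status = 'pending'";
    }
    return $where . ')';
}

// Constructed request from the thread: the quote keeps this a front-end
// request, yet the substring still matches.
$url = "/wp/'wp-admin/";
var_dump(is_admin_by_path($url));                   // bool(true)

// Anonymous visitor: the weak gate adds 'draft' to the filter, the
// capability gate does not.
$weak = where_clause_vulnerable($url);
$safe = where_clause_hardened(false);
var_dump(strpos($weak, "'draft'") !== false);       // bool(true)
var_dump(strpos($safe, "'draft'") !== false);       // bool(false)
echo $weak, "\n", $safe, "\n";
```

The check worth keeping from this is the second one: whatever determines the status list in the query should be a capability tied to the authenticated user, so that no shape of request path can change it.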
