[wp-trac] [WordPress Trac] #2697: Hacking URLs under certain formats allows you to see drafts

WordPress Trac wp-trac at lists.automattic.com
Thu Apr 27 04:09:53 GMT 2006


#2697: Hacking URLs under certain formats allows you to see drafts
-----------------------+----------------------------------------------------
       Id:  2697       |      Status:  new                     
Component:  General    |    Modified:  Thu Apr 27 04:09:53 2006
 Severity:  major      |   Milestone:  2.0.2                   
 Priority:  normal     |     Version:  2.0.2                   
    Owner:  anonymous  |    Reporter:  Resiny                  
-----------------------+----------------------------------------------------
 Just something I noticed, when using URL styles like site.com/%post_id%
 and the default category settings, you can hack URLs to view posts that
 have been saved as a draft.

 For instance, say you write and publish post number one. Readers see it at
 site.com/1 or in the default setting site.com/?p=1. Then you write the
 second post and save it as a draft. If you were to publish it it would
 show up at the permalink site.com/2 or site.com/?p=2. But it's saved as a
 draft, so it's not visible in the blog. You then write a third entry and
 publish it. On the homepage visitors see site.com/1, and site.com/3 (or
 site.com/?p=1 and site.com/?p=3).

 The second entry that was saved as a draft will show up and be at URL
 site.com/2 or site.com/?p=2. However, hacking the URL still allows people
 to see the draft.

 You can see an example at my test site.

 Entry number 4 was published: http://resiny.org/beta/?p=4
 Entry number 5 was deleted, thus you get a 404 trying to see it:
 http://resiny.org/beta/?p=5
 Entry number 6 was written, but saved and not published, so you don't see
 it on the home page (http://resiny.org/beta/), but hacking the URL allows
 you to see a draft, not good: http://resiny.org/beta/?p=6
 The next entry was published and shows up normally:
 http://resiny.org/beta/?p=7

 Not a massive security threat or anything, but you definitely don't want
 readers to be able to see drafts. As far as I can tell, this works with
 the default permalink structure as well as /%post_id%.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/2697>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
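The following is an added example, not code from the ticket or from WordPress: it models the single-post lookup the report describes (posts 4 to 7 on the reporter's test site, with 5 deleted and 6 a draft) and shows the status and capability check that keeps an ID-guessed draft from being served to an anonymous reader. The `Post` class, `POSTS` table, `can_preview` rule and function names are assumptions made for the illustration.

```python
# Added example (not WordPress code): models the ?p=N lookup from ticket #2697
# and the check that stops a draft from being served to anonymous readers.
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Post:
    id: int
    status: str   # mirrors WordPress post_status values: 'publish', 'draft', ...
    author: str


# Constructed sample mirroring the ticket's test site: 4 published, 5 deleted
# (so absent from the table), 6 saved as a draft, 7 published.
POSTS = {
    4: Post(4, "publish", "resiny"),
    6: Post(6, "draft", "resiny"),
    7: Post(7, "publish", "resiny"),
}


def vulnerable_view(post_id: int) -> Optional[Post]:
    """Looks a post up by ID only, so a draft is served just like a published post."""
    return POSTS.get(post_id)


def can_preview(post: Post, viewer: Optional[str]) -> bool:
    """Hypothetical capability check: only the author may view an unpublished post."""
    return viewer is not None and viewer == post.author


def fixed_view(post_id: int, viewer: Optional[str] = None) -> Optional[Post]:
    """Serves a post only if it is published or the viewer may preview it; else None (404)."""
    post = POSTS.get(post_id)
    if post is None:
        return None
    if post.status == "publish" or can_preview(post, viewer):
        return post
    return None


def leaked_ids(view: Callable[[int], Optional[Post]], ids: Iterable[int]) -> List[int]:
    """IDs for which an anonymous request returns a post that is not published."""
    leaked = []
    for post_id in ids:
        post = view(post_id)
        if post is not None and post.status != "publish":
            leaked.append(post_id)
    return leaked
```

Running `leaked_ids` over IDs 4 to 7 returns `[6]` for the unchecked lookup and `[]` once the status check is in place.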