[wp-trac] [WordPress Trac] #4748: Unprivileged users can perform some actions on pages they aren't allowed to access
WordPress Trac
wp-trac at lists.automattic.com
Tue Aug 14 18:45:39 GMT 2007
#4748: Unprivileged users can perform some actions on pages they aren't allowed to access
----------------------+-----------------------------------------------------
Reporter: xknown | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.2.3
Component: Security | Version: 2.2.2
Severity: normal | Keywords:
----------------------+-----------------------------------------------------
You control access to administration pages in menu.php based on the
value of `$pagenow`; however, this variable can be manipulated via
`PATH_INFO`.
{{{
// $pagenow is derived from $PHP_SELF, which includes any PATH_INFO the
// client appends after the script name, so its last component is
// attacker-controlled when the server honours PATH_INFO.
if ( preg_match('#([^/]+\.php)$#', $PHP_SELF, $self_matches) ) {
    // Last path component ending in .php (PATH_INFO lands here too).
    $pagenow = $self_matches[1];
} elseif ( strpos($PHP_SELF, '?') !== false ) {
    // Last path component, with any query string cut off.
    $pagenow = explode('/', $PHP_SELF);
    $pagenow = trim($pagenow[(sizeof($pagenow)-1)]);
    $pagenow = explode('?', $pagenow);
    $pagenow = $pagenow[0];
} else {
    $pagenow = 'index.php';
}
}}}
Proof of Concept:
1. Log in to WP (a subscriber user is okay)
2. Access `http://vulnerable/wp/wp-admin/themes.php/index.php`
3. Switch the current theme (you need to replace
`/wp-admin/themes.php/themes.php?action=...` by
`/wp-admin/themes.php/index.php?action=...`)
As you can see, this bug lets unprivileged users switch the current theme,
de/activate plugins, etc.
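The core of the problem is that `PHP_SELF` is the resolved script path plus whatever `PATH_INFO` the client appended, while `SCRIPT_NAME` holds only the script the server actually resolved. The following is an added example in Python (not code from the ticket or from WordPress): it mirrors the quoted `$pagenow` logic, shows a derivation based on `SCRIPT_NAME` (this example's recommendation, not the project's own patch), and runs a simple check over constructed access-log lines for admin requests whose path continues past a `.php` script.

```python
import re

# --- Deriving the page name --------------------------------------------------

def pagenow_from_php_self(php_self: str) -> str:
    """Python mirror of the 2.2.2 logic quoted in the ticket.

    PHP_SELF is the script path *plus* any PATH_INFO the client appended, so
    the trailing component is attacker-controlled when PATH_INFO is honoured.
    """
    m = re.search(r'([^/]+\.php)$', php_self)
    if m:
        return m.group(1)
    if '?' in php_self:
        last = php_self.split('/')[-1].strip()
        return last.split('?')[0]
    return 'index.php'


def pagenow_from_script_name(script_name: str) -> str:
    """Hardened derivation (this example's assumption, not WordPress's fix).

    SCRIPT_NAME is filled in by the web server from the script it resolved,
    so PATH_INFO never reaches it: a request for /wp-admin/themes.php/index.php
    gives SCRIPT_NAME=/wp-admin/themes.php and PATH_INFO=/index.php.
    """
    return script_name.rsplit('/', 1)[-1] or 'index.php'


def strip_path_info(php_self: str, path_info: str) -> str:
    """Alternative when only PHP_SELF is at hand: drop the PATH_INFO suffix the
    server reports before taking the basename."""
    if path_info and php_self.endswith(path_info):
        return php_self[:-len(path_info)]
    return php_self


# --- Spotting PATH_INFO-style admin requests in access logs ------------------

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Aug/2007:18:45:39 +0000] "GET /wp/wp-admin/themes.php HTTP/1.1" 200 5120',
    '10.0.0.5 - - [14/Aug/2007:18:46:02 +0000] "GET /wp/wp-admin/themes.php/index.php?action=activate HTTP/1.1" 302 0',
    '10.0.0.7 - - [14/Aug/2007:18:47:10 +0000] "POST /wp/wp-admin/plugins.php/index.php HTTP/1.1" 302 0',
    '10.0.0.9 - - [14/Aug/2007:18:48:00 +0000] "GET /wp/index.php?p=12 HTTP/1.1" 200 8000',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_pathinfo_requests(lines):
    """Return (client, path) for wp-admin requests where a .php script is
    followed by more path: the shape that makes PHP_SELF and SCRIPT_NAME
    disagree and therefore deserves a look in the logs."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        path = target.split('?', 1)[0]          # ignore the query string
        if '/wp-admin/' in path and re.search(r'\.php/.+', path):
            hits.append((client, path))
    return hits


if __name__ == '__main__':
    php_self = '/wp/wp-admin/themes.php/index.php'
    print('PHP_SELF-based   :', pagenow_from_php_self(php_self))
    print('SCRIPT_NAME-based:', pagenow_from_script_name('/wp/wp-admin/themes.php'))
    for client, path in flag_pathinfo_requests(SAMPLE_LOG):
        print('PATH_INFO-style admin request from', client, '->', path)
```

Running the block shows the two derivations disagreeing on the same request (`index.php` versus `themes.php`), which is exactly the gap the capability check in menu.php falls into; the log scan flags the two constructed admin requests that carry an extra path component and leaves ordinary requests alone.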
--
Ticket URL: <http://trac.wordpress.org/ticket/4748>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software