[wp-trac] Re: [WordPress Trac] #4627: Link manager exploit?
WordPress Trac
wp-trac at lists.automattic.com
Tue Oct 16 06:51:45 GMT 2007
#4627: Link manager exploit?
----------------------+-----------------------------------------------------
Reporter: cbdilger | Owner: pishmishy
Type: defect | Status: reopened
Priority: normal | Milestone: 2.3.1
Component: Security | Version: 2.2
Severity: normal | Resolution:
Keywords: |
----------------------+-----------------------------------------------------
Comment (by DD32):
After playing around with it and leading down the wrong paths too many
times...
Subscribers can access the add and save code branches. Neither checks for
valid user permissions, only that the user is logged in (handled by
admin.php).
Attached a patch which throws a current_user_can() call into both
branches.
If we look at the logs above,
the 500 error is wp_die presenting the user with a nonce.
Then the 302 is the bot sending back the nonce and adding the link.
I can't think of anything that would fail the additional user checks.
--
Ticket URL: <http://trac.wordpress.org/ticket/4627#comment:10>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
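The pattern DD32 describes, shown as an added illustration (this is not the patch attached to the ticket and not WordPress's own link.php): the add and save branches of a wp-admin link handler before and after a capability check is added. It assumes it runs inside wp-admin, where admin.php has already required a logged-in user; the capability name 'manage_links' and the nonce action names 'add-bookmark' and 'update-bookmark' are assumptions, as are the helper names add_link() and edit_link().

```php
<?php
// Added example, not the ticket's patch. Assumes a WordPress admin context:
// admin.php has already verified that *someone* is logged in, nothing more.

// BEFORE: the only gate is admin.php's login check. A Subscriber who can
// obtain the nonce (the "500 then 302" sequence in the ticket's logs: wp_die
// presents the nonce, the client replays it) reaches add_link() unchallenged.
function vulnerable_handle_link_action( $action ) {
    switch ( $action ) {
        case 'add':
            check_admin_referer( 'add-bookmark' );   // assumed nonce action name
            add_link();                              // no capability check
            break;
        case 'save':
            check_admin_referer( 'update-bookmark' ); // assumed nonce action name
            edit_link( (int) $_POST['link_id'] );    // no capability check
            break;
    }
}

// AFTER: each privileged branch first asks whether the current user holds the
// capability for the action, then verifies the nonce. The nonce defends an
// authorised user against CSRF; only current_user_can() stops a low-privilege
// account that is legitimately logged in, which is the case in this ticket.
function hardened_handle_link_action( $action ) {
    switch ( $action ) {
        case 'add':
            if ( ! current_user_can( 'manage_links' ) ) {   // assumed capability
                wp_die( __( 'You do not have sufficient permissions to add links to this blog.' ) );
            }
            check_admin_referer( 'add-bookmark' );
            add_link();
            break;
        case 'save':
            if ( ! current_user_can( 'manage_links' ) ) {
                wp_die( __( 'You do not have sufficient permissions to edit links for this blog.' ) );
            }
            check_admin_referer( 'update-bookmark' );
            edit_link( (int) $_POST['link_id'] );
            break;
    }
}
```

The order matters for the reason the comment gives: a nonce check alone answers "did this request come from my own form?", not "is this user allowed to do this?", so a logged-in Subscriber who replays the nonce passes it. Putting current_user_can() ahead of the nonce check in every branch that writes data is what closes the hole; a role that should be able to add links passes both checks unchanged, which is why the additional check is not expected to break anyone.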