[wp-trac] Re: [WordPress Trac] #7220: Press This vulnerabilities
WordPress Trac
wp-trac at lists.automattic.com
Wed Jul 2 16:47:42 GMT 2008
#7220: Press This vulnerabilities
----------------------+-----------------------------------------------------
Reporter: xknown | Owner: ryan
Type: defect | Status: new
Priority: normal | Milestone: 2.6
Component: Security | Version: 2.6
Severity: normal | Resolution:
Keywords: |
----------------------+-----------------------------------------------------
Comment (by xknown):
Another problem I recently found is that users without the
`unfiltered_upload` capability are able to download any file via the
`media_sideload_*` functions to the tmp dir (`get_temp_dir()` will return
`WP_CONTENT_DIR` if it's writable), so when `wp_handle_sideload` fails
(because of the `wp_check_filetype` check) it will not delete the temporary
file that was downloaded in the previous step.

Steps to reproduce the problem:

 - Log in as an unprivileged user, but with the `publish_post` capability,
   and go to `http://localhost/wp/wp-admin/press-this.php`.
 - Select the "Photo" tab, after that click on "Add from URL +" and then
   enter any URL, i.e. `http://localhost/dummy.php`
 - Now insert a link into the content box
   `<a href="http://localhost/dummy.php">dummy</a>` -- it's used to ensure
   that there is a reference to the fake image.
 - Click on the "Publish" button.

The post won't be inserted but, like I said, if `WP_CONTENT_DIR` is
writable the temporary file won't be deleted.
--
Ticket URL: <http://trac.wordpress.org/ticket/7220#comment:9>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
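
Added example (not part of the ticket and not WordPress code): a standalone PHP illustration of the cleanup the comment above finds missing, where a staged download is deleted whenever the file type check rejects it. The function names `example_sideload` and `example_allowed_type`, the extension allow-list and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: not WordPress code. All names here are hypothetical.

// Allow-list standing in for the file type check that rejects the download.
function example_allowed_type(string $name): bool {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true);
}

// Stage the fetched bytes in $stage_dir, validate, then move into $dest_dir.
// The finally block deletes the staged file on every path that does not end
// in a successful move, including the rejected-type path.
function example_sideload(string $bytes, string $name, string $stage_dir, string $dest_dir): ?string {
    $tmp = tempnam($stage_dir, 'sl_');
    if ($tmp === false) {
        return null;
    }
    $moved = false;
    try {
        if (file_put_contents($tmp, $bytes) === false) {
            return null;
        }
        if (!example_allowed_type($name)) {
            return null; // rejected: cleanup happens in finally
        }
        $dest = $dest_dir . DIRECTORY_SEPARATOR . basename($name);
        $moved = rename($tmp, $dest);
        return $moved ? $dest : null;
    } finally {
        if (!$moved && file_exists($tmp)) {
            unlink($tmp);
        }
    }
}

// Constructed inputs: two scratch directories and two fake downloads.
$stage = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('stage_');
$dest  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('dest_');
mkdir($stage);
mkdir($dest);

$rejected = example_sideload('constructed non-image bytes', 'dummy.php', $stage, $dest);
$accepted = example_sideload('constructed image bytes', 'photo.png', $stage, $dest);

$leftover = glob($stage . DIRECTORY_SEPARATOR . '*') ?: [];
if ($rejected !== null || $accepted === null || count($leftover) !== 0) {
    throw new RuntimeException('staged file leaked or result unexpected');
}
echo "rejected download removed from staging; accepted file at $accepted\n";
```

Staging outside any web-served directory keeps a rejected download unreachable even if cleanup is interrupted before the `finally` block runs.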