[wp-trac] Re: [WordPress Trac] #7220: Press This vulnerabilities

WordPress Trac wp-trac at lists.automattic.com
Wed Jul 2 16:47:42 GMT 2008

#7220: Press This vulnerabilities
 Reporter:  xknown    |        Owner:  ryan
     Type:  defect    |       Status:  new 
 Priority:  normal    |    Milestone:  2.6 
Component:  Security  |      Version:  2.6 
 Severity:  normal    |   Resolution:      
 Keywords:            |  
Comment (by xknown):

 Another problem I recently found is that users without `unfiltered_upload`
 capability are able to download any file via the `media_sideload_*` to the
 tmp dir (`get_temp_dir()` will return `WP_CONTENT_DIR` if it's writable),
 so when `wp_handle_sideload` fails (because of `wp_check_filetype` check)
 it will not delete the temporary file that was downloaded in the previous

 Steps to reproduce the problem:

  - Log in as an unprivileged user, but with `publish_post` capability and
 go to `http://localhost/wp/wp-admin/press-this.php`.
  - Select "Photo" tab, after that click on "Add from URL +" and then enter
 any url. ie `http://localhost/dummy.php`
  - Now insert a link into the content box `<a
 href="http://localhost/dummy.php">dummy</a>` -- it's used to ensure that
 there is a reference to the fake image.
  - Click on "Publish" button.

 The post won't be inserted but like I said, if `WP_CONTENT_DIR` is
 writable the temporary file won't be deleted.

Ticket URL: <http://trac.wordpress.org/ticket/7220#comment:9>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list