[wp-trac] [WordPress Trac] #10310: add_menu_page Security Bug
WordPress Trac
wp-trac at lists.automattic.com
Tue Jun 30 16:32:34 GMT 2009
#10310: add_menu_page Security Bug
----------------------------------+-----------------------------------------
Reporter: shazahm1@… | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: Unassigned
Component: Menus | Version: 2.8
Severity: major | Keywords:
----------------------------------+-----------------------------------------
I think there is a security issue with the add_menu_page() function, but
I'm a noob and might be doing something wrong; still, I was able to duplicate
it with the sample code from the codex.
{{{
<?php
/*
Plugin Name: Menu Test
Plugin URI: http://wordpress.org
Description: Menu Test
Author: Nobody
Author URI: http://example.com
*/
// Hook for adding admin menus
add_action('admin_menu', 'mt_add_pages');
// action function for above hook
function mt_add_pages() {
// Add a new submenu under Options:
add_options_page('Test Options', 'Test Options', 8, 'testoptions',
'mt_options_page');
// Add a new submenu under Manage:
add_management_page('Test Manage', 'Test Manage', 8, 'testmanage',
'mt_manage_page');
// Add a new top-level menu (ill-advised):
add_menu_page('Test Toplevel', 'Test Toplevel', 8, __FILE__,
'mt_toplevel_page');
// Add a submenu to the custom top-level menu:
add_submenu_page(__FILE__, 'Test Sublevel', 'Test Sublevel', 8, 'sub-page', 'mt_sublevel_page');
// Add a second submenu to the custom top-level menu:
add_submenu_page(__FILE__, 'Test Sublevel 2', 'Test Sublevel 2', 8,
'sub-page2', 'mt_sublevel_page2');
}
// mt_options_page() displays the page content for the Test Options submenu
function mt_options_page() {
echo "<h2>Test Options</h2>";
}
// mt_manage_page() displays the page content for the Test Manage submenu
function mt_manage_page() {
echo "<h2>Test Manage</h2>";
}
// mt_toplevel_page() displays the page content for the custom Test Toplevel menu
function mt_toplevel_page() {
echo "<h2>Test Toplevel</h2>";
}
// mt_sublevel_page() displays the page content for the first submenu
// of the custom Test Toplevel menu
function mt_sublevel_page() {
echo "<h2>Test Sublevel</h2>";
}
// mt_sublevel_page2() displays the page content for the second submenu
// of the custom Test Toplevel menu
function mt_sublevel_page2() {
echo "<h2>Test Sublevel 2</h2>";
}
?>
}}}
Let's say a user is logged in as a subscriber and types in the query
string to access the top level menu '''?page=menu_test.php''': the page
will be displayed even though only admins should see it, as set in
the parameter passed to add_menu_page. However, typing in the query string for
the subpages is blocked as expected. I've also attached my code that
shows the same problem.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10310>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
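A defensive variant of the sample plugin, added here as an editor's example (not the reporter's attached code and not WordPress core): each page callback re-checks the capability itself, so the content is protected even when the menu-level access check is bypassed by a direct `?page=` request. The `mt_hardened_` and `mt_require_cap` names, and the mapping of access level 8 to the `manage_options` capability, are assumptions.

```php
<?php
/*
Plugin Name: Menu Test (hardened)
Description: Added example, not part of the ticket. Every page callback
             re-checks the capability instead of trusting the menu registration.
*/

// Assumption: the old numeric access level 8 corresponds to the administrator
// capability 'manage_options'.
define( 'MT_REQUIRED_CAP', 'manage_options' );

add_action( 'admin_menu', 'mt_hardened_add_pages' );

function mt_hardened_add_pages() {
    // Register with a capability name rather than the deprecated numeric level.
    add_menu_page( 'Test Toplevel', 'Test Toplevel', MT_REQUIRED_CAP, __FILE__,
        'mt_hardened_toplevel_page' );
    add_submenu_page( __FILE__, 'Test Sublevel', 'Test Sublevel', MT_REQUIRED_CAP,
        'sub-page', 'mt_hardened_sublevel_page' );
}

// Defense in depth: abort before rendering unless the current user holds the
// capability. Because this runs inside the callback, a direct ?page=... request
// that gets past the menu-level check still receives wp_die() output instead
// of the page content.
function mt_require_cap( $cap ) {
    if ( ! current_user_can( $cap ) ) {
        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
    }
}

function mt_hardened_toplevel_page() {
    mt_require_cap( MT_REQUIRED_CAP );
    echo '<h2>Test Toplevel</h2>';
}

function mt_hardened_sublevel_page() {
    mt_require_cap( MT_REQUIRED_CAP );
    echo '<h2>Test Sublevel</h2>';
}
```

The same in-callback check is worth applying to the options and management pages as well, since it costs one function call per page and does not depend on how the menu entry was registered.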