[wp-trac] [WordPress Trac] #48182: wp-admin accessible from sub-directory on multisite

WordPress Trac noreply at wordpress.org
Tue Oct 1 21:55:36 UTC 2019


#48182: wp-admin accessible from sub-directory on multisite
--------------------------------+------------------------
 Reporter:  ridinhighspeeds     |       Owner:  (none)
     Type:  defect (bug)        |      Status:  closed
 Priority:  normal              |   Milestone:
Component:  Networks and Sites  |     Version:  5.2.3
 Severity:  normal              |  Resolution:  duplicate
 Keywords:                      |     Focuses:  multisite
--------------------------------+------------------------
Changes (by SergeyBiryukov):

 * status:  new => closed
 * resolution:   => duplicate
 * component:  Administration => Networks and Sites
 * milestone:  Awaiting Review =>


Old description:

> Using the latest version of WordPress. Noticed in our web logs that
> /wp-login.php is accessible from sub-directories within a multisite.
>
> Example of 1 site in our multisite - Normal URL:
> https://www.bridgestreettire.com/wp-login.php
> Unfortunately wp-login.php is accessible via any sub-directory i.e.
> bridgestreettire.com/***/wp-login.php where *** can be replaced with any
> text.
> Example, all of these work:
> https://www.bridgestreettire.com/welcome/wp-login.php
> https://www.bridgestreettire.com/admin/wp-login.php
> https://www.bridgestreettire.com/test/wp-login.php
> https://www.bridgestreettire.com/home/wp-login.php
> To protect our websites, we locked down wp-login.php to our IP address,
> so you may see an error if you try to pull up any of those URLs.
>
> This goes the same for all other domains in our Wordpress multisite. I
> assume the .htaccess file needs to be tweaked to only allow access to
> wp-login.php from the parent domain, and not a sub-directory. I assume
> sub-directory is allowed for those who use multisite in a sub-directory
> mode?
>
> We are on CentOS 7 with cPanel and LiteSpeed Web Server.
>
> Thanks

New description:

 Using the latest version of WordPress. Noticed in our web logs that
 /wp-login.php is accessible from sub-directories within a multisite.

 Example of 1 site in our multisite - Normal URL:
 https://www.bridgestreettire.com/wp-login.php
 Unfortunately wp-login.php is accessible via any sub-directory i.e.
 bridgestreettire.com/***/wp-login.php where *** can be replaced with any
 text.
 Example, all of these work:
 https://www.bridgestreettire.com/welcome/wp-login.php
 https://www.bridgestreettire.com/admin/wp-login.php
 https://www.bridgestreettire.com/test/wp-login.php
 https://www.bridgestreettire.com/home/wp-login.php
 To protect our websites, we locked down wp-login.php to our IP address, so
 you may see an error if you try to pull up any of those URLs.

 This goes the same for all other domains in our WordPress multisite. I
 assume the .htaccess file needs to be tweaked to only allow access to
 wp-login.php from the parent domain, and not a sub-directory. I assume
 sub-directory is allowed for those who use multisite in a sub-directory
 mode?

 We are on CentOS 7 with cPanel and LiteSpeed Web Server.

 Thanks

--
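The behaviour the reporter describes, as an added example that is not part of the ticket or of WordPress itself: a Python model of the `*.php` rewrite rule from a sub-directory multisite `.htaccess` (assumed here to be the standard rule WordPress generates; the ticket does not quote it), plus a log check of the kind the reporter ran by hand, flagging `wp-login.php` requests that arrive through a prefix which is not a real site path. The site paths and log lines are constructed.

```python
import re

# Assumed sub-directory multisite rule (not quoted on the ticket):
#   RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
# It strips one leading path segment before any *.php request, which is why
# /welcome/wp-login.php is served as /wp-login.php. Only this rule is
# modelled; the wp-admin/wp-content/wp-includes rule is left out.
PHP_REWRITE = re.compile(r"^([_0-9a-zA-Z-]+/)?(.*\.php)$")

# Constructed set of site paths that actually exist in this network.
KNOWN_SITE_PATHS = {"shop", "blog"}

def rewrite_php(path: str) -> str:
    """Return the script an absolute request path is rewritten to."""
    m = PHP_REWRITE.match(path.lstrip("/"))
    return "/" + m.group(2) if m else path

def is_unexpected_login_prefix(path: str) -> bool:
    """True when wp-login.php is reached via a prefix that is not a real site."""
    m = PHP_REWRITE.match(path.lstrip("/"))
    if not m or m.group(2) != "wp-login.php" or not m.group(1):
        return False
    return m.group(1).rstrip("/") not in KNOWN_SITE_PATHS

# Combined-log-format line: client, request path and status code.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def flag_log(lines):
    """Return (client, requested path, served script) for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path, _status = m.groups()
        path = path.split("?", 1)[0]
        if is_unexpected_login_prefix(path):
            hits.append((client, path, rewrite_php(path)))
    return hits

# Constructed sample log lines (RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Oct/2019:21:00:01 +0000] "GET /welcome/wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.7 - - [01/Oct/2019:21:00:02 +0000] "POST /admin/wp-login.php HTTP/1.1" 200 1234',
    '198.51.100.4 - - [01/Oct/2019:21:00:03 +0000] "GET /shop/wp-login.php HTTP/1.1" 200 1234',
    '198.51.100.4 - - [01/Oct/2019:21:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for client, path, target in flag_log(SAMPLE_LOG):
        print(f"{client} requested {path} -> served as {target}")
```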

Comment:

 Hi @ridinhighspeeds, welcome to WordPress Trac!

 Thanks for the report, we're already tracking this issue in #17376.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/48182#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

