
Wordpress - Broken Access Control



By Michael Brooks

Vulnerability: Broken Access Control

Homepage: http://wordpress.org/download

Software: Wordpress

Version affected: 2.3.1 (Latest at the time of writing)


The impact of the flaw is that an attacker can read posts while they are still drafts. This is an ability that only the administrator should have. Imagine a stranger being able to read the news before it is published, or a spam-blog harvesting posts before they are published.


This flaw exists because Wordpress trusts the $_SERVER['REQUEST_URI'] global variable. Manipulation of $_SERVER['REQUEST_URI'] has led to many XSS flaws. Although an attacker shouldn't be able to control all $_SERVER variables, none of them should be trusted.


Exploit:

http://localhost/wordpress/'wp-admin/


This will cause both $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] to contain the value:
http://localhost/wordpress/'wp-admin/


Vulnerable function:

line 34, in ./wp-includes/query.php.

function is_admin () {
	global $wp_query;

	// Any request whose URI contains the substring 'wp-admin/' anywhere is treated as an admin request
	return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
}

The same flaw is duplicated again on line 645 of the same file.


This url: http://localhost/wordpress/'wp-admin/
will cause the is_admin() function to return true. This flaw works regardless of register_globals or magic_quotes_gpc. The attack fails when search engine friendly urls are turned on in wordpress; however, this option is turned off by default. Turning search engine friendly urls on is a workaround until a patch is created.
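The check quoted above beside a hardened form, as an added example that is not WordPress code and not part of the original advisory. It assumes the admin entry script defines a server-side constant (WP_ADMIN here) before the rest of the application loads, so that admin context is derived from which script is executing rather than from anything in the request.

```php
<?php
// Vulnerable form, matching the is_admin() quoted from wp-includes/query.php:
// any request URI containing 'wp-admin/' is treated as an admin request.
function is_admin_vulnerable(string $request_uri, bool $query_is_admin = false): bool
{
    return $query_is_admin || (stripos($request_uri, 'wp-admin/') !== false);
}

// Hardened form (assumption: wp-admin's entry script does define('WP_ADMIN', true)
// before loading the application). The request URI is never consulted, so a
// front-end request cannot promote itself to the admin code path.
function is_admin_hardened(bool $query_is_admin = false): bool
{
    return $query_is_admin || (defined('WP_ADMIN') && WP_ADMIN === true);
}

// Constructed front-end request URIs: the advisory's payload path, the same
// substring smuggled in a query string, and an ordinary permalink.
$front_end_requests = [
    "/wordpress/'wp-admin/",
    "/wordpress/?s=wp-admin/",
    "/wordpress/2007/11/hello-world/",
];

// None of these requests were served by an admin script, so WP_ADMIN is not
// defined here and the hardened check stays false for all of them, while the
// substring check answers true for the first two.
foreach ($front_end_requests as $uri) {
    printf("%-34s vulnerable=%-5s hardened=%s\n",
        $uri,
        var_export(is_admin_vulnerable($uri), true),
        var_export(is_admin_hardened(), true));
}
```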
=0D
=0D
=0D
Peace
