Re: Wordpress - Broken Access Control
Hi all,
Apparently there is some disagreement about this issue. I am providing more
information to build a greater understanding about what is happening.
This problem is entirely contained within the query.php file. At the comment
header of query.php it says: "The Big Query." Yes indeed this file produces a
large query. This file is very disorganized and it was difficult to go though
with a fine tooth comb, but I did and i found a flaw because of it. I was
looking for SQL Injection, but broken access control will get me a CVE number.
Perhaps this URL provides more information:
http://localhost/wordpress/index.php/'wp-admin/
I urge everyone to make this get request and to print the
$_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] variables.
You will see that wp-admin/ is at the end of these variables.
I should have provided the exact point in which the flawed query is being
built. I thought that my PoC was enough, my bad.
if ( is_admin() )
$where .= " OR post_status = 'future' OR post_status = 'draft'
OR post_status = 'pending'";
This url: htttp://localhost/wordpress/index.php/'wp-admin/ will cause the
is_admin() function to return TRUE.
function is_admin () {
global $wp_query;
return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'],
'wp-admin/') !== false));
}
In the future you shouldn't attack someone who is trying to help. This is a
complex and irregular issue so I totally understand why it was difficult to
see. In the future you shouldn't dismiss something you do not understand,
instead i urge you to ask questions and learn more.
Peace