On 2007-12-16(Sun) 10:07:29 -0000, otto@xxxxxxxxxxxxxxxx wrote: > The is_admin() function is not supposed to tell whether a user is an > administrator or not, it tells whether the user is looking at one of the > administration pages. As such, this function does exactly what it is supposed > to do. > > As for the rest, there is no flaw. To view a draft, the user must > authenticate and have the correct capability set. There is no way to view > drafts without being logged in and having that capability set on the user's > role level. > > This "vulnerability" is non-existent. Here I confirm the validity of the vulnerability: Machine: Windows 2000 SP4, Apache 2.2.4, MySQL 5.0.45 Wordpress version tested: 2.2.0, 2.2.3, 2.3.1 Everytime the URL http://localhost/wordpress/index.php/wp-admin/ is used, and user is NOT logged in. In each wordpress version draft posts are indeed shown. And according to wordpress bug report, a patch is applied on 19th to address the problem. Abel -- Abel Cheung (GPG Key: 0xC67186FF) Key fingerprint: 671C C7AE EFB5 110C D6D1 41EE 4152 E1F1 C671 86FF -------------------------------------------------------------------- * My blog - http://me.abelcheung.org/ * Opensource Application Knowledge Assoc. - http://oaka.org/
Attachment:
signature.asc
Description: Digital signature