
Wordpress - Broken Access Control



th3.r00k.nospam at pork

Dec 14, 2007, 2:07 PM

Post #1 of 5 (434 views)
Wordpress - Broken Access Control

By Michael Brooks

Vulnerability:Broken Access Control

Homepage:http://wordpress.org/download

Software: Wordpress

Version affected:2.3.1 (Latest at the time of writing)



The impact of the flaw is that an attacker can read posts while they are still drafts. This is an ability that only the administrator should have. Imagine a stranger being able to read the news before it is published. Or perhaps a spam-blog harvesting posts before they are published.



This flaw is because Wordpress is trusting the $_SERVER['REQUEST_URI'] global variable. Manipulation of $_SERVER['REQUEST_URI'] has led to many XSS flaws. Although an attacker shouldn't be able to control all $_SERVER variables, none of them should be trusted.



exploit:

http://localhost/wordpress/'wp-admin/

This will cause both $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] to contain the value:
http://localhost/wordpress/'wp-admin/


Vulnerable function:

line 34, in ./wp-includes/query.php.

function is_admin () {
    global $wp_query;

    return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
}

The same flaw is duplicated again on line 645 of the same file.



This url: http://localhost/wordpress/'wp-admin/
will cause the is_admin() function to return true. This flaw works regardless of register_globals or magic_quotes_gpc. The attack fails when search engine friendly urls are turned on in wordpress, however this option is turned off by default. Turning search engine friendly urls on is a workaround until a patch is created.



Peace


otto at ottodestruct

Dec 16, 2007, 2:07 AM

Post #2 of 5 (378 views)
Re: Wordpress - Broken Access Control [In reply to]

The is_admin() function is not supposed to tell whether a user is an administrator or not, it tells whether the user is looking at one of the administration pages. As such, this function does exactly what it is supposed to do.

As for the rest, there is no flaw. To view a draft, the user must authenticate and have the correct capability set. There is no way to view drafts without being logged in and having that capability set on the user's role level.

This "vulnerability" is non-existent.


th3.r00k.nospam at pork

Dec 17, 2007, 6:16 PM

Post #3 of 5 (378 views)
Re: Wordpress - Broken Access Control [In reply to]

Hi all,

Apparently there is some disagreement about this issue. I am providing more information to build a greater understanding about what is happening.

This problem is entirely contained within the query.php file. At the comment header of query.php it says: "The Big Query." Yes indeed this file produces a large query. This file is very disorganized and it was difficult to go through with a fine-tooth comb, but I did and I found a flaw because of it. I was looking for SQL Injection, but broken access control will get me a CVE number.

Perhaps this URL provides more information:
http://localhost/wordpress/index.php/'wp-admin/
I urge everyone to make this get request and to print the $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] variables.
You will see that wp-admin/ is at the end of these variables.

I should have provided the exact point at which the flawed query is being built. I thought that my PoC was enough, my bad.

if ( is_admin() )
    $where .= " OR post_status = 'future' OR post_status = 'draft' OR post_status = 'pending'";

This url: http://localhost/wordpress/index.php/'wp-admin/ will cause the is_admin() function to return TRUE.

function is_admin () {
    global $wp_query;

    return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
}

In the future you shouldn't attack someone who is trying to help. This is a complex and irregular issue so I totally understand why it was difficult to see. In the future you shouldn't dismiss something you do not understand, instead I urge you to ask questions and learn more.

Peace
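The following is an added illustration, not code from this thread or from WordPress: it places the quoted is_admin() and draft clause beside a context-based check that never consults the request URI, and adds a small log-matching helper for the request shape the thread describes. The admin-bootstrap flag and the capability name 'edit_posts' are assumptions.

```php
<?php
// Added example, not WordPress code: the URI-based is_admin() quoted in the
// thread beside a context-based check, and the post_status clause each yields.

// Vulnerable logic as posted: any request URI containing "wp-admin/" passes,
// including path info appended to a front-end script such as index.php.
function is_admin_by_uri(string $request_uri, bool $query_is_admin = false): bool {
    return $query_is_admin || (stripos($request_uri, 'wp-admin/') !== false);
}

// The clause from "The Big Query" as posted: unpublished statuses are added
// on the strength of is_admin() alone, with no check of who is asking.
function draft_clause_vulnerable(string $request_uri): string {
    $where = "post_status = 'publish'";
    if (is_admin_by_uri($request_uri)) {
        $where .= " OR post_status = 'future' OR post_status = 'draft' OR post_status = 'pending'";
    }
    return $where;
}

// Hardened variant (an assumption, not the project's patch): the admin
// bootstrap sets a flag only when an admin script really executes, and the
// unpublished statuses are exposed only to a viewer holding a capability
// (assumed name 'edit_posts'). The request URI plays no part.
function draft_clause_hardened(bool $admin_bootstrap_ran, array $caps): string {
    $where = "post_status = 'publish'";
    if ($admin_bootstrap_ran && in_array('edit_posts', $caps, true)) {
        $where .= " OR post_status = 'future' OR post_status = 'draft' OR post_status = 'pending'";
    }
    return $where;
}

// Detection aid for access logs: "wp-admin/" appearing as path info after a
// front-end script (".php/") is the shape of request described in the thread.
function has_admin_string_in_path_info(string $request_uri): bool {
    return (bool) preg_match('#\.php/.*wp-admin/#i', $request_uri);
}

// Constructed request from the thread: anonymous visitor, front-end script,
// no session, no capabilities.
$uri = "/wordpress/index.php/'wp-admin/";

// Run the same anonymous request through both builders and the log matcher.
echo "vulnerable: ", draft_clause_vulnerable($uri), PHP_EOL;
echo "hardened:   ", draft_clause_hardened(false, []), PHP_EOL;
echo "path-info match: ", var_export(has_admin_string_in_path_info($uri), true), PHP_EOL;
```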


otto at ottodestruct

Dec 19, 2007, 12:07 PM

Post #4 of 5 (371 views)
Re: Wordpress - Broken Access Control [In reply to]

Nobody was attacking you. Calm down and try to be a bit more professional, please.

Although I am still unable to reproduce the problem on any sort of setup, a few other people have claimed to make it work as well. So a patch has been created and applied to eliminate the dependency on "wp-admin/". The patch will most likely be in the next version of WordPress.

The bug tracking and patch for this issue can be found here:
http://trac.wordpress.org/ticket/5487


abelcheung at gmail

Dec 19, 2007, 1:29 PM

Post #5 of 5 (372 views)
Re: Wordpress - Broken Access Control [In reply to]

On 2007-12-16(Sun) 10:07:29 -0000, otto [at] ottodestruct wrote:
> The is_admin() function is not supposed to tell whether a user is an administrator or not, it tells whether the user is looking at one of the administration pages. As such, this function does exactly what it is supposed to do.
>
> As for the rest, there is no flaw. To view a draft, the user must authenticate and have the correct capability set. There is no way to view drafts without being logged in and having that capability set on the user's role level.
>
> This "vulnerability" is non-existent.

Here I confirm the validity of the vulnerability:

Machine: Windows 2000 SP4, Apache 2.2.4, MySQL 5.0.45
Wordpress version tested: 2.2.0, 2.2.3, 2.3.1
Every time the URL http://localhost/wordpress/index.php/wp-admin/ is
used and the user is NOT logged in, draft posts are indeed shown in
each WordPress version.

And according to wordpress bug report, a patch is applied on
19th to address the problem.

Abel
--
Abel Cheung (GPG Key: 0xC67186FF)
Key fingerprint: 671C C7AE EFB5 110C D6D1 41EE 4152 E1F1 C671 86FF
--------------------------------------------------------------------
* My blog - http://me.abelcheung.org/
* Opensource Application Knowledge Assoc. - http://oaka.org/
