[wp-hackers] wpmu / adding users/sites/any other admin
Alan Castonguay
alan at verselogic.net
Mon Apr 6 00:16:36 GMT 2009
Arbitrary remote code execution. "massive holes" is a bit of an
understatement. You may wish to look at wpapp or xmlrpc and see if you
can either hook into those, or better yet write a patch to provide the
needed functionality. I agree that the need exists.
Alan
Sent from my iPhone
On 5-Apr-09, at 20:09, horatio <bnabble at says.mu> wrote:
>
> I made a VERY ROUGH remote API for myself to use before anyone else codes a
> proper wp/wpmu API. It works very well for my purposes, but keep in mind
> that this leaves some massive holes open, so it should be checking for a
> localhost IP, be put behind a password protected directory, whitelist
> particular functions, check incoming data integrity, etc. Use at your own
> risk.
>
> It works by posting "function" (string containing a WordPress core or custom
> function) and "args" (array containing the args to pass to the function) to
> the script.
>
> You get back a serialized result of the data:
> serialize(
>     success=>true,
>     results=>(function return value)
> )
>
> So you could post
>     function=>'testfunc',
>     args=>Array('one', 'two')
> to this script, and you would get back the serialized results from
>     serialize(testfunc('one', 'two'))
>
> I've also written a CakePHP component that deals with this remote API, if
> anyone is interested. I'm creating new domains/blogs/users through it fine.
>
> Code follows:
>
> // Location of Wordpress install
> define('WP_LOCATION', '../../../site');
>
> // Trap errors
> set_error_handler('return_error_php');
> register_shutdown_function('return_shutdown_php');
> error_reporting(E_ALL);
> ini_set('display_errors', 0);
>
> // Help Wordpress be quiet
> define('WP_INSTALLING', true);
>
> // Trick Wordpress into thinking we're in its directory, so it pulls the
> // correct site from the DB.
> // global $domain,$path;
> // $_SERVER[ 'REQUEST_URI' ] = $path = "/site/";
>
> // Include WP headers
> global $user, $wpdb, $allowedtags, $blog_id;
> require_once(WP_LOCATION."/wp-config.php");
> require_once(WP_LOCATION."/wp-includes/registration.php");
>
> // Both fields are required; reject the request if either one is missing
> if (!isset($_POST['function']) || !isset($_POST['args'])) {
>     return_error('You sent in an empty request.');
> }
>
> // Check request validity
> if (!function_exists($_POST['function'])) {
>     return_error('Function '.$_POST['function'].' is undefined.');
> }
>
> // Run requested function
> $result = call_user_func_array($_POST['function'], $_POST['args']);
>
> // Check function results (strict, so 0 and '' are still valid results)
> if ($result === null || $result === false) {
>     return_error('Function '.$_POST['function'].' returned false/null.');
> }
>
> return_success(Array('return' => $result));
>
> // For example above
> function testfunc($one, $two) {
>     return "testfunc(): arg one is $one and arg two is $two";
> }
>
> // Traps large PHP problems
> function return_shutdown_php() {
>     if ($error = error_get_last()) {
>         switch ($error['type']) {
>             case E_ERROR:
>             case E_CORE_ERROR:
>             case E_COMPILE_ERROR:
>             case E_USER_ERROR:
>                 return_error($error['message'], 'php');
>                 break;
>         }
>     }
> }
>
> // Traps simple PHP problems ($errcontext dropped; PHP no longer passes it)
> function return_error_php($errno, $errstr, $errfile, $errline) {
>     switch ($errno) {
>         case E_USER_WARNING:
>         case E_USER_NOTICE:
>         case E_WARNING:
>         case E_NOTICE:
>             break;
>         case E_CORE_WARNING:
>         case E_COMPILE_WARNING:
>         case E_USER_ERROR:
>         case E_ERROR:
>         case E_PARSE:
>         case E_CORE_ERROR:
>         case E_COMPILE_ERROR:
>             return_error($errstr, 'php');
>     }
> }
>
> // Formats error messages for return_data()
> function return_error($error, $class='wpmu') {
>     return_data(Array(
>         'success'=>false,
>         'error'=>$error,
>         'class'=>$class
>     ));
> }
>
> // Formats success messages for return_data()
> function return_success($results) {
>     return_data(Array('success'=>true, 'results'=>$results));
> }
>
> // Dumps results as serialized data
> function return_data($data) { echo serialize($data); exit; }
>
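A hardened front end for the same "POST a function name and args" shape, written here as an added example (not horatio's script and not WordPress code): it keeps the remote-call idea but binds it to the checks the post itself lists, an explicit allow-list, a localhost check and a shared secret. The REMOTE_API_SECRET constant, the allow-list entries, the argument validators and JSON-encoded args are assumptions of this example.

```php
<?php
// Added example, not the original script. Assumptions: REMOTE_API_SECRET is
// defined in wp-config.php, "args" is posted as a JSON array, and the
// allow-list below is whatever the deployment actually needs.

define('WP_LOCATION', '../../../site');   // same layout as the original post
define('WP_INSTALLING', true);
require_once WP_LOCATION . '/wp-config.php';
require_once WP_LOCATION . '/wp-includes/registration.php';

// 1. Only accept calls from the local machine (the post suggests this).
if (!in_array($_SERVER['REMOTE_ADDR'] ?? '', ['127.0.0.1', '::1'], true)) {
    respond(['success' => false, 'error' => 'forbidden'], 403);
}

// 2. Require a shared secret, compared in constant time.
//    REMOTE_API_SECRET is an assumed constant set in wp-config.php.
$token = $_SERVER['HTTP_X_API_TOKEN'] ?? '';
if (!defined('REMOTE_API_SECRET') || !hash_equals(REMOTE_API_SECRET, $token)) {
    respond(['success' => false, 'error' => 'unauthorized'], 401);
}

// 3. Allow-list: each entry names a callable and validates its arguments.
//    Nothing outside this table can be invoked, whatever "function" says.
$allowed = [
    'username_exists'  => fn(array $a) => count($a) === 1 && is_string($a[0]),
    'wpmu_create_user' => fn(array $a) => count($a) === 3
        && is_string($a[0]) && is_string($a[1]) && is_email($a[2]),
];

$function = $_POST['function'] ?? '';
$raw  = $_POST['args'] ?? '[]';                    // assumed: JSON, not a PHP array
$args = is_string($raw) ? json_decode($raw, true) : null;

if (!isset($allowed[$function]) || !is_array($args) || !$allowed[$function]($args)) {
    respond(['success' => false, 'error' => 'bad function or arguments'], 400);
}

$result = call_user_func_array($function, $args);
respond(['success' => true, 'results' => $result]);

// Emit JSON rather than serialize(): the caller can decode it without
// unserialize() and the object-instantiation side effects that brings.
function respond(array $data, int $status = 200): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($data);
    exit;
}
```

Behind a reverse proxy REMOTE_ADDR is the proxy's address, so the localhost check alone proves little there; the token check is the one that must hold.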