[wp-trac] [WordPress Trac] #5487: query.php mistakenly uses is_admin() to check for admin privileges
WordPress Trac
wp-trac at lists.automattic.com
Wed Dec 19 15:37:04 GMT 2007
#5487: query.php mistakenly uses is_admin() to check for admin privileges
-----------------------+----------------------------------------------------
 Reporter:  pishmishy  |       Owner:  pishmishy     
     Type:  defect     |      Status:  new           
 Priority:  high       |   Milestone:  2.4           
Component:  Security   |     Version:  2.3.1         
 Severity:  major      |    Keywords:  query is_admin
-----------------------+----------------------------------------------------
 1. Create a draft post
 2. Log out
 3. Visit http://yourblog.com/index.php/wp-admin/
  - is_admin() spots the wp-admin in the request and returns true
  - query.php uses is_admin() to decide to return future, draft or pending posts
 4. Future, draft and pending posts are displayed.
 This doesn't require the ' in the request string as reported on Bugtraq.
 See http://www.securityfocus.com/archive/1/485252/30/0/threaded
-- 
Ticket URL: <http://trac.wordpress.org/ticket/5487>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
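The ticket's point is that the gate in query.php keys off a property of the request (the substring `wp-admin` in the URI), which any anonymous visitor controls, instead of a property of the authenticated user. The script below is an added illustration, not WordPress code: it models the path-based test as the ticket describes it (the `stripos` on the URI is an assumption about how is_admin() behaved in 2.3.1, made only to reproduce the reported behaviour) beside a capability-based test, and shows the post_status clause each one produces for a logged-out visitor. The helper names (`looks_like_admin_request`, `may_see_unpublished`, `status_clause`) and the sample requests are constructed for the example.

```php
<?php
// Added example, not WordPress code. Models the two checks at issue in
// ticket #5487: a request-path test (the ticket's description of is_admin())
// versus a user-capability test. Helper names and sample data are constructed.

// Constructed sample requests: an anonymous visitor on the front page, the
// same visitor using the path from step 3 of the ticket, and an editor.
$requests = [
    ['uri' => '/index.php',           'user_caps' => []],
    ['uri' => '/index.php/wp-admin/', 'user_caps' => []],
    ['uri' => '/wp-admin/edit.php',   'user_caps' => ['edit_posts']],
];

// Flawed gate (assumed model of the 2.3.1 behaviour the ticket describes):
// "admin screen" is inferred from a substring of the URI, which the
// unauthenticated client chooses.
function looks_like_admin_request(string $uri): bool
{
    return stripos($uri, 'wp-admin/') !== false;
}

// Correct gate: ask whether the authenticated user holds a capability that
// permits seeing unpublished posts. The request path cannot change this.
function may_see_unpublished(array $user_caps): bool
{
    return in_array('edit_posts', $user_caps, true);
}

// Build the post_status clause: published posts always, unpublished ones
// only when the gate passes.
function status_clause(bool $privileged): string
{
    $clause = "post_status = 'publish'";
    if ($privileged) {
        $clause .= " OR post_status = 'future'"
                 . " OR post_status = 'draft'"
                 . " OR post_status = 'pending'";
    }
    return $clause;
}

foreach ($requests as $r) {
    $pathBased = status_clause(looks_like_admin_request($r['uri']));
    $capBased  = status_clause(may_see_unpublished($r['user_caps']));
    printf(
        "%-26s caps=%s\n  path-based gate: %s\n  cap-based gate : %s\n\n",
        $r['uri'],
        json_encode($r['user_caps']),
        $pathBased,
        $capBased
    );
}
```

Running it shows the second request (logged out, `/index.php/wp-admin/`) passing the path-based gate and widening the clause to drafts, future and pending posts, while the capability-based gate keeps it at published posts only; the third request passes both, as it should. The mitigation direction the comparison points to is to gate unpublished-post visibility on the current user's capabilities rather than on any test derived from the request URI.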