WordPress Trash Authorisation Bypass
Thomas Mackenzie has reported a vulnerability affecting WordPress >= 2.9. Versions before 2.9 are not vulnerable.
tmacuk quote:
Since version 2.9 a new feature was implemented so that users were able to retrieve posts that they may have deleted by accident. This new feature was labelled ‘trash’. Any posts that are placed within the trash are only viewable by authenticated privileged users.
When WordPress implemented the new feature they failed to change the permissions granted when the post is in the trash. This means that an unauthenticated user cannot see the post; however, an authenticated user can, no matter what privileges they have, even 'subscriber'.
To fix this problem, update to the latest WordPress version which is currently 2.9.2. As usual you can do this by updating your install with the latest download package or through the auto-update feature accessible from /wp-admin.
The vulnerability only concerns multi-user blogs; for standalone user blogs this can be seen as a low impact issue.
Almost as interesting as the finding itself is a current debate as to who discovered the vulnerability first. Regardless, nice find to all concerned.
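For sites that cannot upgrade immediately, the access rule the advisory describes (trashed posts visible only to users who could edit them) can be enforced at the query layer. The following must-use plugin is an added example, not code from the post or from WordPress core; the file path and plugin name are assumptions.

```php
<?php
/*
 * Plugin Name: Hide Trashed Posts
 * Description: Drops posts with post_status 'trash' from front-end query results unless
 *              the current user holds the edit_post capability for that specific post.
 *              Added hardening example, not part of WordPress core or the original post.
 * Assumed install location: wp-content/mu-plugins/hide-trashed-posts.php
 */

function hide_trashed_posts_filter( $posts ) {
    // Admin screens legitimately list the trash; only guard front-end requests.
    if ( is_admin() ) {
        return $posts;
    }

    $visible = array();
    foreach ( (array) $posts as $post ) {
        // A subscriber is authenticated but cannot edit other users' posts, so the
        // edit_post meta capability is the check the advisory says was missing.
        if ( 'trash' === $post->post_status
             && ! current_user_can( 'edit_post', $post->ID ) ) {
            continue; // treat an unprivileged login like an anonymous visitor
        }
        $visible[] = $post;
    }
    return $visible;
}
add_filter( 'the_posts', 'hide_trashed_posts_filter' );
```

When the filter empties the result set for a single-post request, WordPress's normal "no posts found" handling applies, so the unprivileged user sees the same response an unauthenticated visitor would.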