Re: Wordpress - Broken Access Control

[th3.r00k.nospam () pork gmail com]

Hi all,

Apparently there is some disagreement about this issue. I am providing more information to build a greater 
understanding about what is happening. 

This problem is entirely contained within the query.php file.  At the comment header of query.php it says: "The Big 
Query."  Yes indeed this file produces a large query.   This file is very disorganized and it was difficult to go 
though with a fine tooth comb,  but I did and i found a flaw because of it.   I was looking for SQL Injection,  but 
broken access control will get me a CVE number.

Perhaps this URL provides more information:
http://localhost/wordpress/index.php/'wp-admin/
I urge everyone to make this get request and to print the $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF']  variables.
You will see that wp-admin/ is at the end of these variables.

I should have provided the exact point in which the flawed query is being built.  I thought that my PoC was enough, my 
bad.
            if ( is_admin() )
                $where .= " OR post_status = 'future' OR post_status = 'draft' OR post_status = 'pending'";

This url:   htttp://localhost/wordpress/index.php/'wp-admin/ will cause the is_admin() function to return TRUE.
function is_admin () {
    global $wp_query;

    return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
}

In the future you shouldn't attack someone who is trying to help.  This is a complex and irregular issue so I totally 
understand why it was difficult to see.   In the future you shouldn't dismiss something you do not understand,  instead 
i urge you to ask questions and learn more.  

Peace