WordPress Hackers

There is a bug in WordPress right now that is rather critical for anyone who uploads posts without immediately publishing. Simply by manipulating the URL, any visitor can view all future, draft, or pending posts. Our site was vulnerable to this issue, but we patched it quickly because it could be used to retrieve the CyberNotes posts that we write ahead of time.

Why is this such a big deal? By gaining access to our future and unscheduled posts, other sites could copy our articles. They would then look like the ones who originally wrote the article, and we would look like the copiers since our post would not publish until after theirs. To make things worse, your future/draft posts may also be available in the form of an RSS feed.

–How it Works–

Without going into too much detail, we’ll just say that WordPress is incorrectly checking whether a user is an administrator (it looks for the string wp-admin/ in the requested URL rather than checking who is logged in). Using Problogger.net as an example, you can visit this URL to reveal some of his upcoming posts:

http://www.problogger.net/index.php/wp-admin/

If a website is not using the FeedBurner redirect plugin, all of the future posts will be available through an RSS feed as well. The URL for that would look something like this:

http://www.address.com/?feed=rss2&x=wp-admin/

That would not be good because there are thousands of sites out there that are set up to scrape feeds from websites and then publish the content on their own site. This would give them easy access to all of your unpublished content.

–How to Fix It–

UPDATE: The workaround below didn’t do as much good as I thought, but a new version of WordPress has already been released which corrects the issue. We recommend upgrading your WordPress as soon as possible.

WordPress 2.3.2 is in the works, and the bug should be fixed by the time it is released. The How-To Geek tipped me off on a quick fix for all of you who just want a temporary workaround. Here’s what you have to do:

  1. In your blog’s WordPress files, open the wp-includes/query.php file.
  2. Find line 37, which should look something like this:
    [Screenshot: WordPress Future Posts Before]
  3. We need to make the wp-admin/ portion more specific. For us we changed it to cybernetnews.com/wp-admin/, but yours will be a bit different. Just go to the page where you log in to your blog, and copy the portion after http:// and before wp-admin/. Then paste that before the wp-admin/ on line 37:
    [Screenshot: WordPress Future Posts After]
  4. That’s it! If you’re using a cache plugin you may need to clear the cache, or give it some time for the pages to be refreshed.

This is just a temporary fix, and when WordPress 2.3.2 is released you’ll obviously want to upgrade.
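To make the bug concrete, here is an added example (not WordPress code, and not the workaround above): it models the substring check described in this post, which matches wp-admin/ anywhere in $_SERVER['REQUEST_URI'] including the query string, next to a check anchored to the start of the request path as the commenters below suggest. The request URIs, the $base_path parameter and the function names are constructed for the example.

```php
<?php
// Added example, not WordPress code. Models the query.php check that decided
// whether future/draft posts were visible, and a path-anchored alternative.

// Weak check: 'wp-admin/' anywhere in REQUEST_URI, query string included.
function weak_admin_check(string $request_uri): bool
{
    return strpos($request_uri, 'wp-admin/') !== false;
}

// Path-anchored check: only the path component, and only at its start.
// $base_path is the install prefix ('' for a root install, '/blog' for an
// install in a subfolder), which an anchored check has to allow for.
function path_admin_check(string $request_uri, string $base_path = ''): bool
{
    $path = parse_url($request_uri, PHP_URL_PATH);
    if (!is_string($path)) {
        return false;
    }
    return strpos($path, $base_path . '/wp-admin/') === 0;
}

// Constructed request URIs: a real admin page, the two tricks from the post,
// and an ordinary front-end request. The value is what the anchored check
// is expected to return.
$samples = [
    '/wp-admin/edit.php'      => true,
    '/index.php/wp-admin/'    => false,
    '/?feed=rss2&x=wp-admin/' => false,
    '/2008/01/some-post/'     => false,
];

foreach ($samples as $uri => $expected) {
    printf("%-26s weak=%-6s anchored=%s\n", $uri,
        weak_admin_check($uri) ? 'admin' : 'public',
        path_admin_check($uri) ? 'admin' : 'public');
    assert(path_admin_check($uri) === $expected);
}
```

The weak check reports the two trick URLs as admin requests, while the anchored one does not; either way, gating on the URL is the wrong layer, and the proper fix is to check the viewer’s permissions before including future and draft posts, which is what the upgrade provides.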

[via Black Hat Domainer]

  1. I hate to break it to you, but your ‘fix’ doesn’t fix anything.

    Let’s just say I understand Vista’s Reliability and Performance Monitor and how to Run Command Power Tips.

    To fix it (this is off the top of my head), try changing the ‘!== false’ bit to ‘=== 0’ and change it to ‘/wp-admin’. This should in theory only return true when ‘/wp-admin’ is at the absolute beginning of the URL (minus the domain). Providing your WordPress installation is not in a folder, this should then only return true when you’re viewing it through the admin panel.

    I can’t even understand why that’s in there anyway as presumably to visit wp-admin you’d need to be an admin anyway.

  2. Seconding what Lewis said above. REQUEST_URI is the path relative to the document root; it does include the host name. The only thing your change does is require “cybernetnews.com/wp-admin/” to appear somewhere in the URL. As proof: your next CyberNotes is set to be published January 3rd, 2008, and has the subject “7-Zip Command Line Backups”. Lewis’s change will ensure “/wp-admin” is the first thing in the request URI, which should fix the immediate problem.

    I heartily recommend updating this post to include a proper fix (or at least to remove the faulty changes), so that no one is lent a false sense of security!

  3. I definitely see what you guys are talking about now, but Lewis’s fix does not solve the issue. I’ve tried implementing it and you can still reveal future posts.

  4. Make sure you change the !== false to === 0 and try using $_SERVER['PHP_SELF'] or $_SERVER['SCRIPT_NAME'] instead. It’s just off the top of my head but one of those *should* work.

  5. Hello, I tried replacing the old query.php with the new query.php from WP 2.3.2 RC1 for testing purposes, and all works well (you don’t have the bug anymore) except the plugin Simple Tags. You can always replace it with Recommended Tags... when do you prepare the next release? :)

  6. It looks like WordPress 2.3.2 was just released, and we’re updating as we speak. I don’t have much planned for the next release of Recommended Tags because I can’t think of anything else that I really want to add to it.