Security Bug inWordPress 1.0.1

  • Hello all.
    I’ve found security bug in WordPress 1.0.1 and according to changelog it wasn’t fixed in 1.0.2.
    The bug is following:
    When editing the templates you can enter the file name of your choice if the field at the bottom of the form named file.
    If you enter .../foo – security will not pass this file, but if you enter wp-admin/../../bar – you can edit the file, and save it successfuly.
    Under certain circumstances it can be security issue.

Viewing 6 replies - 1 through 6 (of 6 total)

  • While we’re on the subject, any chance of turning the template editor into a simple file manager?

    i had like that too… an online file editor!
    that can even be used to make online static pages…

    The template editor IS an online file editor. ?? Though I’d agree it could use a simple nav/browse interface to get to files.
    It’d also be nice if the intent IS for online editing, to add some kind of styled editor option (I’m not sure what form that would take, custom control, java, js, etc., just tossing it out there…), as it’s hard enough to read PHP with a nice colorizing editor like Crimson… but just try editing in something like notepad.. ?? Great for a quick ‘ooops, I screwed that up’ remote fix.
    -d

    well the ability to make new files would make it more powerful… i guess making the wp folder writable wont make it less secure ??

    gennadiy_l, could you confirm that you are able to edit files outside of the WordPress folder? That shouldn’t be possible because we strip directory-walking characters from the update code, look around line 54 of templates.php.

    Thanks gennadiy_l. Fix committed. I reworked things a bit, so extra testing from those using the nightlies would be appreciated.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Security Bug inWordPress 1.0.1’ is closed to new replies.