Closed Bug 840941 Opened 13 years ago Closed 13 years ago

Authorization Bypass in editorial calendar wordpress plugin

Categories: Developer Engagement :: Mozilla Hacks
Type: task
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: freddy, Assigned: zack
Keywords: sec-high, wsec-authorization
Whiteboard: [site:hacks.mozilla.org]

It is possible to bypass the authorization checks that are seemingly only present in the user interface (i.e., done via JavaScript). Crafting a request via AJAX may allow arbitrary addon users (again, editor or above) to delete posts using the `edcal_deletepost()` function. Despite the comment saying "It is not called unless the user has permission to delete the post.", no further sanitation happens and the parameters are directly fed into `wp_delete_post()`, cf. http://codex.wordpress.org/Function_Reference/wp_delete_post
Whiteboard: site:hacks.mozilla.org → [site:hacks.mozilla.org]
I don't think this is a security issue. You can only call that function if you have the nonce value which means you must be logged in and can't borrow someone else's session. WordPress prevents you from deleting posts that you don't have access to. This means an author can't log into the calendar and delete posts from another author that would normally be invisible in the calendar. I've tried logging in as an author and deleting a post I don't have access to and WordPress throws an error. Editors and administrators have access to delete any post in the blog so there's no security concern with those user roles.
The docs at http://codex.wordpress.org/Function_Reference/wp_delete_post didn't seem to indicate any permission checks and I am digging into the source code at http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/post.php#L2305 which doesn't seem to make any checks based on `wp_get_current_user()` or `current_user_can()`, which appeared to me to be the only things to look for. Maybe this is a long shot since I don't have a testing environment - I just like to be extra sure we don't miss anything ;) But please mark invalid if you can't reproduce.
Assignee: nobody → zack
You convinced me. We already had a check to make sure the user can delete the post before adding the link in the UI. I added the same check in the edcal_deletepost function. You can see the change here: http://plugins.trac.wordpress.org/changeset?reponame=&new=667420%40editorial-calendar&old=667412%40editorial-calendar This should make sure that the current user can only delete the posts he has access to delete.
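The pattern at issue in comments 0 through 3, shown as an added example that is not the Editorial Calendar plugin's code: a WordPress AJAX delete handler whose only gate is a nonce, beside the same handler with the capability check the UI already applies repeated server-side. The nonce proves the request was issued from a page served to some logged-in user; it says nothing about whether that user may delete the post named in the request, and `wp_delete_post()` itself performs no capability check, so the handler must. The action name `example_deletepost`, the nonce action `example-calendar` and the `postid` parameter are hypothetical names chosen for this illustration.

```php
<?php
// Added illustration of the authorization bypass in this bug and its fix.
// Not the plugin's code; action/nonce/parameter names below are made up.

// BEFORE: the nonce check establishes CSRF protection and that the caller is
// logged in. It does not establish that the caller may delete this post, and
// wp_delete_post() does no capability check of its own, so any editor-or-above
// user who holds a nonce can delete any post by crafting the request by hand.
function example_deletepost_vulnerable() {
    check_ajax_referer( 'example-calendar', 'nonce' );

    $post_id = absint( $_POST['postid'] );
    $deleted = wp_delete_post( $post_id ); // no check of who is asking

    wp_send_json( array( 'deleted' => (bool) $deleted ) );
}

// AFTER: repeat, inside the handler, the same decision the UI makes before it
// renders a "Delete" link. The UI-side (JavaScript) check is advisory only.
function example_deletepost_fixed() {
    check_ajax_referer( 'example-calendar', 'nonce' );

    $post_id = isset( $_POST['postid'] ) ? absint( $_POST['postid'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    if ( ! $post ) {
        wp_send_json_error( array( 'error' => 'no such post' ) );
    }

    // 'delete_post' is a meta capability: WordPress maps it to delete_posts,
    // delete_others_posts, delete_published_posts, etc. according to the
    // post's author, status and type. An author therefore passes only for
    // their own posts; editors and administrators pass for any post.
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        wp_send_json_error( array( 'error' => 'not allowed' ) );
    }

    $deleted = wp_delete_post( $post->ID );
    if ( ! $deleted ) {
        wp_send_json_error( array( 'error' => 'delete failed' ) );
    }

    wp_send_json_success( array( 'deleted' => $post->ID ) );
}

// wp_ajax_{action} hooks fire only for authenticated users; the
// wp_ajax_nopriv_ variant is deliberately not registered for a destructive op.
add_action( 'wp_ajax_example_deletepost', 'example_deletepost_fixed' );
```

The check to look for when auditing any WordPress AJAX or REST handler that writes or deletes is a `current_user_can()` call against the specific object (`'delete_post', $id`, `'edit_post', $id`), not merely a role test or a nonce. A nonce alone, as the reporter points out, is authentication plus CSRF protection, not authorization.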
Status: NEW → ASSIGNED
Thanks for fixing this so quickly! :)
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Component: hacks.mozilla.org → Mozilla Hacks
Product: Websites → Mozilla Developer Network
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: Mozilla Developer Network → Developer Engagement