WordPress.org

Make WordPress Core

Opened 15 years ago

Closed 15 years ago

#3410 closed defect (bug) (fixed)

Security : wp-admin/users.php No role user can list all wp users

Reported by: devil1591 Owned by: westi
Milestone: 2.1 Priority: highest omg bbq
Severity: critical Version: 2.1
Component: Security Keywords: security users.php has-patch
Focuses: Cc:

Description

A simple user, even without role can list every WP users.

  • Just login to WP with a basic account
  • Type /wp-admin/users.php at the end of the URL

Then it lists every users, with email and others...

Attachments (1)

3410.diff (379 bytes) - added by westi 15 years ago.
wp_die(('Cheatin’ uh?'));

Download all attachments as: .zip

Change History (5)

#1 @westi
15 years ago

  • Keywords has-patch added
  • Owner changed from anonymous to westi
  • Status changed from new to assigned
  • Version set to 2.1

Confirm this works on trunk.

Attaching simple patch which just blocks you accessing users.php as I can't see a need for someone without edit_users accessing it.

@westi
15 years ago

wp_die(('Cheatin’ uh?'));

#2 @westi
15 years ago

2.0.5 / branches/2.0 is safe from this issue already:

"You do not have sufficient permissions to access this page." - protected by the menu.php capabilities checks.

#3 @ryan
15 years ago

This is because of the way the User and Profile menus are conditionally populated in 2.1. westi's fix looks good.

#4 @ryan
15 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [4559]) Enforce edit_users cap for users.php. Props westi. fixes #3410

Note: See TracTickets for help on using tickets.