user_edit.php vulnerable: User can spy out metadata of other users

I can't reproduce this.

You can edit/see your own profile this way but otherwise the edit_users cap check blocks you from editing someone else.

That could be another bug.

The whole story: user-edit didn't work on my wordpress-blog www.poplog.de. Tried to edit users other than mine, but always I got the edit-form for my user though I'm the admin. Checked the code of user-edit.php and saw that there are two variables in use: $user_id (ID of the user to edit) and $user_ID (ID of the user looged in = in this case: admin-ID = 1) The values of both were 1 irrespective the value of user_id in the query string. Maybe configuration of PHP is the reason for this. PHP on this server doesn't work case sensitive. Therefore I found the bug described above.

Hi adapter, I have not heard of PHP that is not case sensitive for variables. What PHP are you running?

Thanks foolswisdom. You're right. This bug was caused by my-hacks.php. In one of my blogs I've implemented a user-tracking-functions and there I'm using $user_id for the ID of the user logged in. Sorry!

But I'm running several installations of wordpress, some of them without any changes and in all of them you can spy out user-data.

But it's easy to patch: Add this line of code in line 71 of user-edit.php:

<?php if (!current_user_can('edit_users')) { include('admin-footer.php'); die(); } ?>

Hi Adapter,

Thank you for participating in WordPress!

Please do not mark bugs as FIXED. That is done when a fix is checked into the official source tree.

Please try to be as concise as possible. For example when you say "this bug" I do not know if you are referring to the originally reported problem or, my guess, what you thought was causing the "case insensitivity".

Please do not attach files, but attach a diff.

ENV: WP 2.0.4

Using 2 "subscribers", I have not been able to reproduce the problem you describe.

Below "You do not have permission to edit this user." the users *own* data is displayed. I think this experience is a bit awkward (and a new bug could be created), but this is not the bug you describe.

Closing as WORKSFORME. adapter please update with detailed steps if have reproducible scenario on clean install.

That's strange.

Yesterday I downloaded the current release WP 2.0.4 and installed it here: http://test.poplog.de. There you can register, log in and call http://test.poplog.de/wp-admin/user-edit.php?user_id=1. You will see admin's data.

Hmm - I can now reproduce this both on your test blog and my test 2.0.4 install.

I believe this affects 2.0.4 and 2.1 so is a candidate for a fictional 2.0.5 as a security release.

I'm attaching patches for 2.0.x and trunk.

Fix for 2.0.x

Fix for trunk

(In [4216]) Don't show user form without privs. Props westi. fixes #3142

Thanks Adapter. I can also now confirm the bug -- also not sure what I was doing before. Thank you for your patience and sticking with it.

I have also verified the fix.

(In [4244]) Don't show user form without privs. Props westi. fixes #3142

Milestone 2.0.5 deleted