Ticket #4422 (closed defect: fixed)

Opened 1 year ago

Last modified 1 year ago

Anyone can delete attachments

Reported by: xknown
Assigned to: rob1n
Priority: high
Milestone: 2.2.1
Component: Security
Version: 2.2
Severity: critical
Keywords: has-patch commit
Cc:

Description

An unregistered user can delete attachments through an XML-RPC request:

<methodCall>
  <methodName>wp.uploadFile</methodName>
  <params>
    <param><value>1</value></param> <!-- blog_id -->
    <param><value>1</value></param> <!-- username: bogus, never validated before the delete -->
    <param><value>1</value></param> <!-- password: bogus -->
    <param><value>
      <struct>
        <member><name>name</name><value>attachment_name</value></member> <!-- existing attachment to clobber -->
        <member><name>overwrite</name><value>1</value></member>
      </struct>
    </value></param>
  </params>
</methodCall>

I'll submit a partial fix -- I think that a user should only be able to delete their own uploaded files.
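
The ordering problem behind this report, shown as an added illustration rather than WordPress's own xmlrpc.php or either patch on this ticket: a stripped-down upload handler whose overwrite branch deletes the existing attachment before credentials are checked, beside the same handler with the checks moved first. The store, the credential table and the helper names (check_login, delete_attachment, upload_file_vulnerable, upload_file_fixed) are all assumptions made up for the example.

```php
<?php
// Added illustration, not WordPress code. Models the bug in #4422:
// wp.uploadFile honoured data['overwrite'] before validating the caller.
// All names and data here are hypothetical.

$attachments = ['report.pdf' => 'alice']; // constructed store: file name => owner
$users       = ['alice' => 'secret'];     // constructed credential table

function check_login(string $user, string $pass): bool {
    global $users;
    return isset($users[$user]) && hash_equals($users[$user], $pass);
}

function delete_attachment(string $name): void {
    global $attachments;
    unset($attachments[$name]);
}

// Vulnerable ordering: the overwrite branch runs before any credential
// check, so an unauthenticated caller can delete any attachment by name.
function upload_file_vulnerable(string $user, string $pass, array $data): string {
    global $attachments;
    if (!empty($data['overwrite']) && isset($attachments[$data['name']])) {
        delete_attachment($data['name']); // side effect happens here
    }
    if (!check_login($user, $pass)) {
        return 'fault: login failed';     // too late, the file is already gone
    }
    $attachments[$data['name']] = $user;
    return 'ok';
}

// Fixed ordering: authenticate, then authorize (only the owner may
// overwrite), and only then touch the existing attachment.
function upload_file_fixed(string $user, string $pass, array $data): string {
    global $attachments;
    if (!check_login($user, $pass)) {
        return 'fault: login failed';
    }
    if (!empty($data['overwrite']) && isset($attachments[$data['name']])) {
        if ($attachments[$data['name']] !== $user) {
            return 'fault: not the owner of this attachment';
        }
        delete_attachment($data['name']);
    }
    $attachments[$data['name']] = $user;
    return 'ok';
}

// Anonymous request with overwrite=1, mirroring the ticket's reproduction.
$req = ['name' => 'report.pdf', 'overwrite' => 1];

echo upload_file_vulnerable('', '', $req), "\n";
var_dump(isset($attachments['report.pdf']));   // the fault came back, but the file is gone

$attachments['report.pdf'] = 'alice';          // restore the store for the second run
echo upload_file_fixed('', '', $req), "\n";
var_dump(isset($attachments['report.pdf']));   // fault, and the attachment survives

echo upload_file_fixed('bob', 'x', $req), "\n";         // wrong password: rejected before the delete
echo upload_file_fixed('alice', 'secret', $req), "\n";  // owner with valid credentials: allowed
```

The two versions differ only in where the overwrite branch sits; that is the whole fix (the committed change "Check the user before overwriting the attachment"). The ownership test is the extra condition the reporter suggests, so that a valid but unrelated account cannot delete another user's upload either.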

Attachments

xmlrpc.php.patch (0.8 kB) - added by xknown on 06/08/07 14:49:57.
Move user validation before attachment deletion
4422.diff (1.4 kB) - added by rob1n on 06/08/07 14:58:50.
xmlrpc.php-diff (1.7 kB) - added by josephscott on 06/08/07 16:59:04.

Change History

06/08/07 14:49:57 changed by xknown

  • attachment xmlrpc.php.patch added.

Move user validation before attachment deletion

06/08/07 14:50:58 changed by rob1n

  • keywords set to has-patch.

Looks good to me, but I'm not an XML-RPC guru.

06/08/07 14:58:50 changed by rob1n

  • attachment 4422.diff added.

06/08/07 16:22:38 changed by foolswisdom

  • owner changed from anonymous to josephscott.
  • priority changed from normal to high.
  • severity changed from normal to critical.

06/08/07 16:59:04 changed by josephscott

  • attachment xmlrpc.php-diff added.

06/08/07 17:00:51 changed by josephscott

My diff pushes the overwrite feature even further down, to just before the upload gets saved.

06/08/07 17:02:59 changed by rob1n

  • keywords changed from has-patch to has-patch commit.
  • owner changed from josephscott to rob1n.
  • status changed from new to assigned.

06/08/07 17:06:58 changed by rob1n

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [5670]) Check the user before overwriting the attachment. Props xknown and Joseph Scott. fixes #4422

06/08/07 17:07:59 changed by rob1n

(In [5671]) Check the user before overwriting the attachment. Props xknown and Joseph Scott. fixes #4422

06/08/07 17:08:48 changed by rob1n

  • milestone changed from 2.2.2 to 2.2.1.