Do the 2.5 - 09/01/04 patches fix the display admin exploit?

Posted: Mon Sep 13, 2004 9:18 am

Do the 2.5 - 09/01/04 patches fix the security hole that allows the following script to display the admins? Fortunately, I have HTTP Authentication Using PHP CGI and Apache on my sites which is another layer of security that the above script cannot defeat easily.

Posted: Mon Sep 13, 2004 9:44 am

Have not tested that but 2.6 does, you won't be able to view the admins or perform the other authors.php functions if not logged in as an admin, if you are using 7.5 test it by logging out as admin and then running that hack, you should be asked to login after you click the display button, let me know how it goes, hopefully i will be updating the patches to 2.6 if nothing else is reported.

Posted: Mon Sep 13, 2004 9:57 am

I tested it on my 7.5 site, and it did bring up the pop up Login box

Posted: Mon Sep 13, 2004 11:30 am

I'm under the impression that what is meant to happen with this hack is that site admins that would normally not be able to perform these actions can because of a faulty access check so i will run some tests with that in mind, if that is the case then i will edit the file so that only the superuser gets access, the check at the start of the file does not seem to be doing the job for whatever reason.

Posted: Mon Sep 13, 2004 11:46 am

Nope, created a new admin, gave it access to several modules, logged in as him, ran the script and got a Access Denied message.