security hole in wordpress-admin-bar under WPMU?

I just tried logging into ucalgaryblogs.ca using a test user account, and was surprised to see a strange item in the admin bar at the top of the page:

wordpress-admin-bar-security-hole

I was curious, so I clicked it.

wordpress-admin-bar-security-hole-menu

mwah? Those are site-admin items, being displayed to a non-admin user. I was actually able to click the “Admin Message” item to set that, even though the logged-in user wasn’t an admin. Scary. Luckily, nobody’s noticed the extra menu yet – or if they have, they’ve behaved.

I poked around in the wordpress-admin-bar.php file to see if I could plug the hole. I have no idea if this is the right way, but I’ve added this bit:

} else {
    if ($menu[0]['title'] === null)  continue; // this is the line I added
    echo '                  <li class="wpabar-menu_';
    if ( TRUE === $menu[0]['custom'] ) echo 'admin-php_';

It’s down around line 320 or so. It’s probably not the correct or most reliable way to strip that menu from non-admin-users’ version of the admin bar, but it worked. Here’s the result:

wordpress-admin-bar-security-hole-fixed

Has anyone else seen the extra menu? Could it have just been a freak thing only on my WPMU install, or is this a wide open potential security problem in the shipping wordpress-admin-bar.php file? It was written for non-WPMU WordPress, so it’s quite possible it just doesn’t grok the different types of users in WPMU.
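
The one-line patch above hides the menu. The sketch below is an added example, not part of the original post or of wordpress-admin-bar.php, and ties both the menu and the "Admin Message" save to the viewer's privilege. The `site_admin_only` flag and the function names are assumptions; under WPMU the boolean would come from `is_site_admin()`.

```php
<?php
// Added example; not code from wordpress-admin-bar.php. The 'site_admin_only'
// flag and all function names are assumptions. Under WPMU the $isSiteAdmin
// argument would come from is_site_admin().

// Decide visibility from the viewer's privilege, not from a missing title.
function visible_menus(array $menus, bool $isSiteAdmin): array {
    return array_values(array_filter($menus, function ($menu) use ($isSiteAdmin) {
        $top = $menu[0];
        if ($top['title'] === null) {
            return false;                     // the guard added in the post
        }
        return $isSiteAdmin || empty($top['site_admin_only']);
    }));
}

// The handler enforces the same rule itself, so a request that arrives
// without going through the menu is refused as well.
function save_admin_message(bool $isSiteAdmin, string $message, array &$store): bool {
    if (!$isSiteAdmin) {
        return false;
    }
    $store['admin_message'] = trim($message);
    return true;
}

// Constructed sample data.
$menus = [
    [['title' => 'Dashboard',  'custom' => false]],
    [['title' => 'Site Admin', 'custom' => false, 'site_admin_only' => true]],
    [['title' => null,         'custom' => false]],
];
$store = [];

foreach ([false, true] as $isSiteAdmin) {
    $titles = array_map(fn($m) => $m[0]['title'], visible_menus($menus, $isSiteAdmin));
    $saved  = save_admin_message($isSiteAdmin, ' maintenance tonight ', $store);
    printf("site admin: %s | menus: %s | message saved: %s\n",
        $isSiteAdmin ? 'yes' : 'no', implode(', ', $titles), $saved ? 'yes' : 'no');
}
```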

3 thoughts on “security hole in wordpress-admin-bar under WPMU?”

  1. yeah, I figured it was probably just the plugins not calling a hook or something, but it’d be safer to just yank the whole site-admin menu for non-admins, just in case a renegade plugin author forgets to do that coughthemestatspluginahem ;-)

  2. I’ll have to check–I assume it would be the case if Andrea noticed it too, but I don’t see it in my installation because I am using the WPMU Menu plugin and have disabled many menu options to simplify the interface. Alternatively, you could disable the top menu bar.

    Of course, your hack appears to work!

    Nice job spotting that!
