• I am having a problem with a security scan from Security Metrics that is saying the is_admin() function in wp-includes/query.php does not properly check for administrative credentials and will allow specific attacks to view all posts marked “future”, “draft”, “pending”.

    However, I am having multiple problems. The first of which is when I look in query.php I can’t find the is_admin() function defined anywhere in the file. Is this function defined somewhere else now?

    The second is any documentation I find on this issue is from like 2 years ago. Does anyone know what exactly the deal is? All I got from the tech support over there is I should delete the query.php file, which clearly will not work.

    Any help I can get would be great.

Viewing 6 replies - 1 through 6 (of 6 total)
  • is_admin is defined in wp-settings.php (which is in the root WP folder).

    With regard to whether this is a genuine security concern or not, you could try running a search on Trac to see if it’s been brought up previously and either dealt with or closed as a non-issue.

    Your final option if you feel that this is of real concern is to contact security at www.ads-software.com but please do try to provide as much detailed information as you can.

    Thread Starter jdmanci7

    (@jdmanci7)

    Thanks, saved me hours of looking.

    Overall the problem isn’t up to me. Basically my website also has e-commerce, in which the credit card merchant has decided all companies must be compliant with a security company’s standards, in this case Security Metrics.

    When they scan the website, they come up with an issue that they consider not up to their standards of security for websites that do e-commerce and process credit cards.

    The problem is they are saying that the query.php file is creating a situation in which the is_admin() function returns true to a particular URL, which allows said person to view all messages, whether or not they are considered drafts, future, or pending.

    There is a trac for it:
    https://core.trac.www.ads-software.com/ticket/5487

    and this leads to another page:
    https://www.securityfocus.com/archive/1/485252/30/0/threaded

    and this posting:
    https://www.blackhatdomainer.com/how-to-know-today-what-shoemoney-is-going-to-post-tomorrow

    Now these are like 2 years old. I haven’t been using WordPress long enough to know whether or not the is_admin() has changed.

    Did WordPress ever update in the last two years to block this? Or have they just left it up to the user to apply the patch described in the trac if they don’t want people peeking on their future posts?

    Oh, and how this affects credit card processing and why a security company considers this a level 4 out of 8 threat and thus not compliant beats me, lol.

    This issue was fixed in WordPress 2.3.2 as can be seen from the ticket.

    If you are running the latest version then you should be protected against this.

    Hi,

    We are experiencing the same issue. We are running WordPress 2.9.2 but Security Metrics is still failing us because of:

    Synopsis: The remote web server contains a PHP application that is affected by an information disclosure issue.
    Description: The version of WordPress on the remote host does not properly check for administrative credentials in the ‘is_admin()’ function in ‘wp-includes/query.php’. Using a specially-crafted URL that contains the string ‘wp-admin/’, an attacker may be able to leverage this issue to view posts for which the status is classified as ‘future’, ‘draft’, or ‘pending’, which would otherwise be available only to authenticated users.
    See also: https://www.securityfocus.com/archive/1/485160/30/0/threaded https://trac.www.ads-software.com/ticket/5487
    Solution: Unknown at this time.

    Help please!
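The mechanism the scan text describes, shown as an added illustration that is not part of this thread and not WordPress core source: a privilege decision that is derived from whether the request URI contains the string ‘wp-admin/’ can be satisfied by any visitor who puts that string in a URL, while a decision based on the user’s capability cannot. The post data, the URIs and the helper names are constructed for the example; the capability check stands in for WordPress’s own current_user_can('edit_posts').

```php
<?php
// Added illustration (not WordPress core code): why answering "may this
// request see unpublished posts?" from the request URI is unsafe, beside
// a capability-based check.

// The pattern the scan description refers to: "am I in the admin area?"
// is decided by looking for 'wp-admin/' anywhere in the request URI.
// Hypothetical simplification, not the exact historical WordPress source.
function is_admin_by_uri(string $request_uri): bool {
    return strpos($request_uri, 'wp-admin/') !== false;
}

// Hardened variant: unpublished posts are shown only to a user who holds
// a capability, regardless of what the URL looks like. In real WordPress
// this would be current_user_can('edit_posts'); here $user_caps is a
// constructed array of capability names for the current visitor.
function can_view_unpublished(array $user_caps): bool {
    return in_array('edit_posts', $user_caps, true);
}

// Filter a post list the way a front-end query would: published posts
// always, everything else only when $show_unpublished is true.
function visible_posts(array $posts, bool $show_unpublished): array {
    return array_values(array_filter($posts, function (array $p) use ($show_unpublished) {
        return $p['status'] === 'publish' || $show_unpublished;
    }));
}

// Constructed sample data: one live post and two that should stay hidden.
$posts = [
    ['title' => 'Launch announcement', 'status' => 'publish'],
    ['title' => 'Next week post',      'status' => 'future'],
    ['title' => 'Half-written draft',  'status' => 'draft'],
];

// An anonymous visitor: first a normal front-end URL, then one that merely
// contains the magic string (the wp-admin/ directory need not be hit at all).
foreach (['/?s=test', '/?s=test&x=wp-admin/'] as $uri) {
    $shown = visible_posts($posts, is_admin_by_uri($uri));
    printf("URI-based check, %-24s -> %d of %d posts visible\n",
        $uri, count($shown), count($posts));
}

// The same anonymous visitor (no capabilities) under the capability check:
// the URL is irrelevant, only the published post is returned.
$shown = visible_posts($posts, can_view_unpublished([]));
printf("capability check, anonymous visitor -> %d of %d posts visible\n",
    count($shown), count($posts));
```

Run with `php` from the command line. The first URI yields 1 of 3 posts, the second yields all 3 under the URI-based check, and the capability check yields 1 of 3 for both. This is the class of bug the ticket linked above addresses; the scanner, however, is matching on the reported WordPress version rather than probing the behaviour, which is why a fixed installation can still be flagged.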

    Mitchell_T

    (@mitchell_t)

    You may have figured this out by now, but this may help others.

    I had the same issue with SecurityMetrics and was running WordPress v3.0.1 which was the recommended version to be on. Still failed the SecurityMetrics scans. I found a post someplace mentioning to suppress the WordPress meta “generator” tag which announces the WordPress version in the document head of each page.

    So, I made a change to \wp-includes\general-template.php, setting $gen=''; below line 2200, saved the file, uploaded and rescanned to get a passing grade the next day.

    Cheers –
    Mitchell_T
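The same result as the edit described above, as an added example that is not Mitchell_T’s code and not WordPress core: instead of changing $gen in wp-includes/general-template.php, which the next core update silently overwrites, the generator output can be removed through WordPress’s own hooks from a must-use plugin. The file name and the mu-plugins location are assumptions about your install; remove_action, add_filter, the wp_head action, the wp_generator callback and the the_generator filter are real WordPress APIs.

```php
<?php
/*
Plugin Name: Hide WordPress generator tag (added example)
Description: Suppresses the "generator" version string without editing core files.
*/
// Added example, not from this thread and not WordPress core. Save it as
// wp-content/mu-plugins/hide-generator.php (assumed path); files in
// mu-plugins load automatically and survive core updates.

// wp_generator is the core callback hooked to wp_head that prints
// <meta name="generator" content="WordPress x.y" /> in every page head.
remove_action('wp_head', 'wp_generator');

// The same version string also appears in RSS/Atom/RDF feeds via the
// the_generator() template tag, which is not removed by the line above.
// Its output passes through the 'the_generator' filter for every type,
// so returning an empty string blanks it everywhere at once.
function hide_generator_example_blank($generator, $type) {
    return '';
}
add_filter('the_generator', 'hide_generator_example_blank', 10, 2);
```

Activate nothing; mu-plugins are always on. Verify with `curl -s https://example.com/ | grep -i generator` (hostname assumed) before the rescan. Note that this only hides the version banner the scanner is fingerprinting on; the code on the server is unchanged, so keeping WordPress current is still what actually closes the finding the scanner is reporting.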

    geilt

    (@geilt)

    Mitchell_T, what fortunate luck I came across your post 11 seconds after you wrote it, and amazing that Google Indexed it so fast too!

    I have changed $gen to '' myself and am running a Security Metrics PCI Compliance scan yet again; it kept thinking my WordPress version was 1.2 when it is 3.0.1!

    I am hoping this fixes it.

    Thanks again.
