Tenacious Creations

(This has been fixed by WordPress -
Click Here to read more)

 You don’t need a crystal ball to see what is going to be posted in the future on your favorite blog. At least you don’t need the crystal ball if the author has edited the time stamp to post date it.

 Now if you follow Bug Traq or Security Focus you already know about this bug since it came out around December 14 2007. But for those of you who may not be technically minded when it comes to how your favorite word press sites work let me try and explain what this exploit does.

 When I write a post in Word Press I have the option to edit the time stamp. The time stamp defaults to the current time of your server. But lets say I want this post which I am writing on December 26 to be published on December 28. I go and check edit Time stamp in word press and change the time time to be that of when I want this published. Now when I click the publish button the post will not be posted until the date and time I specified. Many bloggers use this feature. Some use it while they are away on holidays, some just use it because they don’t want too many posts posting all in one day.

 So where is the exploit - well rather than mean writing in detail about you can read the details at Securtiyfocus.com. It does not allow the malicious user to change anything, all they are able to do is view posts that are not yet posted. Its real simple to do just type this in your browser (or click on it) - http://www.tenaciouscreations.com/?x=wp-admin/&paged=1. Now if I have any posts that have yet to be published you’ll be able to see them. If I don’t you’ll just go to the main page.

 This can be used on any blog that is running word press. For example (replace myfavoriteblog.com with the site address of the wordpress site you want to use this on) Http://www.myfavoritebloghere.com/?x=wp-admin/&paged=1. The important part here is the ?x=wp-admin/&paged=1, if you add that to the url of the word press site you want to look into the future of it will work (at least until a patch is made). Some sites say that if search engine friendly urls are turned on it will not work. However I have found this not to be true. Word Press only changes the URL to a search friendly one after it has been published to the main site at the time it was intended to be.

 Now this bug is considered not to be dangerous. For the most part I guess it is. But what if your a company who uses word press and you have an important announcement of new product timed to be published at midnight. Your competitor finds your post using this method and leaks the information. That’s probably not that good, but I think if your worked the publicity right you could turn it around to be something really good! In fact you could use it to draw a lot of traffic to your site.

 In my case if you are reading my posts early, I don’t think it is too terrible of a thing. At least your reading them ;).

If you enjoyed this post, make sure you subscribe to my RSS feed!