security hole in wordpress-admin-bar under WPMU?

I just tried logging into using a test user account, and was surprised to see a strange item in the admin bar at the top of the page:


I was curious, so I clicked it.


mwah? Those are site-admin items, being displayed to a non-admin user. I was actually able to click the “Admin Message” item to set that, even though the logged in user wasn’t an admin. Scary. Luckily, nobody’s noticed the extra menu yet – or if they have, they’ve behaved.

I poked around in the wordpress-admin-bar.php file to see if I could plug the hole. I have no idea if this is the right way, but I’ve added this bit:

} else {
    if ($menu[0]['title'] === null)  continue; // this is the line I added
    echo '                  <li class="wpabar-menu_';
    if ( TRUE === $menu[0]['custom'] ) echo 'admin-php_';

It’s down around line 320 or so. It’s probably not the correct or most reliable way to strip that menu from non-admin-users’ version of the admin bar, but it worked. Here’s the result:


Has anyone else seen the extra menu? Could it have just been a freak thing only on my WPMU install, or is this a wide open potential security problem in the shipping wordpress-admin-bar.php file? It was written for non-WPMU WordPress, so it’s quite possible it just doesn’t grok the different types of users in WPMU.
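An added example, not code from wordpress-admin-bar.php or from the post: skipping untitled entries hides the link, but the page behind it still needs its own check. The sketch below filters menu entries by a required capability and repeats the check in the handler. The `cap` field, the `site_admin` capability name, the helper functions and the sample data are all hypothetical and constructed for illustration.

```php
<?php
// Constructed data: 'title' and 'custom' mirror the fields visible in the
// snippet above; 'cap' and every helper name here are hypothetical.
$menus = [
    [['title' => 'Dashboard',  'custom' => false, 'cap' => 'read']],
    [['title' => 'Site Admin', 'custom' => false, 'cap' => 'site_admin']],
    [['title' => null,         'custom' => true,  'cap' => 'site_admin']],
    [['title' => 'Stats',      'custom' => true]], // plugin forgot to declare a capability
];

// Stand-in for the platform's capability check (hypothetical).
function user_has_cap(array $user, string $cap): bool {
    return in_array($cap, $user['caps'], true);
}

// Rendering: deny by default. An entry with no declared capability, or one
// the user lacks, is dropped regardless of whether it has a title.
function visible_menus(array $menus, array $user): array {
    return array_values(array_filter($menus, function ($menu) use ($user) {
        $cap = $menu[0]['cap'] ?? null;
        return $cap !== null && user_has_cap($user, $cap);
    }));
}

// Handling: the action behind the link repeats the check, because hiding a
// menu item does not stop a direct request to the page it points at.
function save_admin_message(array $user, string $message): string {
    if (!user_has_cap($user, 'site_admin')) {
        return 'denied';
    }
    return 'saved: ' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}

$test_user  = ['login' => 'testuser', 'caps' => ['read']];
$site_admin = ['login' => 'admin',    'caps' => ['read', 'site_admin']];

foreach ([$test_user, $site_admin] as $u) {
    $titles = array_map(fn($m) => $m[0]['title'] ?? '(untitled)', visible_menus($menus, $u));
    echo $u['login'], ' sees: ', implode(', ', $titles), PHP_EOL;
    echo $u['login'], ' save: ', save_admin_message($u, 'Maintenance at 9pm'), PHP_EOL;
}
```
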

3 thoughts on “security hole in wordpress-admin-bar under WPMU?”

  1. yeah, I figured it was probably just the plugins not calling a hook or something, but it’d be safer to just yank the whole site-admin menu for non-admins, just in case a renegade plugin author forgets to do that *cough*themestatsplugin*ahem* 😉

  2. I’ll have to check–I assume it would be the case if Andrea noticed it too, but I don’t see it in my installation because I am using the WPMU Menu plugin and have disabled many menu options to simplify the interface. Alternatively, you could disable the top menu bar.

    Of course, your hack appears to work!

    Nice job spotting that!
