• @timothyblynjacobs

    When not authenticated in the browser (and the Hide Backend cookie has expired), clicking on the About WordPress link in the email below results in a 404 – not_found (or 403 – This has been disabled) when the Hide Backend module is enabled:

    [iTSec Testenv] Your site has updated to WordPress 5.7.2

    Howdy! Your site at http://www.example.com has been updated automatically to WordPress 5.7.2.

    No further action is needed on your part. For more on version 5.7.2, see the About WordPress screen:
    http://www.example.com/wp-admin/about.php

    If you experience any issues or need support, the volunteers in the WordPress.org support forums may be able to help.
    https://wordpress.org/support/forums/

    You also have some plugins or themes with updates available. Update them now:
    http://www.example.com/wp-admin/

    The WordPress Team

    The http://www.example.com/wp-admin/about.php link in the email above is generated using:

    admin_url( 'about.php' )

    Even though the Hide Backend module hooks into the admin_url filter, the hooked callback doesn’t check for the about.php value in the $path arg.

The callback code can easily be adapted, but it will result in adding the itsec-hb-token url parameter for every admin_url( 'about.php' ) call … (WordPress core currently includes only one such call, but plugins and themes can include it too).

Another thing is that when WordPress core generates the about.php link it doesn’t know whether the link (from the email) will work as is, or whether it needs the itsec-hb-token url parameter for it to work.
    That means the itsec-hb-token url parameter might be added/exposed unnecessarily. It’s kind of sensitive info and we don’t know where these types of generated links end up. See my dilemma?

Anyway, very interested in your opinion 😉

Below is the link that IMHO would work under any condition:

    http://www.example.com/wp-admin/about.php?itsec-hb-token=mytoken

    Oh, I also tried http://www.example.com/mytoken/about.php but that results in a “File not found” message, which probably makes sense …
Or should it redirect to the working url above?

    Web server – nginx/1.18.0
    PHP version – 7.4.15

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter nlpro

    (@nlpro)

    On second thought, this isn’t any different than the change email link in the confirmation request email when a change of user email address is attempted.

    The Hide Backend module already hooks into the admin_url filter and checks whether the value of the $path arg starts with ‘profile.php?newuseremail=’. If so the hide backend url parameter is added to the url. The $path arg value checked for is a bit more specific in this case, but other than that it’s exactly the same situation.

    To resolve the (possibly) failing about.php link in the core update email please add another condition to the filter_admin_url() callback like this:

    if ( 0 === strpos( $path, 'profile.php?newuseremail=' || 'about.php' === $path ) ) {

    😉

    Thread Starter nlpro

    (@nlpro)

    Correction:

    if ( 0 === strpos( $path, 'profile.php?newuseremail=' ) || 'about.php' === $path ) {

    😉
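As an added illustration (not the plugin's own code), the corrected condition from the reply above in a stand-alone admin_url filter callback. ITSEC_DEMO_TOKEN is a placeholder for the real Hide Backend token, and the itsec_demo_* names are hypothetical; the broken function shows why the first version of the condition never matched about.php.

```php
<?php
// Added illustration, not the iThemes Security plugin's own code.
// ITSEC_DEMO_TOKEN is a placeholder for the real Hide Backend token.
const ITSEC_DEMO_TOKEN = 'mytoken';

// Corrected condition from the thread: match the email-change link prefix
// or the exact about.php path, and nothing else, so the token is not
// appended to every admin link.
function itsec_demo_path_needs_token( string $path ): bool {
    return 0 === strpos( $path, 'profile.php?newuseremail=' ) || 'about.php' === $path;
}

// First (broken) version: 'profile.php?newuseremail=' || ... evaluates to
// bool true, which strpos() receives as the needle "1", so neither
// about.php nor the profile link is matched.
function itsec_demo_broken_condition( string $path ): bool {
    return 0 === strpos( $path, 'profile.php?newuseremail=' || 'about.php' === $path );
}

// admin_url filter callback: append the token only to the matching paths,
// using '&' when the URL already carries a query string.
function itsec_demo_filter_admin_url( string $url, string $path ): string {
    if ( ! itsec_demo_path_needs_token( $path ) ) {
        return $url;
    }
    $separator = ( false === strpos( $url, '?' ) ) ? '?' : '&';
    return $url . $separator . 'itsec-hb-token=' . rawurlencode( ITSEC_DEMO_TOKEN );
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: hook with the $url and $path arguments.
    add_filter( 'admin_url', 'itsec_demo_filter_admin_url', 10, 2 );
} elseif ( PHP_SAPI === 'cli' ) {
    // Outside WordPress (php this-file.php): constructed sample paths.
    $base = 'http://www.example.com/wp-admin/';
    foreach ( [ 'about.php', 'profile.php?newuseremail=abc123', 'index.php' ] as $path ) {
        printf( "%-34s corrected=%d broken=%d -> %s\n",
            $path,
            itsec_demo_path_needs_token( $path ),
            itsec_demo_broken_condition( $path ),
            itsec_demo_filter_admin_url( $base . $path, $path )
        );
    }
}
```

Run from the command line, only about.php and the newuseremail link get the token appended; index.php is returned unchanged.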


The topic ‘About WordPress link in update email while Hide Backend is enabled’ is closed to new replies.