How to know today what ShoeMoney is going to post tomorrow

Posted by k | Posted in Uncategorized | Posted on 21-12-2007

Yes, I must admit, this is a linkbait post. As you can see, this blog doesn't have ads; I am not in it for the money, but I do like the fame. So, here goes a very funny WordPress trick.

There is a vulnerability in WordPress that abuses a well-known feature called "Post Timestamp": you can write a post and set its publication date in the future, and the post is only displayed once that time arrives.

The vulnerability, first released by Michael Brooks (reported a while ago on Bugtraq and today on XSS news), lets anyone read "future posts": scheduled posts that are not yet live. In other words, you can read the future of your favourite blog.

And it works. For instance, tomorrow, ShoeMoney is going to post about UFC 79 Nemesis Matt Hughes VS George St Pierre.

http://www.shoemoney.com/?x=wp-admin/&paged=1

The URL works because the affected WordPress versions treated any request whose URL contained "wp-admin/" as an admin request, so smuggling that string into a query-string parameter is enough to have scheduled and draft posts included in the listing.

Update: ProBlogger is even funnier, with posts for the 23rd, 24th and the "Best of ProBlogger – 2007" on the 25th. LOL.
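As an added example (not code from this post or from WordPress itself), the following Python model shows why the URL above works and what a correct check looks like: the flawed policy decides post visibility from a substring match on the request URI, while the hardened policy looks only at the path and additionally requires an authenticated capability. The post table, the access-log lines and the capability name `edit_posts` are constructed for the example; the capability WordPress 2.3.2 actually checks is not stated on this page. The last function scans log lines for the exploit pattern, which is the check an operator would want after reading this.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample post table covering the statuses the bug exposed or hid;
# none of these are real posts from the blogs named on the page.
POSTS = [
    {"id": 1, "title": "Published post",         "status": "publish", "date": datetime(2007, 12, 20)},
    {"id": 2, "title": "Scheduled for tomorrow", "status": "future",  "date": datetime(2007, 12, 22)},
    {"id": 3, "title": "Half-written draft",     "status": "draft",   "date": datetime(2007, 12, 21)},
]


def is_admin_uri_substring(request_uri):
    """The flawed heuristic described in the comments: 'wp-admin/' anywhere in
    the request URI, query string included, is taken to mean an admin request."""
    return "wp-admin/" in request_uri


def is_admin_path(request_uri):
    """Only the path component decides whether the admin area was requested;
    '?x=wp-admin/' lands in the query string and does not count."""
    return urlsplit(request_uri).path.startswith("/wp-admin/")


def visible_statuses_vulnerable(request_uri, user_caps):
    """Pre-fix behaviour: routing alone unlocks unpublished statuses."""
    statuses = {"publish"}
    if is_admin_uri_substring(request_uri):
        statuses |= {"draft", "future"}
    return statuses


def visible_statuses_fixed(request_uri, user_caps):
    """Hardened behaviour: where a request was routed says nothing about who
    sent it, so unpublished statuses require an authenticated capability.
    'edit_posts' is a placeholder capability name for this example."""
    statuses = {"publish"}
    if is_admin_path(request_uri) and "edit_posts" in user_caps:
        statuses |= {"draft", "future"}
    return statuses


def query_posts(request_uri, user_caps, policy):
    """Return the ids of the posts a request may see under the given policy."""
    allowed = policy(request_uri, user_caps)
    return [p["id"] for p in POSTS if p["status"] in allowed]


# Constructed access-log lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Dec/2007:10:00:01 +0000] "GET /?x=wp-admin/&paged=1 HTTP/1.1" 200 8123
203.0.113.7 - - [21/Dec/2007:10:00:05 +0000] "GET /?paged=2 HTTP/1.1" 200 7980
198.51.100.2 - - [21/Dec/2007:10:01:12 +0000] "GET /wp-admin/edit.php HTTP/1.1" 302 0
203.0.113.7 - - [21/Dec/2007:10:02:40 +0000] "GET /?x=wp-admin/&paged=2 HTTP/1.1" 200 8004
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def find_probes(log_text):
    """Flag requests carrying 'wp-admin/' in the query string rather than the
    path: a real admin visit keeps it in the path, this trick smuggles it into
    a parameter so the substring check fires. Returns request targets in log order."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        if "wp-admin/" in urlsplit(target).query:
            hits.append(target)
    return hits


if __name__ == "__main__":
    anon = set()  # an unauthenticated visitor has no capabilities
    print(query_posts("/?x=wp-admin/&paged=1", anon, visible_statuses_vulnerable))  # [1, 2, 3]
    print(query_posts("/?x=wp-admin/&paged=1", anon, visible_statuses_fixed))       # [1]
    print(find_probes(SAMPLE_LOG))  # ['/?x=wp-admin/&paged=1', '/?x=wp-admin/&paged=2']
```

The point the model makes is that the vulnerable check conflates routing with authorization: nothing about a URL proves who sent the request, so any decision that widens the result set must be tied to the authenticated user's capabilities, not to the shape of the URL.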

Comments (26)

  1. Very, very nice. I need to start reading BugTraq more.
    You should get yourself a sphinn avatar so your posts stick out more; I almost missed this one.

  2. See, the simple way to avoid this is to be totally disorganised and have no forward planning. Looks like I'm safe then :D

  3. Nice find. What you should have done is copied & pasted his article here first, and when he posted his, start shouting about being ripped off and ride the Digg/Sphinn train to fortune and glory.

    Now that would be black hat :)

  4. @Brendan
    I like the way you think!

  5. That’s such a bizarre bug. I’m stunned that WordPress has such a glaring vulnerability.

    Darren and Shoe must be kicking themselves, especially Darren who regularly advises people to schedule posts for launch.

  6. The flux capacitor of WordPress. Very nice.

  7. This issue is resolved in the soon to be released WordPress 2.3.2 (2.3.2-beta2)

  8. Heh just so you know, there’s some shit who duped your post, spun a bunch of accounts, and started running it up sphinn.
    imakemoneyhoney.blogspot.com/2007/12/how-to-know-what-shoemoney-is-going-to.html
    just givin ya a head’s up.

  9. Thanks SlightlyShadySEO!

  10. [...] [via Black Hat Domainer] [...]

  11. neat trick! spun

  12. Np.
    If you feel like it, you can probably get his entire feedburner account torched at http://www.feedburner.com/fb/a/contact
    hmm I wonder if he keeps other more legit blogs on there…

  13. [...] the ticket "query.php mistakenly uses is_admin() to check for admin privileges", and someone has gone straight ahead and written it up as a practical demonstration: How to know today what ShoeMoney is going to post tomorrow. [...]

  14. [...] The problem lay in a user check in the file wp-includes/query.php, which assumed you were an administrator if it found wp-admin/ in the browser URL, leaving it open to situations like these: [...]

  15. WordPress Future Draft expose – WordPress 2.3.2 Upgrade…

    More info with the latest version can be found at WordPress development blog.
    The draft vulnerability is funny though. Read it all at BlackHat Domainer. Nice catch.
    ……

  16. [...] The problem lay in a user check in the file wp-includes/query.php, which assumed you were an administrator if it found wp-admin in the browser URL, leaving it open to situations like these: [...]

  17. [...] The bug has highlighted how easily you could read what ShoeMoney or Problogger is going to post tomorrow! Simply modify the url below and behold the bug for any blog … http://www.yourblogname.com/?x=wp-admin/&paged=1 I tried it on my blog and was unable to see any future posts because I use search engine friendly permalinks and this bug fails on them. [...]

  18. Owned, great find. I read it on trac. This could be a serious "hole" in WordPress. Others could steal your whole stories and make claims without looking back.

    ho ho ho happy new year.

  19. [...] It’s time for another update! WordPress 2.3.2 security patch has been released. 2.3.2 fixes some serious bugs including the one which reveals your blog’s draft post to outsiders. Folks from WordPress call it as an “urgent security release”, so you better not skip this update. [...]

  20. [...] In November of 2006 I noted how much fun it might be to read "draft" WordPress blog posts of competitors. Fourteen months later, we read this and this and this. Good thing I deleted my Lupins post. Topical Tags: [...]

  21. [...] some serious bugs including the one that reveals a WordPress blog's draft posts to the world. This post exposed the vulnerability. But some WordPress bloggers say that this leak happens on WordPress [...]

  22. [...] before it was published.  Apparently, someone went poking around in Shoemoney’s blog and found out what he was going to post the following day. [...]

  23. [...] bugtraq post the reddit comments a trivial exploit the svn diff for the patch the wordpress trac [...]

  24. [...] posting date so that the post will only be displayed at that time; were facing this serious threat. Anyone can see their “future posts”, posts that are not yet published but saved as [...]

  25. Who cares about this? :D

  26. This is what we call "awesome". The real gurus are teaching all of their knowledge and not keeping it hidden from newbies. Thanks for sharing.
