[wp-hackers] Critical WP Flaw?
Ryan Boren
ryan at boren.nu
Thu Jul 27 10:03:31 GMT 2006
Joey B wrote:
> On 7/27/06, Ryan Boren <ryan at boren.nu> wrote:
>> <snip>
>> Plugins need to be sure to put current_user_can() checks wherever access
>> control is needed. I think some authors were assuming that WP checks
>> for them. It does not. WP doesn't know what user level/capability the
>> various parts of a plugin require. An audit of plugins shows that some
>> plugins have been making this assumption for a long, long time.
>
> Saying so here won't make much of a dent in changing that. I've never
> heard of current_user_can(), either, along with, apparently, a lot of
> other plugin devs. This would lead me to believe there is a failure in
> documentation which should probably also be addressed along with this
> security vulnerability, if this is so important.
If you're relying on the cap/level check provided when you register a
menu/submenu, that will cover most plugins. There is indeed a bug in
2.0.3 that breaks this check in some cases. 2.0.4 beta fixes this. If
you don't register a menu and don't do a level or cap check, your plugin
is vulnerable.
Personally, I never really meant the menu cap check to be relied upon
quite so heavily. It was offered as a convenience thing for simple
plugins. I use current_user_can() in my plugins.
current_user_can() is the heart of the capability system.
http://codex.wordpress.org/Roles_and_Capabilities
Looks like we need to do a better job of documenting with regard to
plugin development.
Ryan
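To make the point above concrete: the capability argument passed to add_menu_page()/add_options_page() only gates the menu page itself. Any other path into the plugin (a handler on a general admin hook, a directly requested plugin file, an AJAX or form endpoint) is not covered unless the plugin calls current_user_can() itself. The following is an added illustration for a current WordPress install, not Ryan's code and not code from WordPress core; the plugin name, the cce_ function prefix, the option name and the form field are hypothetical, and esc_attr()/sanitize_text_field() postdate the 2006 thread.

```php
<?php
/*
Plugin Name: Cap Check Example
Description: Added illustration of menu cap checks vs. current_user_can(); not a real plugin.
*/

// Hypothetical option name used for illustration only.
define( 'CCE_OPTION', 'cce_banner_text' );

// Registers the settings page. The 'manage_options' argument is the
// "menu cap check" Ryan refers to: WordPress refuses to render this page
// for users who lack the capability. That is the whole extent of the
// protection it gives; it says nothing about other code paths.
function cce_register_menu() {
	add_options_page(
		'Cap Check Example',        // page title
		'Cap Check Example',        // menu title
		'manage_options',           // capability needed to open the page
		'cce-settings',             // menu slug
		'cce_render_settings_page'  // render callback
	);
}
add_action( 'admin_menu', 'cce_register_menu' );

// VULNERABLE: a handler on admin_init runs for every wp-admin request,
// regardless of which page was requested, so the menu cap check never
// applies to it. Any logged-in user, down to a Subscriber, can POST
// cce_banner_text to any admin URL and overwrite the option.
function cce_vulnerable_save() {
	if ( isset( $_POST['cce_banner_text'] ) ) {
		update_option( CCE_OPTION, $_POST['cce_banner_text'] );
	}
}
// Intentionally NOT hooked; shown only as the pattern to avoid:
// add_action( 'admin_init', 'cce_vulnerable_save' );

// HARDENED: the same handler with the checks the plugin must do itself.
function cce_hardened_save() {
	if ( ! isset( $_POST['cce_banner_text'] ) ) {
		return;
	}
	// 1. Authorization: does this user hold the capability this action needs?
	//    This is the check WordPress cannot do for the plugin.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You do not have sufficient permissions to change this setting.' );
	}
	// 2. Intent: the nonce ties the request to a form this user submitted,
	//    so an authorized admin cannot be tricked into submitting it (CSRF).
	check_admin_referer( 'cce_save_settings' );
	// 3. Sanitize before storing.
	update_option( CCE_OPTION, sanitize_text_field( $_POST['cce_banner_text'] ) );
}
add_action( 'admin_init', 'cce_hardened_save' );

function cce_render_settings_page() {
	// Defence in depth: re-check even though add_options_page() gated the menu.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.' );
	}
	?>
	<div class="wrap">
		<h2>Cap Check Example</h2>
		<form method="post">
			<?php wp_nonce_field( 'cce_save_settings' ); ?>
			<input type="text" name="cce_banner_text"
				value="<?php echo esc_attr( get_option( CCE_OPTION, '' ) ); ?>" />
			<input type="submit" class="button-primary" value="Save" />
		</form>
	</div>
	<?php
}
```

A quick check for any plugin: list every place it writes to the database or the filesystem in response to a request, and confirm that each one is reached only after a current_user_can() call for the capability that action actually requires. If the only guard you can find is the capability passed when the menu was registered, the plugin is in the class Ryan describes.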