[wp-trac] Re: [WordPress Trac] #7277: page_options doesn't work for plugin pages
WordPress Trac
wp-trac at lists.automattic.com
Sun Jul 20 10:50:48 GMT 2008
#7277: page_options doesn't work for plugin pages
---------------------+------------------------------------------------------
Reporter: Mr Pete | Owner: anonymous
Type: defect | Status: reopened
Priority: normal | Milestone:
Component: General | Version:
Severity: normal | Resolution:
Keywords: |
---------------------+------------------------------------------------------
Comment (by donncha):

There is an incompatibility but it exists because of a serious hole in MU
security. Alex Concha showed that on an MU site any blog admin could
change any blog option just by passing the correct list of options and the
generic nonce. The admin could change the list of plugins which would
allow them to upload a file and add that file to the plugin list (as
happened in the most recent round of attacks on WP blogs).

When I added the whitelist to MU I presumed it would end up in WordPress
too but I forgot to add a ticket here to discuss those changes.

It's not really an issue for WordPress as the local admin has access to
everything anyway. Is it worth discussing merging the whitelist code into
WordPress?

--
Ticket URL: <http://trac.wordpress.org/ticket/7277#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
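
The kind of whitelist check the comment above describes, sketched as an added example (not part of the original message, and not WordPress or WordPress MU code): each options page may update only the option names registered for it, so an extra name slipped into the submitted page_options list is refused, and a plugin page that has registered nothing gets nothing saved. The function names, page slugs and whitelist contents are assumptions made for illustration.

```php
<?php
// Added example. All names below are hypothetical; the whitelist is constructed.

// Options page => option names that page is allowed to update.
$example_whitelist = array(
    'general' => array( 'blogname', 'blogdescription' ),
    'reading' => array( 'posts_per_page' ),
);

// Hypothetical helper a plugin would call to register its own settings page.
function example_register_page_options( array $whitelist, $page, array $options ) {
    $existing           = isset( $whitelist[ $page ] ) ? $whitelist[ $page ] : array();
    $whitelist[ $page ] = array_values( array_unique( array_merge( $existing, $options ) ) );
    return $whitelist;
}

// Split the submitted comma-separated list into names the page may update
// and names that must be refused. Unknown pages are allowed nothing.
function example_filter_page_options( array $whitelist, $page, $page_options ) {
    $requested = array_filter( array_map( 'trim', explode( ',', $page_options ) ), 'strlen' );
    $permitted = isset( $whitelist[ $page ] ) ? $whitelist[ $page ] : array();
    return array(
        'allowed'  => array_values( array_intersect( $requested, $permitted ) ),
        'rejected' => array_values( array_diff( $requested, $permitted ) ),
    );
}

// Constructed request 1: the general page is submitted with the plugin list
// option appended. Only blogname is allowed; active_plugins is rejected.
print_r( example_filter_page_options( $example_whitelist, 'general', 'blogname, active_plugins' ) );

// Constructed request 2: a plugin settings page that never registered its
// options. Everything is rejected, so the form appears not to save.
print_r( example_filter_page_options( $example_whitelist, 'my-plugin', 'my_plugin_color' ) );

// After the plugin registers its option for its own page, the same request
// passes the check.
$example_whitelist = example_register_page_options(
    $example_whitelist,
    'my-plugin',
    array( 'my_plugin_color' )
);
print_r( example_filter_page_options( $example_whitelist, 'my-plugin', 'my_plugin_color' ) );
```

Rejected names are worth logging on a multi-blog install, since a request that names an option outside its page's list is either a plugin that has not registered its settings or an attempt to change something the page should not touch.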