[wp-trac] [WordPress Trac] #6908: Creating new users role - a security risk?
WordPress Trac
wp-trac at lists.automattic.com
Sun May 4 01:16:10 GMT 2008
#6908: Creating new users role - a security risk?
-----------------------------+----------------------------------------------
Reporter: CrazySerb | Owner: anonymous
Type: defect | Status: new
Priority: highest omg bbq | Milestone:
Component: Security | Version: 2.5.1
Severity: major | Keywords: user roles, group levels
-----------------------------+----------------------------------------------
OK, I've noticed that users with roles below Administrator (if allowed to
create/edit/delete users, as defined in the Role Manager plugin) are able
to:
- list all users (which is a bit insecure, as I would expect them to be
able only to list users in levels up to their level, not above, like
admins)
- edit/delete all users (which is even more insecure, as this way they can
simply "upgrade" any of the existing users to admins with no problem)
- add new users with any roles assigned to them, even administrator role.
Could that be fixed, so that users in group with a level of 7 can't see
any of the other groups above level 7, and can't create new/edit existing
users and assign them any role higher than 7, for example?
Otherwise, this is a major security risk for anyone allowing any users in
groups less than administrator to administer other users.
--
Ticket URL: <http://trac.wordpress.org/ticket/6908>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
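The restriction the reporter asks for (a user may only see, edit and assign roles at or below their own level) can be expressed with WordPress's own capability filters. The plugin below is an added example written for this page; it is not WordPress core, not the Role Manager plugin, and not the fix that eventually landed for this ticket. It assumes a modern WordPress (the `editable_roles` filter, `map_meta_cap`, `wp_roles()` and the `users_list_table_query_args` filter), and it defines a user's or role's "level" as the highest `level_N` capability it carries (the default roles run from `level_0` for Subscriber to `level_10` for Administrator). All `crm_` function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Capped Role Management (added example, not core or Role Manager)
 *
 * Assumptions: WordPress 4.4 or later (users_list_table_query_args filter);
 * roles carry level_N capabilities as the default roles do. Names prefixed
 * crm_ are hypothetical.
 */

// Highest level_N capability in a capability map (a role's caps or a user's allcaps).
function crm_level_from_caps( array $caps ) {
    $level = 0;
    foreach ( $caps as $cap => $granted ) {
        if ( $granted && preg_match( '/^level_(\d+)$/', $cap, $m ) ) {
            $level = max( $level, (int) $m[1] );
        }
    }
    return $level;
}

// Level of a user: derived from the user's merged capabilities.
function crm_user_level( $user_id ) {
    $user = get_userdata( $user_id );
    return $user ? crm_level_from_caps( $user->allcaps ) : 0;
}

// 1. Only roles at or below the actor's own level may be assigned.
//    get_editable_roles() feeds the role dropdown on user-new.php / user-edit.php
//    and the server-side check in edit_user(), so this is enforced, not just hidden.
add_filter( 'editable_roles', function ( array $roles ) {
    $max = crm_user_level( get_current_user_id() );
    foreach ( $roles as $slug => $role ) {
        if ( crm_level_from_caps( $role['capabilities'] ) > $max ) {
            unset( $roles[ $slug ] );
        }
    }
    return $roles;
} );

// 2. Nobody may edit, delete or re-role a user whose level is above their own.
//    This is the real control: it applies to every code path that calls
//    current_user_can( 'edit_user' / 'delete_user' / 'promote_user', $id ).
add_filter( 'map_meta_cap', function ( array $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'promote_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }
    $target_id = (int) $args[0];
    if ( $target_id === (int) $user_id ) {
        return $caps; // editing your own profile is left to core's rules
    }
    if ( crm_user_level( $target_id ) > crm_user_level( $user_id ) ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 4 );

// 3. Hide users with higher roles from the Users list (wp-admin/users.php).
//    Cosmetic on its own; the map_meta_cap filter above is what stops the edit.
add_filter( 'users_list_table_query_args', function ( array $args ) {
    $max    = crm_user_level( get_current_user_id() );
    $hidden = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( crm_level_from_caps( $role['capabilities'] ) > $max ) {
            $hidden[] = $slug;
        }
    }
    if ( $hidden ) {
        $args['role__not_in'] = $hidden;
    }
    return $args;
} );
```

Two caveats when adapting this. First, a custom role created by a role-manager plugin without any `level_N` capability is treated as level 0 here, so its members would be blocked from touching anyone above Subscriber; give such roles an explicit level or compare on a different attribute. Second, hiding users from the list (step 3) does not prevent direct requests to `user-edit.php?user_id=N`; only the `map_meta_cap` check does, which is why it is the piece that must not be omitted.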