[wp-trac] [WordPress Trac] #10692: Do not allow unfiltered uploads for admins by default

WordPress Trac wp-trac at lists.automattic.com
Wed Aug 26 22:56:13 UTC 2009


#10692: Do not allow unfiltered uploads for admins by default
--------------------------+-------------------------------------------------
 Reporter:  ryan          |       Owner:  ryan  
     Type:  defect (bug)  |      Status:  new   
 Priority:  normal        |   Milestone:  2.9   
Component:  Security      |     Version:        
 Severity:  normal        |    Keywords:  upload
--------------------------+-------------------------------------------------
 When someone compromises an admin account, often one of the first things
 they do is upload some .php files.  This is allowed because admin users
 have the unfiltered_upload capability.  Perhaps this should be disallowed
 by default, with a wp-config define enabling it again.  With this
 disallowed and all write permissions on files locked down, adding
 arbitrary code is much harder even when an admin account is compromised.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10692>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
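The mitigation proposed in the ticket, sketched as a must-use plugin. This is an added example, not code from the ticket or from WordPress core: it strips the `unfiltered_upload` capability from every role through the `user_has_cap` filter and lets a site opt back in from wp-config.php with a define. The constant name `ALLOW_UNFILTERED_UPLOADS`, the function names and the log format are this example's own choices; the example relies on WordPress's normal extension/MIME filtering to reject disallowed files once the capability is gone, and only adds an audit line so that such attempts show up in the server error log.

```php
<?php
/**
 * Example mu-plugin (drop into wp-content/mu-plugins/). Not part of the
 * ticket or of WordPress core.
 *
 * Assumptions (example's own choices, not from the ticket):
 *  - the opt-in constant is named ALLOW_UNFILTERED_UPLOADS;
 *  - WordPress's built-in file-type check still rejects uploads whose
 *    extension is not in get_allowed_mime_types() once the capability is gone.
 */

// Remove unfiltered_upload from every capability check unless the site
// explicitly re-enables it in wp-config.php:
//   define( 'ALLOW_UNFILTERED_UPLOADS', true );
add_filter( 'user_has_cap', 'example_strip_unfiltered_upload', 10, 3 );

function example_strip_unfiltered_upload( $allcaps, $caps, $args ) {
    if ( defined( 'ALLOW_UNFILTERED_UPLOADS' ) && ALLOW_UNFILTERED_UPLOADS ) {
        return $allcaps; // site owner opted back in
    }
    // Setting the capability to false (rather than unsetting it) covers roles
    // that grant it explicitly, such as administrator, and roles that never had it.
    $allcaps['unfiltered_upload'] = false;
    return $allcaps;
}

// Detection: record attempts to upload a file type that is not on the allowed
// list. WordPress will already refuse the file; this just leaves an audit trail
// so a compromised admin account trying to drop a .php file is visible in logs.
add_filter( 'wp_handle_upload_prefilter', 'example_log_disallowed_upload' );

function example_log_disallowed_upload( $file ) {
    if ( current_user_can( 'unfiltered_upload' ) ) {
        return $file; // raw uploads are permitted for this user, nothing to report
    }
    $check = wp_check_filetype( $file['name'] );
    if ( false === $check['type'] ) {
        $user = wp_get_current_user();
        error_log( sprintf(
            'disallowed upload attempt: user=%s (id=%d) file=%s ip=%s',
            $user->user_login,
            $user->ID,
            basename( $file['name'] ),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
    }
    return $file;
}
```

With the plugin active, an administrator uploading `shell.php` through the media uploader is refused by the normal file-type check and an `error_log` line is written; setting the define in wp-config.php restores the previous behaviour for sites that genuinely need it. Removing the capability only helps if the web server user cannot write to plugin or theme directories, which is the second half of the ticket's suggestion.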

