[wp-trac] [WordPress Trac] #14578: Security issue after plugin deactivation (by accidentally creating administrators)
WordPress Trac
wp-trac at lists.automattic.com
Tue Aug 10 10:00:29 UTC 2010
#14578: Security issue after plugin deactivation (by accidentally creating
administrators)
--------------------------+-------------------------------------------------
Reporter: Ivolution | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 3.0.1
Severity: major | Keywords: plugin, administrator, security
--------------------------+-------------------------------------------------
Take these steps:
1. Activate a plugin that creates a role on activation. For example, it calls "add_role( 'photo_uploader', 'Photo Uploader', array( 'read' => true ) );"
2. In General Settings, set the Default User Role to this new role, 'Photo Uploader'.
3. Deactivate the plugin, removing the role: "remove_role( 'photo_uploader' );"
4. In General Settings, the Default User Role now displays 'Administrator'. (In the database, it still says 'photo_uploader'.)
5. When creating a new user (as admin), the role dropdown-box now displays 'Administrator' as the role for this new user. This new user _will_ have the role 'Administrator' if an unsuspecting admin does not explicitly alter the role in the dropdown-box.
This way, an unsuspecting administrator might accidentally create new admins for his blog.
I have also tested this for new users registering themselves. Fortunately, they are assigned the role 'None', not 'Administrator'.
Greetings,
Ivo van der Linden
(employee of LaQuSo @ Eindhoven University of Technology)
--
Ticket URL: <http://core.trac.wordpress.org/ticket/14578>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
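The following is an added example, not code from the ticket or from WordPress core, showing how a plugin in the reported scenario can avoid leaving `default_role` pointing at a role it is about to remove, plus a read-time guard that falls back to 'subscriber' when the stored default role no longer exists. The plugin prefix `pu_` and the function names are assumptions; the WordPress API calls used (add_role, remove_role, get_role, get_option, update_option, register_activation_hook, register_deactivation_hook, the `option_default_role` filter) are standard.

```php
<?php
/*
 * Added example (hypothetical plugin code, not from the ticket or WP core).
 * Defensive handling of the ticket's scenario:
 *   - on deactivation, repoint 'default_role' before removing our role, so
 *     the option never references a role that does not exist;
 *   - when the option is read, treat an unknown role as 'subscriber' rather
 *     than letting the admin UI default to 'administrator'.
 */

define( 'PU_ROLE', 'photo_uploader' );

function pu_activate() {
    // Step 1 of the report: register the custom role with minimal capabilities.
    add_role( PU_ROLE, 'Photo Uploader', array( 'read' => true ) );
}
register_activation_hook( __FILE__, 'pu_activate' );

function pu_deactivate() {
    // Step 3 of the report. If the site owner selected our role as the
    // Default User Role (step 2), reset it to the least-privileged core role
    // BEFORE the role disappears, so no dangling value is left in the DB.
    if ( get_option( 'default_role' ) === PU_ROLE ) {
        update_option( 'default_role', 'subscriber' );
    }
    remove_role( PU_ROLE );
}
register_deactivation_hook( __FILE__, 'pu_deactivate' );

/**
 * Read-time guard: return the stored default role only if it is still a
 * registered role; otherwise fall back to 'subscriber'. get_role() returns
 * null for a role that has been removed (step 4 of the report).
 */
function pu_safe_default_role( $stored ) {
    if ( is_string( $stored ) && $stored !== '' && get_role( $stored ) !== null ) {
        return $stored;
    }
    return 'subscriber';
}

// Every consumer of get_option( 'default_role' ), including the role
// dropdown on the Add New User screen (step 5), then sees a valid role.
add_filter( 'option_default_role', 'pu_safe_default_role' );
```

Note that the `option_default_role` filter only runs while the plugin that registers it is active, so for the exact situation in the ticket (plugin already deactivated) that guard would have to live in a must-use plugin or in core; the deactivation-hook reset is the part a plugin author can rely on.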