Robert Deaton wrote:
> On 7/29/06, Viper007Bond <[EMAIL PROTECTED]> wrote:
> > As for that supposed security issue, it's kinda a "dur". I mean, of
> > course there are going to be problems if you allow users to register and
> > have it set to auto-promote them to an admin or something like that.
> > That's not an exploit, that's just stupidity.
> Uhm, the security issue is that WordPress didn't properly validate
> plugin page caps for unprivileged users, meaning someone with
> absolutely no caps could access plugin pages that may let them take
> over the blog, depending on the plugin.

Oh, whoops, guess I didn't read the URL well enough.
And isn't that the fault of bad plugin coding, not WordPress' fault? I
mean, as a plugin coder, I check the current user's permissions when
doing important things.

> No matter how small the corner case, don't publicly discount the
> validity, people need to upgrade, and when they don't because someone
> told them the vulnerability which their blog was taken down through
> was a joke, we'll never hear the end of it.

Oh, no, I wasn't saying people don't need to upgrade. Far from it -- I'm
getting all of my friends to run the latest version. :)
-Viper
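As an added illustration of the plugin-side check Viper describes above (not code from this thread or from WordPress itself): a minimal settings page that re-checks the capability inside its own handler instead of relying only on the capability passed at menu registration, so the page is refused to an unprivileged user even if the core check in front of it fails. The plugin name, slug, option name and function names are made up, and the API calls assume a current WordPress release rather than the 2006 version discussed in the thread.

```php
<?php
/*
Plugin Name: Example Settings Page (hardened, hypothetical)
*/

// Register the page with an explicit capability; WordPress uses this to
// decide who sees the menu entry and who is allowed to load the page.
add_action( 'admin_menu', 'example_register_settings_page' );

function example_register_settings_page() {
    add_options_page(
        'Example Settings',            // page title
        'Example',                     // menu title
        'manage_options',              // capability required to reach the page
        'example-settings',            // menu slug (made up)
        'example_render_settings_page' // handler
    );
}

function example_render_settings_page() {
    // Defence in depth: do not trust the menu registration alone. Re-check the
    // capability here, so a request that reaches this handler by any other
    // route is still refused for a user who lacks it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have sufficient permissions to access this page.' );
    }

    if ( isset( $_POST['example_value'] ) ) {
        // Bind the state change to a nonce so a privileged user's browser
        // cannot be made to submit it from a forged cross-site request.
        check_admin_referer( 'example_save_settings' );
        $clean = sanitize_text_field( wp_unslash( $_POST['example_value'] ) );
        update_option( 'example_value', $clean );
        echo '<div class="updated"><p>Saved.</p></div>';
    }

    $value = get_option( 'example_value', '' );
    ?>
    <div class="wrap">
        <h2>Example Settings</h2>
        <form method="post">
            <?php wp_nonce_field( 'example_save_settings' ); ?>
            <input type="text" name="example_value"
                   value="<?php echo esc_attr( $value ); ?>" />
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}
```

The capability string passed to add_options_page() and the one tested with current_user_can() should be the same, and any separate form handler (for example an admin-post.php action) needs the same two checks, since it is not routed through the menu at all.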
_______________________________________________
wp-testers mailing list
[email protected]
http://lists.automattic.com/mailman/listinfo/wp-testers