WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#6908 closed defect (bug) (duplicate)

Creating new users role - a security risk?

Reported by: CrazySerb
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.5.1
Component: Security
Keywords: user roles, group levels
Focuses:
Cc:

Description

Ok, I've noticed that Users with roles less than Administrator (if they are allowed to Create/Edit/Delete users, as defined in the Role Manager plugin) are able to:

  • list all users (which is a bit insecure, as I would expect them to be able only to list users in levels up to their level, not above, like admins)
  • edit/delete all users (which is even more insecure, as this way they can simply "upgrade" any of the existing users to admins with no problem)
  • add new users with any roles assigned to them, even administrator role.

Could that be fixed, so that users in group with a level of 7 can't see any of the other groups above level 7, and can't create new/edit existing users and assign them any role higher than 7, for example?

Otherwise, this is a major security risk for anyone allowing any users in groups less than administrator to administer other users.

Change History (3)

comment:1 follow-up: Otto42 6 years ago

  • Milestone set to 2.7
  • Priority changed from highest omg bbq to normal
  • Severity changed from major to normal

Allowing users to edit users higher than themselves does indeed not make much sense, however the user level number idea is deprecated/not used anymore. Perhaps some way to define an order on the Roles, thus allowing it to determine which roles are above other roles?

comment:2 in reply to: ↑ 1 DD32 6 years ago

Replying to Otto42:

Allowing users to edit users higher than themselves does indeed not make much sense, however the user level number idea is deprecated/not used anymore. Perhaps some way to define an order on the Roles, thus allowing it to determine which roles are above other roles?

This was discussed on another ticket/mailing list, I can't remember where.

The idea which was suggested that made most sense to me was that users should not be able to create a user with a capability they themselves do not have, so if they do not have the manage_options capability, they should not be able to create a user who would have the manage_options cap. And a similar route for editing users.
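
One way to implement the capability-subset rule proposed in comment:2, as an added example that is not part of this ticket, the Role Manager plugin, or WordPress core. It assumes a plugin context on a WordPress version that provides the `editable_roles` and `map_meta_cap` filters and returns `WP_User` objects from `get_userdata()` (all newer than the 2.5.1 this ticket was filed against); the `example_*` function names are this example's own. The first filter trims the role dropdown so a user can only assign roles whose capabilities they hold themselves; the second guards the request handlers for `edit_user`, `delete_user` and `promote_user`, so a crafted POST cannot bypass the trimmed dropdown and "upgrade" an existing account to one with capabilities the actor lacks:

```php
<?php
/*
 * Added example (not WordPress core code): a user may only create, edit,
 * promote or delete accounts whose capabilities are a subset of their own.
 * Assumes: plugin context; WordPress with the 'editable_roles' and
 * 'map_meta_cap' filters and WP_User objects from get_userdata().
 */

/**
 * True if every capability granted in $capabilities is one $actor also holds.
 * Role-name pseudo-capabilities (e.g. 'editor' => true in allcaps) are
 * skipped: an administrator does not literally hold the 'editor' cap, and
 * they are not privileges in themselves.
 */
function example_caps_are_subset_of( WP_User $actor, array $capabilities ) {
    global $wp_roles;
    foreach ( $capabilities as $capability => $granted ) {
        if ( ! $granted ) {
            continue;
        }
        if ( isset( $wp_roles ) && $wp_roles->is_role( $capability ) ) {
            continue;
        }
        if ( ! $actor->has_cap( $capability ) ) {
            return false;
        }
    }
    return true;
}

/**
 * Role dropdown on Add New User / Edit User: drop any role that would grant
 * a capability the current user lacks (e.g. manage_options for a non-admin).
 */
function example_restrict_editable_roles( array $roles ) {
    $actor = wp_get_current_user();
    if ( empty( $actor->ID ) ) {
        return array();
    }
    foreach ( $roles as $slug => $role ) {
        if ( ! example_caps_are_subset_of( $actor, $role['capabilities'] ) ) {
            unset( $roles[ $slug ] );
        }
    }
    return $roles;
}
add_filter( 'editable_roles', 'example_restrict_editable_roles' );

/**
 * Request-level check: deny edit_user / delete_user / promote_user when the
 * target account already holds a capability the acting user does not.
 * Appending 'do_not_allow' makes WP_User::has_cap() return false.
 */
function example_deny_upward_user_edits( $caps, $cap, $user_id, $args ) {
    if ( ! in_array( $cap, array( 'edit_user', 'delete_user', 'promote_user' ), true ) ) {
        return $caps;
    }
    $target_id = isset( $args[0] ) ? (int) $args[0] : 0;
    if ( ! $target_id || $target_id === (int) $user_id ) {
        return $caps; // no target, or editing own profile: leave core's answer alone
    }
    $actor  = get_userdata( $user_id );
    $target = get_userdata( $target_id );
    if ( ! $actor || ! $target ) {
        return $caps;
    }
    if ( ! example_caps_are_subset_of( $actor, $target->allcaps ) ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'example_deny_upward_user_edits', 10, 4 );
```

With both filters active, an account holding `edit_users` but not `manage_options` can still list and edit users, but cannot assign the administrator role, cannot change an existing administrator, and cannot delete one; the two checks together cover all three points in the ticket description without imposing any ordering on roles.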

comment:3 pishmishy 6 years ago

  • Milestone 2.7 deleted
  • Resolution set to duplicate
  • Status changed from new to closed

It was discussed in #6014, which is identical in principle to this ticket.

To repeat myself, we shouldn't be imposing any ordering on roles:

  • An order would be equivalent to the user level numbers (albeit with different labels). We moved away from this.
  • We'd never agree on a default ordering (we leave such things to plugins if desired by the user).

Problems arise because people aren't informed of the true extent of 'edit_users' capability. I suggested that the authors of plugins who allow users to mess with capabilities should make it very clear to their users. I still don't believe it's a WordPress issue (although we could look at improving our documentation), but I'll hold off closing the other ticket for risk of upsetting too many people :-)
