WordPress.org

Make WordPress Core

Opened 16 years ago

Closed 16 years ago

Last modified 4 years ago

#75 closed defect (bug) (fixed)

security related user level problem

Reported by: Ihad
Owned by: matt
Milestone:
Priority: normal
Severity: major
Version:
Component: Administration
Keywords:
Focuses:
Cc:

Description

It is undesirable to let any user but the site admin see the database login and password info.

I suggest adding the following line to templates.php in the wp-admin directory:
line 18:
if (stristr($file, 'config') && $user_level < 10)
die(('<p>You do not have sufficient permissions to edit config files for this blog.</p>'));

I chose stristr since it is case insensitive.

Attachments (3)

0000075-templates.2.php (6.1 KB) - added by Ihad 15 years ago.
0000075-templates.php (6.1 KB) - added by Ihad 15 years ago.
wp-admin-templates-protect-config.patch (714 bytes) - added by Ihad 15 years ago.


Change History (9)

#2 @Ihad
16 years ago

Addendum: I added the if clause at the wrong spot. The second file is the correct one.
Add:
---
if (stristr($file, 'config') && $user_level <= 9) {
    die(('<p>You do not have sufficient permissions to edit config files for this blog.</p>'));
}
---
at line 87 under require_once('admin-header.php'); in the default: section

cheers
ai
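
The check proposed above, written as a function and run over a few sample names, next to an allowlist variant for comparison. This is an added example, not code from the ticket, its attachments or WordPress; the function names, the allowlist and the sample file names are assumptions made for illustration.

```php
<?php
// Added example; not WordPress code. Function names, the allowlist and
// the sample file names are constructed for illustration.

// The ticket's check: refuse when the name contains "config" in any case
// and the user is below level 10 ("< 10" and "<= 9" agree for integers).
function denylist_allows(string $file, int $user_level): bool
{
    $is_config = stristr($file, 'config') !== false;
    return !($is_config && $user_level < 10);
}

// Allowlist variant (assumption): below level 10, only exact names on the
// list are editable; anything else is refused by default.
function allowlist_allows(string $file, int $user_level, array $editable): bool
{
    if ($user_level >= 10) {
        return true;
    }
    return in_array($file, $editable, true);
}

$editable = ['index.php', 'wp-layout.css'];   // constructed allowlist
$samples  = ['index.php', 'wp-config.php', 'WP-CONFIG.PHP', 'settings.inc.php'];

foreach ([9, 10] as $level) {
    foreach ($samples as $file) {
        printf(
            "level %2d  %-18s denylist=%-5s allowlist=%s\n",
            $level,
            $file,
            denylist_allows($file, $level) ? 'allow' : 'deny',
            allowlist_allows($file, $level, $editable) ? 'allow' : 'deny'
        );
    }
}
```

The name-based check refuses only names containing "config", so at level 9 the constructed `settings.inc.php` passes it, while the allowlist variant refuses every name that is not listed.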

#3 @Froosh
16 years ago

Directly related to bug #69 (Almost a duplicate except this is really a patch for it...)

#4 @Froosh
16 years ago

Added an actual patch against current CVS (2004-12-08)

#5 @2fargon
16 years ago

  • Patch set to Yes
  • Status changed from new to assigned

#6 @matt
16 years ago

  • fixed_in_version set to 1.3
  • Owner changed from anonymous to matt
  • Resolution changed from 10 to 20
  • Status changed from assigned to closed

This ticket was mentioned in Slack in #core-fields by tlovett1. View the logs.


4 years ago

