[wp-testers] Upgrade 2.0.2 to 2.0.4
Viper007Bond
lists at viper007bond.com
Sun Jul 30 10:22:08 GMT 2006
Robert Deaton wrote:
> On 7/29/06, Viper007Bond <lists at viper007bond.com> wrote:
>> As for that supposed security issue, it's kinda a "dur". I mean, of
>> course there are going to be problems if you allow users to register and
>> have it set to auto-promote them to an admin or something like that.
>> That's not an exploit, that's just stupidity.
>
> Uhm, the security issue is that WordPress didn't properly validate
> plugin page caps for unprivileged users, meaning someone with
> absolutely no caps could access plugin pages that may let them take
> over the blog, depending on the plugin.
Oh, whoops, guess I didn't read the URL well enough.
And isn't that the fault of bad plugin coding, not WordPress' fault? I
mean, as a plugin coder, I check the current user's permissions when
doing important things.
> No matter how small the corner case, don't publicly discount the
> validity, people need to upgrade, and when they don't because someone
> told them the vulnerability which their blog was taken down through
> was a joke, we'll never hear the end of it.
Oh, no, I wasn't saying people don't need to upgrade. Far from it -- I'm
getting all of my friends to run the latest version. :)
-Viper
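To illustrate the plugin-side permission check Viper describes (an added example, not code from the thread or from WordPress core; it uses the current WordPress plugin API rather than the 2.0.x API discussed above, and the "vb_" prefix, option name and slug are hypothetical), here is a plugin options page that re-checks the capability itself instead of trusting core's menu gating alone:

```php
<?php
// Added example, not from the original thread or from WordPress core.
// Hypothetical plugin prefix "vb_" and option name "vb_example_setting".

// Register the page with an explicit capability. 'manage_options' is a
// real WordPress capability normally held only by administrators.
add_action( 'admin_menu', 'vb_register_page' );
function vb_register_page() {
    add_options_page(
        'VB Example Settings',   // page title
        'VB Example',            // menu title
        'manage_options',        // capability required to see the menu entry
        'vb-example',            // menu slug
        'vb_render_page'         // callback that renders the page
    );
}

// Handle the form submission on admin_init, before any output. Checking the
// capability here, not only at menu registration, means the action is
// refused even if core's own check on the page were missing or bypassed.
add_action( 'admin_init', 'vb_handle_submit' );
function vb_handle_submit() {
    if ( ! isset( $_POST['vb_example_setting'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change this setting.' );
    }
    // CSRF protection: the nonce ties the request to the logged-in user.
    check_admin_referer( 'vb_save_setting' );
    update_option( 'vb_example_setting', sanitize_text_field( $_POST['vb_example_setting'] ) );
}

function vb_render_page() {
    // Repeat the check when rendering: the menu filter only hides the link.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to view this page.' );
    }
    $value = htmlspecialchars( get_option( 'vb_example_setting', '' ), ENT_QUOTES );
    echo '<form method="post">';
    wp_nonce_field( 'vb_save_setting' );
    echo '<input type="text" name="vb_example_setting" value="' . $value . '" />';
    echo '<input type="submit" value="Save" />';
    echo '</form>';
}
```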