[wp-hackers] Moved from BlogWare to WordPress - Need Help
Mark Jaquith
mark.wordpress at txfx.net
Sat May 20 09:55:39 GMT 2006
On May 20, 2006, at 5:39 AM, Chris Pirillo wrote:
> On the backend of the plugin, the /wp-config, and the
> /wp-admin/admin.php scripts are included in the main script. If the
> person trying to edit a post isn't an admin, and isn't logged in, then
> the backend scripts will not work. There is no way around it.
Would rather not outline exactly how to get around it on a public
forum... but the way I read the code, there is more than one way
around it, and the damage might not be limited to vandalism on a
post-by-post basis... I see a possible SQL injection point.
I'll contact Sean directly, but I'd advise disabling the plugin in
the meantime.
--
Mark Jaquith
http://txfx.net/
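Added illustration, not code from this thread or from the plugin under discussion (whose source is not on this page): the class of front-end "edit this post" handler Chris describes, shown in an unsafe form beside a hardened one. Bootstrapping WordPress by including wp-config.php or wp-admin/admin.php makes the API available to the script; it does not by itself prove that the request comes from someone allowed to edit that particular post, and any SQL the script builds by hand is its own responsibility. The bootstrap path, the nonce action name and the form field names are this example's assumptions; the WordPress API calls (is_user_logged_in, current_user_can, wp_verify_nonce, wp_nonce_field, wp_update_post, wp_die) are those of current WordPress, and some postdate the 2006 release this thread refers to.

```php
<?php
// Illustrative front-end edit handler (not the plugin discussed in the thread).
// Bootstrap WordPress so the plugin API and $wpdb exist. This gives us the API;
// it does not authenticate or authorize the request. (Path is an assumption.)
require_once dirname( __FILE__ ) . '/wp-load.php';

/**
 * UNSAFE pattern, for contrast only: trusts request data outright.
 * Anyone who can reach the URL picks any post ID, and unescaped values
 * are interpolated straight into the SQL string.
 */
function unsafe_frontend_update() {
    global $wpdb;
    $id      = $_POST['id'];
    $content = $_POST['content'];
    $wpdb->query( "UPDATE $wpdb->posts SET post_content = '$content' WHERE ID = $id" );
}

/**
 * Hardened version: authenticate, authorize against this specific post,
 * verify the request came from our own form, then let core build the query.
 * Returns the post ID on success; calls wp_die() on any failed check.
 */
function safe_frontend_update() {
    // 1. Authentication: an anonymous visitor gets nothing.
    if ( ! is_user_logged_in() ) {
        wp_die( 'You must be logged in to edit posts.' );
    }

    // 2. Input normalisation: the post ID must be a positive integer.
    $post_id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;
    if ( $post_id <= 0 ) {
        wp_die( 'Invalid post.' );
    }

    // 3. Authorization: being logged in is not the same as being allowed to
    //    edit *this* post. edit_post is a meta capability resolved per post,
    //    so an author cannot edit someone else's post just by changing the ID.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to edit this post.' );
    }

    // 4. CSRF protection: the form must carry a nonce tied to this action.
    //    The action name 'frontend-edit-<id>' is this example's convention.
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'frontend-edit-' . $post_id ) ) {
        wp_die( 'Request check failed.' );
    }

    // 5. Persist through the core API rather than hand-built SQL.
    //    wp_update_post() escapes the values itself and runs the normal
    //    save filters. It returns 0 on failure.
    $content = isset( $_POST['content'] ) ? $_POST['content'] : '';
    $result  = wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $content,
    ) );
    if ( 0 === $result ) {
        wp_die( 'Update failed.' );
    }
    return $post_id;
}

/**
 * The matching form. wp_nonce_field() emits the hidden _wpnonce input that
 * safe_frontend_update() checks in step 4.
 */
function render_edit_form( $post_id ) {
    $post_id = (int) $post_id;
    echo '<form method="post" action="">';
    wp_nonce_field( 'frontend-edit-' . $post_id );
    echo '<input type="hidden" name="id" value="' . $post_id . '" />';
    echo '<textarea name="content"></textarea>';
    echo '<input type="submit" value="Save" />';
    echo '</form>';
}

if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
    safe_frontend_update();
} elseif ( isset( $_GET['id'] ) ) {
    render_edit_form( $_GET['id'] );
}
```

The two checks that matter most are steps 3 and 5: a per-post capability check, because "logged in" and "admin" are not the same thing and the bootstrap files enforce neither for a front-end script, and routing the write through the core API so no request-controlled string ever reaches the query text.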