Ticket #12 (closed defect: fixed)
User Access To Espir!t Picasa Settings
| Reported by: | accountantbyday@… | Owned by: | ady |
|---|---|---|---|
| Priority: | critical | Milestone: | wp-esprit-picasa-0.0.3 |
| Component: | WP ESPR!T Picasa | Keywords: | |
| Cc: | | | |
Description
Just a heads-up on something that seems to be a fairly serious security issue with this plugin:
I noticed that when they are logged into their dashboard, non-administrators have the ability to view and change the settings for this plugin through the Settings section on the left sidebar. So any person who registered as a commenter, who shouldn't have permissions beyond being able to read posts, is now able to view/change the administrator's Picasa ID as well as the preferences for image dimensions. Basically, on this plugin they have the same capabilities that an administrator does.
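The report above describes a missing capability check on a WordPress settings page. As an added illustration (not the plugin's own code), the block below shows a hypothetical settings page registered the weak way, where the page is gated on a capability every Subscriber holds, next to the hardened registration and handler; all function, option and slug names are assumed.

```php
<?php
// Added example, not the WP ESPR!T Picasa plugin's code. Names are hypothetical.

// Weak registration: 'read' is granted to every registered user (Subscribers
// included), so commenters get the Settings menu entry and can open and save
// the page, which is the exposure the ticket describes.
function esprit_picasa_menu_weak() {
    add_options_page( 'Picasa Settings', 'Picasa', 'read', 'esprit-picasa', 'esprit_picasa_settings_page' );
}

// Hardened registration: 'manage_options' is held only by Administrators by
// default, so the menu entry is hidden from lower roles and WordPress rejects
// direct requests to the page from users lacking the capability.
function esprit_picasa_menu() {
    add_options_page( 'Picasa Settings', 'Picasa', 'manage_options', 'esprit-picasa', 'esprit_picasa_settings_page' );
}
add_action( 'admin_menu', 'esprit_picasa_menu' );

// Defence in depth: re-check the capability and the nonce inside the handler,
// since the menu gate alone does not protect a POST sent straight to the save path.
function esprit_picasa_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to change these settings.', 'esprit-picasa' ) );
    }
    if ( isset( $_POST['esprit_picasa_user'] ) ) {
        check_admin_referer( 'esprit_picasa_save' );
        update_option( 'esprit_picasa_user', sanitize_text_field( wp_unslash( $_POST['esprit_picasa_user'] ) ) );
        update_option( 'esprit_picasa_width', absint( $_POST['esprit_picasa_width'] ?? 0 ) );
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'esprit_picasa_save' ); ?>
        <label>Picasa user ID
            <input name="esprit_picasa_user" value="<?php echo esc_attr( get_option( 'esprit_picasa_user', '' ) ); ?>">
        </label>
        <label>Image width
            <input name="esprit_picasa_width" type="number" value="<?php echo esc_attr( get_option( 'esprit_picasa_width', 400 ) ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

A quick way to verify a fix of this kind is to log in as a Subscriber and confirm that the Settings menu entry is absent and that a direct request to the page URL is refused.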
Change History