WordPress.org


LBAK User Tracking
[resolved] Exposure of admin credentials (5 posts)

  1. cyberczar
    Member
    Posted 3 years ago #

    Hey there!

    This is just a warning to anyone using this plugin that has multiple users on their blog (authors, contributors, editors, etc.)

    The file lbak-user-tracking/php_includes/visual.php does not check whether the user has the rights to view the dashboard widgets, which can expose the login name and password of the admin user who logged in.

    An easy work-around for this is to include the following in the visual.php page (towards the top):

    function lbakut_dashboard_setup() {
        // Check that the user is able to view this page.
        // 'manage_options' is an administrator-only capability in a default install.
        if (current_user_can('manage_options')) {

            $options = lbakut_get_options();
            if ($options['widget_show'] == true) {

            ...
            ...

    And be sure to add a closing right brace at the end of the function block to close the if { ... } block in PHP.

    Ideally, the author of this plugin will bake this in.

    http://wordpress.org/extend/plugins/lbak-user-tracking/
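The check proposed in this post, carried through as an added PHP example. This is not the plugin's own code and not part of the original thread: it takes only the names lbakut_get_options() and the 'widget_show' option from the snippet above; every function prefixed lbakut_example_, the widget id and title, and the list of redacted field names are assumptions for illustration. It gates the widget where it is registered, repeats the check in the render callback (hiding a widget is not access control, since callbacks can be reached directly), and goes one step beyond the post by redacting login fields before GET/POST data is stored, so that a logged wp-login.php request can never hand a plaintext password to whoever later views the widget.

```php
<?php
/**
 * Added example, not the LBAK User Tracking plugin's code.
 * Assumed: lbakut_get_options() returns the plugin's option array and
 * 'widget_show' is the key that enables the dashboard widget (both from the
 * post above). Everything prefixed lbakut_example_ is hypothetical.
 */

/**
 * Request keys whose values must never be written to the tracking log.
 * 'log' and 'pwd' are the field names wp-login.php uses for username and
 * password; the rest are common password fields on profile/registration forms.
 */
function lbakut_example_sensitive_keys() {
    return array( 'pwd', 'log', 'pass1', 'pass2', 'password', 'user_pass' );
}

/**
 * Return a copy of $vars with sensitive values replaced by a placeholder.
 * Recurses so that nested arrays (e.g. $_POST['user']['pwd']) are covered too.
 */
function lbakut_example_redact( array $vars ) {
    $out = array();
    foreach ( $vars as $key => $value ) {
        if ( in_array( strtolower( (string) $key ), lbakut_example_sensitive_keys(), true ) ) {
            $out[ $key ] = '[REDACTED]';
        } elseif ( is_array( $value ) ) {
            $out[ $key ] = lbakut_example_redact( $value );
        } else {
            $out[ $key ] = $value;
        }
    }
    return $out;
}

/**
 * Register the widget only for users who may manage options (administrators
 * in a default install). This is the check the post above proposes, applied
 * at the point where the widget is added.
 */
function lbakut_example_dashboard_setup() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $options = lbakut_get_options(); // assumed plugin function, see lead-in
    if ( ! empty( $options['widget_show'] ) ) {
        wp_add_dashboard_widget(
            'lbakut_example_widget',        // hypothetical widget id
            'User Tracking',                // hypothetical widget title
            'lbakut_example_render_widget'
        );
    }
}
add_action( 'wp_dashboard_setup', 'lbakut_example_dashboard_setup' );

/**
 * Check the capability again inside the render callback. Not registering a
 * widget only hides it; the callback itself must refuse unauthorised callers.
 */
function lbakut_example_render_widget() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    // Output of the tracked requests goes here; omitted in this example.
}

/**
 * Build a log entry for the current request with credential fields redacted,
 * so the stored data is safe to display even if the gate above is ever lost.
 * Storage is the plugin's concern; this function only returns the entry.
 */
function lbakut_example_log_request() {
    return array(
        'uri'  => isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '',
        'get'  => lbakut_example_redact( wp_unslash( $_GET ) ),
        'post' => lbakut_example_redact( wp_unslash( $_POST ) ),
    );
}
```

The two checks are deliberate: the one in the setup hook keeps the widget off a Contributor's dashboard, and the one in the callback means that even a request crafted to reach the render function directly gets a 403. The redaction is independent of both, which is the point: once a password has been written to the log in plaintext, every later viewer of that log is a potential leak, so the safest fix is never to store it.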

  2. Sam Rose
    Member
    Plugin Author

    Posted 3 years ago #

    Ah, good spot! I do apologise for this and will get a fix out later today :)

    Any further updates you feel are needed?

    Thanks,
    Sam

  3. Sam Rose
    Member
    Plugin Author

    Posted 3 years ago #

    Just uploaded an update that fixes this bug :) Fortunately it wasn't as big a deal as it seemed, the dashboard widget was only shown if you were an admin anyway.

    Enjoy!
    Sam

  4. cyberczar
    Member
    Posted 3 years ago #

    Thanks for fixing.

    But I can confirm that as of 1.7.1 the dashboard widget was shown to anyone that had Contributor, Author, or Editor status. I found out about this because one of my blog's contributors (Contributor level) was able to see the widgets, click on Search, and then see my credentials (because I am logging GET & POST variables). When they sent me a screenshot with my credentials right then and there I became a bit alarmed. :-)

    But all that's moot now since the latest version is 1.7.4.

    Thanks for the credit. Great plugin by the way! Love it.

  5. Sam Rose
    Member
    Plugin Author

    Posted 3 years ago #

    Okay, rephrase: IT was only MEANT to be active for admins ^_^ Really sorry that happened!

    Glad you like the plugin regardless of this. If you have any other suggestions feel free to get in touch :)

    Thanks,
    Sam

    PS: Credit where credit is due.

Topic Closed