Thread Starter aebs (@aebs)
I found a solution!
Change file gravityforms-update-post.php on line 1189:
Before:
$capability = ( 'page' == $post_type ) ? 'edit_pages' : 'edit_posts';
After:
$capability = ( 'page' == $post_type ) ? 'edit_page' : 'edit_post';
When you are checking if the current user can edit posts, you use the capability “edit_posts”:
if ( current_user_can( 'edit_posts' ) ) { }
But if you want to check if the current user can edit a specific post, you use the capability “edit_post” together with the post ID:
if ( current_user_can( 'edit_post', 123 ) ) { }
You can see another example here:
http://codex.wordpress.org/Function_Reference/current_user_can#Examples
if ( current_user_can('edit_post', 123) ) {
echo 'The current user can edit post 123';
}
Can you please include this fix in the next version of the plugin?
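The distinction in the post above, as an added example that is not code from the Gravity Forms Update Post plugin: the blanket check and the per-post check side by side, plus a request handler that uses the per-post form. The gfup_-prefixed function names, the nonce action and the POST field names are assumptions made for the example; the WordPress functions are the real ones.

```php
<?php
/**
 * Added example, not plugin code. Shows why a per-post capability check
 * is needed when the request names a specific post to edit.
 * Names prefixed gfup_ are hypothetical; WordPress API calls are real.
 */

// WRONG: asks only "can this user edit posts in general?". Every Author
// has edit_posts, so an Author passes this check for a post that belongs
// to somebody else.
function gfup_can_edit_wrong( $post_id ) {
    $post_type  = get_post_type( $post_id );
    $capability = ( 'page' === $post_type ) ? 'edit_pages' : 'edit_posts';
    return current_user_can( $capability );
}

// RIGHT: edit_post / edit_page are meta capabilities. Given a post ID,
// current_user_can() runs map_meta_cap(), which resolves them to the
// primitive capabilities that apply to *this* post (edit_others_posts
// when the post belongs to another user, edit_published_posts when it is
// already published, and so on). An Author editing another Author's post
// fails here, and an unauthenticated visitor has no capabilities at all.
function gfup_can_edit_right( $post_id ) {
    $post_type  = get_post_type( $post_id );
    $capability = ( 'page' === $post_type ) ? 'edit_page' : 'edit_post';
    return current_user_can( $capability, $post_id );
}

// Request handler using the per-post check. Hypothetical nonce action and
// field names; the order matters: validate the target, verify the nonce,
// then authorize against that specific post before touching it.
function gfup_handle_update_request() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in.', 403 );
    }

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_die( 'Unknown post.', 404 );
    }

    // Expects a _wpnonce field created with wp_nonce_field( 'gfup_update_post_' . $post_id ).
    check_admin_referer( 'gfup_update_post_' . $post_id );

    if ( ! gfup_can_edit_right( $post_id ) ) {
        wp_die( 'You are not allowed to edit this post.', 403 );
    }

    $title = isset( $_POST['post_title'] ) ? $_POST['post_title'] : '';
    wp_update_post( array(
        'ID'         => $post_id,
        'post_title' => sanitize_text_field( wp_unslash( $title ) ),
    ) );
}
add_action( 'admin_post_gfup_update_post', 'gfup_handle_update_request' );
```

With this in place, the same request from an Author for a post they do not own is rejected by the capability check rather than by luck, and the nonce stops a cross-site request from a logged-in Editor being replayed against an arbitrary post ID.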
Thanks for reporting this. This was actually changed in a recent update. I think going back to the version you posted might be ideal as we are only concerned about the specific post being edited, not general edit_posts functionality.
I’m not sure, however, how this allows anonymous users to edit posts. I don’t know what you mean by “anonymous user”, but edit_posts would prevent non-authenticated and subscriber users from editing any posts. Can you clarify that part for me?
Thread Starter aebs (@aebs)
Hello Jeremy,
When I started the topic I noticed the two problems and thought they were the same bug.
After fixing the bug that lets an author edit the posts of another author, I realized that the image bug is a different one, and an even more dangerous one, as it allows an anonymous user to delete any file from the WordPress installation (even WordPress core files like wp-config.php).
I don’t want to make public how you can exploit this bug. How can we talk privately about this to help you fix it? I’m in love with this plugin, so I want to keep using it; I’d love to help you fix this security bug.
aebs, thanks for helping us 🙂
If you’d like to message me privately, visit the contact form on my company website and we can discuss there.
Definitely interested in knowing more about this also.
Thread Starter aebs (@aebs)
Hi guys,
Sorry for the late answer; last week was crazy.
I’m sending Jeremy a private message with the detailed information about this.
Jupitercow, where do I send you the same information? Or will you two get in touch by email?
You can reach me using the homepage form here: http://jcow.com/
Thanks!
Hi! Are these security issues resolved in the latest update? Thanks!