[Plugin: Widget Logic] Security hole?
The plugin sure does what it says, but I’m concerned about the security here.
As whatever a user enters as “widget logic” gets eval()’ed by PHP, any user with access to modifying widgets essentially could do whatever to the full installation. E.g. a user could enter [information removed - Mark] to delete everything you got on the host.
I couldn’t find it anywhere in the plugin code, but there sure should be a whitelist of functions allowed in code like this.
Viewing 3 replies - 1 through 3 (of 3 total)
- The topic ‘[Plugin: Widget Logic] Security hole?’ is closed to new replies.
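The post asks for an allowlist of functions. One way to get that without eval(), as an added example that is not part of the original post or the plugin's code: a small parser that accepts only calls to allowlisted names with string or integer literals, joined by `!`, `&&`, `||` and parentheses. The class name and the stand-in callables are assumptions; `is_home()` and `is_page()` are WordPress conditional tags.

```php
<?php
// Added example (PHP 8.1+), not Widget Logic's code: evaluate a condition without eval().
// Input that is not made of known tokens, or that calls a name outside the allowlist, is rejected.
final class WidgetCondition
{
    private const TOKEN = '/\|\||&&|[!(),]|[A-Za-z_]\w*|\'[^\'\\\\]*\'|\d+/';
    private array $tok = [];
    public function __construct(private array $allowed) {} // name => callable
    public function evaluate(string $src): bool
    {
        if (trim(preg_replace(self::TOKEN, '', $src)) !== '') $this->fail('illegal input');
        $this->tok = preg_match_all(self::TOKEN, $src, $m) ? $m[0] : [];
        $v = $this->binary('||');
        return $this->peek() === null ? $v : $this->fail('trailing input');
    }
    private function fail(string $why): never { throw new InvalidArgumentException($why); }
    private function peek(): ?string { return $this->tok[0] ?? null; }
    private function take(?string $want = null): string
    {
        $t = array_shift($this->tok) ?? $this->fail('unexpected end');
        if ($want !== null && $t !== $want) $this->fail("expected $want, got $t");
        return $t;
    }
    private function binary(string $op): bool // '&&' binds tighter than '||'
    {
        $next = fn() => $op === '||' ? $this->binary('&&') : $this->unary();
        $vals = [$next()];
        while ($this->peek() === $op) { $this->take(); $vals[] = $next(); }
        return $op === '||' ? in_array(true, $vals, true) : !in_array(false, $vals, true);
    }
    private function unary(): bool
    {
        $t = $this->take();
        if ($t === '!') return !$this->unary();
        if ($t === '(') { $v = $this->binary('||'); $this->take(')'); return $v; }
        if (!isset($this->allowed[$t])) $this->fail("not allowlisted: $t");
        $this->take('(');
        for ($args = []; $this->peek() !== ')'; ) {
            if ($args) $this->take(',');
            $a = $this->take();
            if ($a[0] !== "'" && !ctype_digit($a)) $this->fail("literal expected, got $a");
            $args[] = $a[0] === "'" ? substr($a, 1, -1) : (int) $a;
        }
        $this->take(')');
        return (bool) call_user_func_array($this->allowed[$t], $args);
    }
}
// Constructed stand-ins for WordPress conditional tags such as is_home() and is_page().
$wl = new WidgetCondition(['is_home' => fn() => false, 'is_page' => fn($p = '') => $p === 'about']);
var_dump($wl->evaluate("is_home() || is_page('about')"));
```

Because the expression is parsed and the allowlisted callables are invoked directly, nothing entered in the widget field is executed as PHP. An `InvalidArgumentException` means the condition was rejected and can be handled by not displaying the widget.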