• The plugin sure does what it says, but I’m concerned about the security here.

    As whatever a user enters as “widget logic” gets eval()’ed by PHP, any user with access to modifying widgets could essentially do whatever they like to the full installation. E.g. a user could enter [information removed - Mark] to delete everything you’ve got on the host.

    I couldn’t find it anywhere in the plugin code, but there sure should be a whitelist of functions allowed in code like this.

    http://wordpress.org/extend/plugins/widget-logic/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Could you send information to plugins@wordpress.org please?
    I will then pass this directly to the developer.

    I edited your post to remove the code.

    Bjørn, you are not the first person to note this, and actually I’m surprised it’s not in the “Other Notes” section of the documentation. I’m going to add that to my ‘to do’ list, as I’ve discussed the possible security issue on a few posts here. The consensus being that the quid pro quo of keeping anyone but widget admins out of editing the code is a sufficient price for the power/simplicity of the main idea. It’s ‘with great power comes great responsibility’, of course.

    If anyone has some simple ‘function whitelist’ code they can point me at, I’ll take a look.

    When I first posted WL (years ago) I noted words to the effect that ‘for now’ I’m using a simple eval, but might try something more sophisticated if people have a problem with the security implications of this.

    Cheers – A

    What I said last time:

    http://wordpress.org/support/topic/widget-logic-security

    Also, I’ll be doing a new release soon and I’m going to add the warning back in and make it *specifically* check for current_user_can(‘edit_theme_options’).
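    An added example (editor’s illustration, not code from the Widget Logic plugin or its author) of the two things discussed in this thread: a token-level ‘function whitelist’ that is checked before the expression ever reaches eval(), and a save-time gate on current_user_can(‘edit_theme_options’). The list of permitted conditional tags, the wl_* function names and the stub is_home()/is_page() used for the stand-alone run are assumptions for the demo; PHP 7.4+ is assumed.

```php
<?php
// Added example, not Widget Logic's own code. Validates a "widget logic"
// expression with token_get_all() before eval(), and gates saving on a
// capability check. The allow-lists below are assumed for illustration.

// WordPress conditional tags a widget-logic expression may call (assumed list).
const WL_ALLOWED_FUNCTIONS = [
    'is_home', 'is_front_page', 'is_single', 'is_page', 'is_category',
    'is_tag', 'is_archive', 'is_search', 'is_404', 'is_user_logged_in',
];
// Bare identifiers that are not calls; anything else is rejected.
const WL_ALLOWED_CONSTANTS = ['true', 'false', 'null'];
// Operators/literals permitted, by token id, and single-character tokens.
const WL_ALLOWED_TOKEN_IDS = [
    T_WHITESPACE, T_LNUMBER, T_CONSTANT_ENCAPSED_STRING,
    T_BOOLEAN_AND, T_BOOLEAN_OR, T_LOGICAL_AND, T_LOGICAL_OR, T_LOGICAL_XOR,
    T_IS_EQUAL, T_IS_NOT_EQUAL, T_IS_IDENTICAL, T_IS_NOT_IDENTICAL,
];
const WL_ALLOWED_CHARS = ['(', ')', ',', '!'];

// Returns null if $logic uses only allowed tokens, otherwise the reason.
// Variables, ';', '"' interpolation, backticks, casts, namespaces, comments and
// any function not on the list are all rejected because they are not allowed.
function wl_validate(string $logic): ?string
{
    $tokens = token_get_all('<?php ' . $logic);
    array_shift($tokens);                       // drop the T_OPEN_TAG we added
    $count = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (is_string($tok)) {                  // single-character token
            if (!in_array($tok, WL_ALLOWED_CHARS, true)) {
                return "character '$tok' not allowed";
            }
            continue;
        }
        [$id, $text] = $tok;
        if ($id === T_STRING) {
            $name = strtolower($text);          // PHP function names are case-insensitive
            $j = $i + 1;                        // skip whitespace to see if this is a call
            while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            $isCall = $j < $count && $tokens[$j] === '(';
            if ($isCall && !in_array($name, WL_ALLOWED_FUNCTIONS, true)) {
                return "function '$text' not allowed";
            }
            if (!$isCall && !in_array($name, WL_ALLOWED_CONSTANTS, true)) {
                return "identifier '$text' not allowed";
            }
            continue;
        }
        if (!in_array($id, WL_ALLOWED_TOKEN_IDS, true)) {
            return token_name($id) . ' not allowed';
        }
    }
    return null;
}

// Evaluates an expression only after it passed wl_validate(); never eval raw input.
function wl_evaluate(string $logic): bool
{
    if (wl_validate($logic) !== null) {
        return false;
    }
    return (bool) eval('return (' . $logic . ');');
}

// Save-time gate: keep the stored expression unless the user may edit theme
// options AND the new expression validates. Inside WordPress pass
// fn() => current_user_can('edit_theme_options') as $canEdit.
function wl_update(string $new, string $old, callable $canEdit): string
{
    return ($canEdit() && wl_validate($new) === null) ? $new : $old;
}

// Stand-alone demo with constructed inputs; stubs stand in for WordPress tags.
if (!function_exists('is_home')) { function is_home(): bool { return true; } }
if (!function_exists('is_page')) { function is_page($p = null): bool { return $p === 'about'; } }

$cases = [
    ["is_home() && !is_page('contact')", true],
    ['is_home() || system("rm -rf /")', false],  // unknown function
    ['is_home(); phpinfo()', false],             // ';' is not an allowed character
    ['is_page("$x")', false],                    // "$x" tokenizes as '"' + T_VARIABLE
    ['is_page($x)', false],                      // T_VARIABLE not allowed
];
foreach ($cases as [$logic, $expectValid]) {
    $reason = wl_validate($logic);
    printf("%-36s %s\n", $logic, $reason === null ? 'ok' : 'rejected: ' . $reason);
    if (($reason === null) !== $expectValid) {
        throw new RuntimeException("unexpected result for: $logic");
    }
}
var_dump(wl_evaluate("is_home() && !is_page('contact')"));   // bool(true)
var_dump(wl_update('is_page()', 'is_home()', fn() => false)); // string "is_home()": no capability, old value kept
```

    Run it with `php wl_demo.php`. The point of working on tokens rather than on a regex is that PHP’s own tokenizer decides what is a function name, a variable, or a string, so `IS_HOME()`, `\is_home()`, `"$x"` interpolation and a trailing `;` are all classified correctly; the save-time gate matters as much as the whitelist, because a capability check at render time does nothing for an expression that was stored by a less-privileged user earlier.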

  • The topic ‘[Plugin: Widget Logic] Security hole?’ is closed to new replies.