
bbPress.org

Opened 17 years ago

Closed 17 years ago

Last modified 17 years ago

#1172 closed defect (bug) (fixed)

Need Sanity Check for Plugin Page Callbacks

Reported by: filosofo
Owned by:
Milestone: 1.0.3
Priority: high
Severity: major
Version: 1.0.1
Component: General - Administration
Keywords:
Cc:

Description

bbPress should verify that a plugin page callback is actually one of the registered plugin pages. The problem is that it currently executes any callable argument, such as this:

bb-admin/admin-base.php?plugin=phpinfo

Change History (4)

#1 @_ck_
17 years ago

  • Priority changed from normal to high
  • Severity changed from normal to major

I am bumping this to major/high because even though at least regular users cannot access the admin panel like on WordPress, moderators can escalate their access via certain functions, which is a bad situation.

This problem also exists on 0.9 so if easy, let's backport as a security issue.

#2 @sambauers
17 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [2347]) Maintain registry of valid plugin page callbacks. Fixes #1172.

#3 @sambauers
17 years ago

(In [2348]) branches 0.9: Maintain registry of valid plugin page callbacks. See #1172.

#4 @sambauers
17 years ago

This needs testing in both trunk and the 0.9 branch.
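
The check requested in the description and the registry approach named in [2347], sketched as an added example that is not bbPress's own code. Every function and variable name below is hypothetical, and the request values are constructed stand-ins for the `plugin` query parameter.

```php
<?php
// Added illustration; all names here are hypothetical, not bbPress's API.

// Registry filled only by the code path that adds a plugin admin page.
$example_registered_callbacks = array();

function example_register_plugin_page( $callback ) {
    global $example_registered_callbacks;
    // Only plain function-name strings that resolve right now are registered.
    if ( is_string( $callback ) && is_callable( $callback ) ) {
        $example_registered_callbacks[ $callback ] = true;
        return true;
    }
    return false;
}

// Before: anything PHP considers callable is executed, including built-ins.
function example_dispatch_unchecked( $requested ) {
    if ( is_callable( $requested ) ) {
        return call_user_func( $requested );
    }
    return null;
}

// After: the request value is only a lookup key into the registry.
function example_dispatch_checked( $requested ) {
    global $example_registered_callbacks;
    if ( ! is_string( $requested ) || ! isset( $example_registered_callbacks[ $requested ] ) ) {
        return null; // not a registered page: refuse rather than call it
    }
    return call_user_func( $requested );
}

// A plugin's page function, registered when the plugin loads.
function example_plugin_settings_page() {
    return 'settings page rendered';
}
example_register_plugin_page( 'example_plugin_settings_page' );

// Constructed request values standing in for $_GET['plugin'].
foreach ( array( 'example_plugin_settings_page', 'phpinfo', 'no_such_function' ) as $requested ) {
    $result = example_dispatch_checked( $requested );
    printf( "%-30s => %s\n", $requested, null === $result ? 'rejected' : $result );
}
```

With the registry in place, `is_callable()` no longer decides what runs: `phpinfo` is callable but was never registered, so the checked dispatcher rejects it the same way it rejects a nonexistent name.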
