• Resolved TheServerGuy

    (@icryptic)


    It creates a major security exploit to all users of a Multisite Network and would only take 1 account to be compromised to cause hell on the entire masses.

    With this plugin, a compromiser could steal data from the database (i.e. usernames, passwords, emails, everything). A compromiser could inject harmful data deliberately (or a naive / ignorant user could).

    This plugin allows the compromiser (or user) to insert executable PHP.

    I am suggesting you disable the insertion of PHP via this plugin using something to this extent…

    if ( is_multisite() ) {
        if ( is_super_admin() && current_user_can( 'manage_network_options' ) ) {
            // if is multisite, only network admin can insert PHP
        }
    } else {
        // if is NOT multisite, then Admins can insert PHP
    }

    https://www.ads-software.com/plugins/header-footer/

Viewing 1 replies (of 1 total)
  • Plugin Author Stefano Lissa

    (@satollo)

    Yes, that could be a patch, but even letting uncontrolled users add JavaScript freely on a site is not a good idea…

    Anyway, Header and Footer was not designed for a multisite env., at least not for multiuser.
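
An added example, not part of either post and not the plugin's own code: one way to apply the capability check suggested in the first post when a snippet is saved, combined with WordPress's `unfiltered_html` capability to cover the JavaScript concern raised in the reply. The `hf_example_*` function names, the settings group and the option key are hypothetical.

```php
<?php
// Added example, not the plugin's code. The hf_example_* names and the
// option key are hypothetical.

// Who may save a snippet that will later be executed as PHP?
function hf_example_can_store_php() {
    if ( is_multisite() ) {
        // Multisite: network (super) admins only.
        return is_super_admin() && current_user_can( 'manage_network_options' );
    }
    // Single site: administrators.
    return current_user_can( 'manage_options' );
}

// Sanitize callback: runs on every save of the hypothetical option.
function hf_example_sanitize_snippet( $raw ) {
    $snippet = (string) $raw;

    // Refuse the whole change rather than stripping tags, so nothing can be
    // reassembled from what a partial filter leaves behind.
    if ( false !== strpos( $snippet, '<?' ) && ! hf_example_can_store_php() ) {
        add_settings_error(
            'hf_example_snippet',
            'hf_example_php_denied',
            'PHP is not allowed in this field for your account.'
        );
        return get_option( 'hf_example_snippet', '' ); // keep the stored value
    }

    // On multisite only super admins hold unfiltered_html, so a site admin's
    // <script> tags and inline event handlers are removed here.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $snippet = wp_kses_post( $snippet );
    }

    return $snippet;
}

add_action( 'admin_init', function () {
    register_setting( 'hf_example_group', 'hf_example_snippet', array(
        'sanitize_callback' => 'hf_example_sanitize_snippet',
    ) );
} );
```

A save-time check does not cover snippets already in the database, so the code that outputs them would need a matching rule.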

  • The topic ‘Dangerous for Multisite’ is closed to new replies.