• Resolved bgrygla

    (@bgrygla)


I noticed that if I assign any group (I am testing with 75 groups) read permissions to a stored username, all users that are a part of ANY group (not only the group that I gave permissions to) are able to read the password for that username. Digging through tools.php I found the SQL statement on lines 412 to 419 for showing usernames and noticed that there is no ‘where’ clause to decide whether the user is actually a part of the group that has been given permissions. To fix this issue on my build I temporarily tweaked the SQL on line 419 from:
    where username LIKE %s {$extra_where};
    To:
    where username LIKE %s {$extra_where} and (gu.group_id is not null or up.read_per = 1)";

    Not sure what ramifications this will have so I wanted to post it here for some feedback. I do have the switch for “Hide Accounts User Does Not Have Access To:” checked.

    Also, I had to change lines 329-333 in order to get the plugin to add users.
    From:

    // Broken: the placeholder values are handed to query(), which does not
    // take them, so prepare() is called with nothing to bind into $sql.
    $wpdb->query(
    	$wpdb->prepare(
    		$sql
    	), array($user_id, $vault_id)
    );

    To:

    // Fixed: the values are passed to prepare(), which binds them into the
    // placeholders before the finished statement is handed to query().
    $wpdb->query(
    	$wpdb->prepare(
    		$sql,
    		$user_id,
    		$vault_id
    	)
    );

    https://www.ads-software.com/plugins/password-vault/
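The access-control failure described in this post, reproduced as an added example that is not part of the original thread or of the plugin's code. The schema, table names and sample rows below are assumptions standing in for the plugin's real tables (only the aliases `gu`, `up` and the columns `group_id`, `read_per`, `username` come from the post); the base query is a reconstruction built from LEFT JOINs, so in this form the unfiltered version shows every entry to every requester, which is the same failure mode: joins that only decorate rows never exclude any, and only the trailing `(gu.group_id IS NOT NULL OR up.read_per = 1)` predicate enforces who may read what. Parameters are bound by `execute()` rather than formatted into the string, the sqlite3 counterpart of handing the arguments to `prepare()` instead of `query()`.

```python
import sqlite3

# Toy schema standing in for the plugin's tables (assumption; the real
# schema is not shown on the page). Aliases gu/up mirror the reported query.
SCHEMA = """
CREATE TABLE vault (id INTEGER PRIMARY KEY, username TEXT NOT NULL, secret TEXT NOT NULL);
CREATE TABLE group_users (group_id INTEGER NOT NULL, user_id INTEGER NOT NULL);
CREATE TABLE group_perms (group_id INTEGER NOT NULL, vault_id INTEGER NOT NULL, read_per INTEGER NOT NULL);
CREATE TABLE user_perms (user_id INTEGER NOT NULL, vault_id INTEGER NOT NULL, read_per INTEGER NOT NULL);
"""

# Constructed sample data: three stored logins, two groups, three users.
SAMPLE = [
    ("INSERT INTO vault VALUES (?,?,?)",
     [(1, "db-admin", "s3cr3t"), (2, "backup", "hunter2"), (3, "legacy", "p@ss")]),
    ("INSERT INTO group_users VALUES (?,?)", [(1, 10), (2, 20)]),        # alice=10 in group 1, bob=20 in group 2
    ("INSERT INTO group_perms VALUES (?,?,?)", [(1, 1, 1)]),             # group 1 may read entry 1
    ("INSERT INTO user_perms VALUES (?,?,?)", [(20, 2, 1), (30, 3, 0)]), # bob may read entry 2; carol=30 denied entry 3
]

# Reconstruction of the listing query: the joins look up the requester's
# membership in a granted group (gu) and any direct grant (up), but a LEFT
# JOIN never drops a row, so without a filter every entry comes back.
BASE_QUERY = """
SELECT DISTINCT v.username, v.secret
FROM vault v
LEFT JOIN group_perms gp ON gp.vault_id = v.id AND gp.read_per = 1
LEFT JOIN group_users gu ON gu.group_id = gp.group_id AND gu.user_id = :uid
LEFT JOIN user_perms  up ON up.vault_id = v.id AND up.user_id = :uid
WHERE v.username LIKE :pattern
"""

# The missing predicate from the post: keep a row only if the requester is
# in a group that was granted read, or holds a direct read grant.
ACCESS_FILTER = " AND (gu.group_id IS NOT NULL OR up.read_per = 1)"


def build_db():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for stmt, rows in SAMPLE:
        conn.executemany(stmt, rows)
    return conn


def readable_entries(conn, user_id, pattern="%", fixed=True):
    """Sorted usernames that user_id is shown. With fixed=False the query
    runs without the access filter, as in the report. Values are bound by
    execute(), never interpolated into the SQL text."""
    sql = BASE_QUERY + (ACCESS_FILTER if fixed else "")
    rows = conn.execute(sql, {"uid": user_id, "pattern": pattern}).fetchall()
    return sorted(username for username, _secret in rows)


def compare(conn, user_ids=(10, 20, 30)):
    """(unfiltered, filtered) listings per user, to show the difference."""
    return {uid: (readable_entries(conn, uid, fixed=False),
                  readable_entries(conn, uid)) for uid in user_ids}


if __name__ == "__main__":
    db = build_db()
    for uid, (leaky, filtered) in compare(db).items():
        print(f"user {uid}: unfiltered={leaky} filtered={filtered}")
```

Run stand-alone, the unfiltered query lists all three entries for every user, while the filtered query shows alice only the entry her group was granted, bob only his direct grant, and carol nothing (her explicit `read_per = 0` row does not satisfy `up.read_per = 1`). The `LIKE :pattern` argument plays the role of the `username LIKE %s` placeholder in the reported statement.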

Viewing 1 replies (of 1 total)
  • Plugin Author mrdenny

    (@mrdenny)

    bgrygla,
    Thanks for the feedback. I’ve incorporated these changes into the release which you should see coming out shortly.

    If you see anything else that’s an issue please let me know.

  • The topic ‘Password view-able to any person in any group’ is closed to new replies.