Ticket #6908 (closed defect: duplicate)

Opened 4 months ago

Last modified 4 months ago

Creating new users role - a security risk?

Reported by: CrazySerb Assigned to: anonymous
Priority: normal Milestone:
Component: Security Version: 2.5.1
Severity: normal Keywords: user roles, group levels
Cc:

Description

OK, I've noticed that users with roles below Administrator (if allowed to create/edit/delete users, as defined in the Role Manager plugin) are able to:

- list all users (which is a bit insecure, as I would expect them to be able only to list users in levels up to their level, not above, like admins)

- edit/delete all users (which is even more insecure, as this way they can simply "upgrade" any of the existing users to admins with no problem)

- add new users with any roles assigned to them, even administrator role.

Could that be fixed, so that users in group with a level of 7 can't see any of the other groups above level 7, and can't create new/edit existing users and assign them any role higher than 7, for example?

Otherwise, this is a major security risk for anyone allowing any users in groups less than administrator to administer other users.

Change History

(follow-up: comment 2) 05/05/08 16:36:10 changed by Otto42

  • priority changed from highest omg bbq to normal.
  • severity changed from major to normal.
  • milestone set to 2.7.

Allowing users to edit users higher than themselves does indeed not make much sense, however the user level number idea is deprecated/not used anymore. Perhaps some way to define an order on the Roles, thus allowing it to determine which roles are above other roles?

(in reply to: comment 1) 05/06/08 00:42:38 changed by DD32

Replying to Otto42:

Allowing users to edit users higher than themselves does indeed not make much sense, however the user level number idea is deprecated/not used anymore. Perhaps some way to define an order on the Roles, thus allowing it to determine which roles are above other roles?

This was discussed on another ticket/mailing list, I can't remember where.

The idea which was suggested that made most sense to me was that users should not be able to create a user with a capability they themselves do not have, so if they do not have the manage_options capability, they should not be able to create a user who would have the manage_options cap. And a similar route for editing users.
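The capability-containment rule described in the comment above, as an added plugin-side example (not WordPress core code and not from this ticket): the `cbue_` prefix is hypothetical, and it assumes a WordPress version that provides the `editable_roles` and `map_meta_cap` filters.

```php
<?php
/**
 * Plugin Name: Capability-Bounded User Management (illustrative example)
 *
 * Enforces the rule proposed in the ticket: a user may only assign roles, and
 * may only edit or delete users, whose capabilities are a subset of their own.
 * The "cbue_" prefix is hypothetical; 'editable_roles' and 'map_meta_cap' are
 * WordPress core filters (assumed available in the WordPress version in use).
 */

// Drop every role from the role dropdown that grants a capability the
// current user lacks, so a non-admin cannot hand out "administrator".
function cbue_filter_editable_roles( $all_roles ) {
    foreach ( $all_roles as $slug => $role ) {
        foreach ( $role['capabilities'] as $cap => $granted ) {
            if ( $granted && ! current_user_can( $cap ) ) {
                unset( $all_roles[ $slug ] );
                break;
            }
        }
    }
    return $all_roles;
}
add_filter( 'editable_roles', 'cbue_filter_editable_roles' );

// Deny edit_user / delete_user / promote_user on a target who holds any
// capability (or role) the acting user does not, so an existing user
// cannot be "upgraded" even if the form is submitted directly.
function cbue_map_meta_cap( $caps, $cap, $user_id, $args ) {
    if ( ! in_array( $cap, array( 'edit_user', 'delete_user', 'promote_user' ), true ) ) {
        return $caps;
    }
    $actor  = get_userdata( (int) $user_id );
    $target = isset( $args[0] ) ? get_userdata( (int) $args[0] ) : false;
    if ( ! $actor || ! $target || $actor->ID === $target->ID ) {
        return $caps; // unknown users or self-edit: keep core's mapping
    }
    foreach ( $target->allcaps as $tcap => $granted ) {
        if ( $granted && empty( $actor->allcaps[ $tcap ] ) ) {
            return array( 'do_not_allow' );
        }
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'cbue_map_meta_cap', 10, 4 );
```

The first filter only narrows the role dropdown; the second is the enforcement layer, since `current_user_can( 'edit_user', $id )` goes through `map_meta_cap` regardless of how the request was built.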

05/07/08 14:30:06 changed by pishmishy

  • status changed from new to closed.
  • resolution set to duplicate.
  • milestone deleted.

It was discussed in #6014, which is identical in principle to this ticket.

To repeat myself, we shouldn't be imposing any ordering on roles:

* An order would be equivalent to the user level numbers (albeit with different labels). We moved away from this.

* We'd never agree on a default ordering (we leave such things to plugins if desired by the user).

Problems arise because people aren't informed of the true extent of 'edit_users' capability. I suggested that the authors of plugins who allow users to mess with capabilities should make it very clear to their users. I still don't believe it's a WordPress issue (although we could look at improving our documentation), but I'll hold off closing the other ticket for risk of upsetting too many people :-)