
Security hole with plug-ins in phpws 0.7.10

Anonymous
2001-08-18
2001-11-11
  • Anonymous

    Anonymous - 2001-08-18

    I have been doing some testing on version 0.7.10 and have found that the setup and admin programs for plug-ins on my test system may be executed by any user.  The programs do not seem to properly check for an admin login before executing. This hole allows anyone to add a plug-in or modify plug-in settings on your site.

    In version 0.7.9, if you tried to execute one of the plug-in setup or admin programs without logging in first as an admin, you would be passed to the login screen before proceeding. In version 0.7.10 you are able to execute the privileged programs without logging in.

    If you have installed 0.7.10 on your system you can check to see if you are vulnerable by trying to run one of the setup programs. To do so, first make sure you are not logged in as the administrator. Second, try to run one of the setup programs such as weather_setup.php. You would do this by browsing to http://www.yourdomain.com/weather_setup.php. If you get the setup confirmation screen instead of the login screen then your site is vulnerable.

    I do not know what the fix is yet but I wanted to warn anyone who may have upgraded to 0.7.10.  I have not yet upgraded and will continue to test before doing so and I will post a fix here and notify the development team if I find it before they do.

    If you have already updated to 0.7.10 and are vulnerable, I recommend that you delete the setup programs for all of the plug-ins and that you rename or remove the admin programs as well.  If you rename them, you will also have to rename them in the plugins table if you need to further administer the plugin.

    Good luck and safe computing,
    John Vedral
    http://www.MainelyWeb.com
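    The missing check described in this report, shown as an added example rather than phpWebSite's own code: the reported 0.7.10 shape runs the plug-in installer with no check at all, while the hardened shape gates every plug-in setup or admin script on the session-based admin login before any work is done. The `$_SESSION['admin']` key, the `/login.php` URL and the `install_weather_plugin()` installer are assumptions, not phpWebSite identifiers, and the code is written for current PHP rather than the 2001 session API.

    ```php
    <?php
    // Added example, not phpWebSite code. Assumes the core login code sets
    // $_SESSION['admin'] = true (assumed key) only after a successful admin login.

    function require_admin(string $login_url = '/login.php'): void
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        // Trust only the server-side session. Nothing from $_GET, $_POST or a
        // cookie value is consulted, so a visitor cannot claim admin in the request.
        $is_admin = isset($_SESSION['admin']) && $_SESSION['admin'] === true;
        if (!$is_admin) {
            // Send the visitor to the login screen (the 0.7.9 behaviour) and stop.
            // The exit matters: a redirect header alone does not halt the script,
            // and the install logic below would still run for an anonymous visitor.
            $return = urlencode($_SERVER['REQUEST_URI'] ?? '/');
            header('Location: ' . $login_url . '?return=' . $return, true, 303);
            exit;
        }
    }

    // Reported 0.7.10 shape: the setup script does its work unconditionally.
    //   install_weather_plugin();   // anyone who browses to the script runs this
    //
    // Hardened shape: the guard runs before anything else in the script.
    require_admin();
    install_weather_plugin();

    // Assumed stand-in for the plug-in's real installer.
    function install_weather_plugin(): void
    {
        echo "Weather plug-in set up (admin session confirmed).\n";
    }
    ```

    Even with the gate in place, removing the setup scripts once a plug-in is installed, as the report recommends, leaves nothing for an unauthenticated visitor to reach.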

    • Phil McAllister

      Phil McAllister - 2001-11-09

      Thanks for pointing this out. We're currently in the process of updating all the plugins to work with phpWebSite 0.8.0+ which is the major priority at the moment.

      The admin check changed between versions 0.7.9 and 0.7.10 due to the way admin logins changed to use sessions.

      We'll be making sure that all plugins with admin only pages and functions only make those pages and functions available to admins when we upgrade the plugins.

      I can't really comment on fixing the plugins for versions previous to 0.8.0 as we haven't discussed a strategy for those yet, but rest assured we will look into this.

      Cheers,

      --
      Phil McAllister

    • Edward Ritter

      Edward Ritter - 2001-11-11

      Yes, I've noticed this as well, and as Phil stated, we will be making sure that all the 0.8.0 plugins will only install if you are indeed an admin.  Our skeleton module will have an installer that makes sure an admin is authenticated before they can install.

      Ed Ritter

