The MU forums have moved to WordPress.org

MU Plugins Flaw 2.7 (11 posts)

  1. drinkingteddy
    Member
    Posted 15 years ago #

For some reason (in Firefox) regular users get to see and edit some admin plugins and features via a mysterious drop-down option in the admin bar. For this example I'm going to use the "admin_message" plugin.

Example: log in as any user in Firefox and go here, substituting in a user, your site and one of your admin plugins:

    http://subname.rootdomain.com/wp-admin/wpmu-admin.php?page=admin_message

Just us, or is this a problem?

  2. dsader
    Member
    Posted 15 years ago #

    Yes, I have noticed that, especially while trying to update Toggle Admin Menus plugin for WPMU2.7 compatibility.

You may try to rearrange the action hook load order of your plugins individually, but other than that I didn't dig very hard for a solution; I disabled the built-in admin bar and used my own instead.

  3. drinkingteddy
    Member
    Posted 15 years ago #

Thanks. But isn't this workaround asking for an injection into a site's admin/MU plugins from anyone who knows this flaw?

Users can attain access to all our MU plugin option pages either by typing the path directly into the address bar or, like I say, via an almost hidden drop-down in the admin bar.

Really lost on this one, as I can't see it being a plugin conflict, since all the MU plugins are affected.

  4. drinkingteddy
    Member
    Posted 15 years ago #

What I've discovered is: if any MU plugin has a configurable options page, then it is viewable and editable by regular users.

The MU plugin link also shows in the user's admin bar, albeit under a "Site Admin" parent link (that doesn't actually print in the bar).

  5. andrea_r
    Moderator
    Posted 15 years ago #

Sounds like Trac ticket time.

  6. drinkingteddy
    Member
    Posted 15 years ago #

    Ok, this is fixed now.

    Just a heads up to other folk using MU Plugins.

2.7 is different in structure to earlier versions. Unless your MU plugin has code such as:

    // Bail out of the options page unless the current user is a WPMU site admin.
    // The function_exists() guard keeps the file from fatalling on plain WordPress.
    if ( function_exists( 'is_site_admin' ) && ! is_site_admin() ) {
    	return;
    }

it will allow regular users to edit the settings. Of the 12 MU plugins we use, 7 of them needed editing.

  7. drinkingteddy
    Member
    Posted 15 years ago #

:oops: double post

  8. dsader
    Member
    Posted 15 years ago #

    A plugin page for SiteAdmin only should have a die line if not SiteAdmin such as:

    // Stop direct requests to the page (e.g. wpmu-admin.php?page=...) unless
    // the current user is a site admin; wp_die() ends the request right here.
    if ( ! is_site_admin() ) {
    	wp_die( __( 'You do not have permission to access this page.' ) );
    }

    Many WPMU plugins adding SiteAdmin pages lack this, hrrumph, detail. But this is not a new "exploit" under 2.7, AFAIK.

Removing the menu item (or the entire admin bar menu) does nothing to the accessibility of the page via a URL.

  9. drinkingteddy
    Member
    Posted 15 years ago #

    You would have thought.. :)

However, one of the site admin plugins with this problem is the "Gravatar" plugin developed, I believe, by bloggs.be and used a lot by WPMU admins?

  10. andrea_r
    Moderator
    Posted 15 years ago #

    "Many WPMU plugins adding SiteAdmin pages lack this, hrrumph, detail. But this is not a new "exploit" under 2.7, AFAIK."

    Yep, you are correct - it's not new and it's not strictly for 2.7.

  11. jamescollins
    Member
    Posted 15 years ago #

If you wrap your add_submenu_page(...) function call in an is_site_admin() check, then the page(s) won't be available to non-site-admins.

    Example:

    // Hook the menu registration; the callback below only registers the
    // page for site admins, so nobody else gets a link or a page.
    add_action( 'admin_menu', 'myplugin_menu' );

    function myplugin_menu() {
    	if ( is_site_admin() ) {
    		// Parent 'wpmu-admin.php' is the WPMU Site Admin menu; 10 is the admin user level.
    		add_submenu_page( 'wpmu-admin.php', 'My Plugin', 'My Plugin', 10, 'myplugin', 'myplugin_page' );
    	}
    }

    function myplugin_page() {
    	// Plugin content here will only be accessible by site admins
    }
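As an added example (not code from this thread, from WPMU, or from any real plugin), here is a hypothetical mu-plugin that puts post 8's wp_die() guard in the page callback and post 11's is_site_admin() guard around add_submenu_page() together in one place, with the unguarded version beside it for comparison. The plugin name "Site Notice", the function names, the `example_notice_text` option and the nonce action are all invented for this example; the WPMU functions it calls (is_site_admin, add_submenu_page, wp_die, get_site_option, update_site_option, wp_nonce_field, check_admin_referer) are the ones of that era.

```php
<?php
/*
 * Hypothetical mu-plugin "Site Notice" (added example, not from this thread
 * or from any real plugin). It combines the two fixes from the thread:
 * dsader's wp_die() at the top of the page callback and jamescollins's
 * is_site_admin() around add_submenu_page(). The unguarded version is kept
 * beside it for comparison and is never hooked. All function, option and
 * nonce names are invented for the example.
 */

// Shared form markup used by both versions. The saved text is rendered back
// into the page, so it is escaped with htmlspecialchars().
function example_notice_form( $with_nonce ) {
	$text = get_site_option( 'example_notice_text' );
	echo '<div class="wrap"><h2>Site Notice</h2><form method="post">';
	if ( $with_nonce ) {
		wp_nonce_field( 'example_notice_save' );
	}
	echo '<textarea name="notice_text" rows="4" cols="60">'
		. htmlspecialchars( (string) $text, ENT_QUOTES ) . '</textarea>';
	echo '<p><input type="submit" class="button" value="Save" /></p></form></div>';
}

/* ---------- 1. Unguarded: the pattern the thread describes ---------- */

// The 10 is a blog-level user level, not a site-admin check; nothing in this
// version asks whether the caller is a site admin. Not hooked; comparison only.
function unguarded_notice_menu() {
	add_submenu_page( 'wpmu-admin.php', 'Site Notice', 'Site Notice', 10,
		'unguarded_notice', 'unguarded_notice_page' );
}

function unguarded_notice_page() {
	// Any logged-in user who reaches wpmu-admin.php?page=unguarded_notice
	// (by URL, whether or not a menu link is visible) can save the option.
	if ( isset( $_POST['notice_text'] ) ) {
		update_site_option( 'example_notice_text', stripslashes( $_POST['notice_text'] ) );
	}
	example_notice_form( false );
}

/* ---------- 2. Guarded: the same page with the thread's checks ---------- */

function guarded_notice_menu() {
	// Hides the link from non-site-admins. On its own this is cosmetic, as
	// dsader notes: it does nothing for a URL typed into the address bar.
	if ( ! is_site_admin() ) {
		return;
	}
	add_submenu_page( 'wpmu-admin.php', 'Site Notice', 'Site Notice', 10,
		'guarded_notice', 'guarded_notice_page' );
}

function guarded_notice_page() {
	// The real gate: runs on every request for the page, menu link or not.
	if ( ! is_site_admin() ) {
		wp_die( __( 'You do not have permission to access this page.' ) );
	}
	if ( isset( $_POST['notice_text'] ) ) {
		// Beyond what the thread discusses: a nonce, so a logged-in site admin
		// cannot be made to submit this form from another site (CSRF).
		check_admin_referer( 'example_notice_save' );
		update_site_option( 'example_notice_text', stripslashes( $_POST['notice_text'] ) );
	}
	example_notice_form( true );
}

add_action( 'admin_menu', 'guarded_notice_menu' );
```

The point of the split is that the check in the menu function and the check in the page function protect against different things: the first only controls whether a link is drawn, the second is what answers a request for `wpmu-admin.php?page=guarded_notice`, and the save path needs its own protection (here a nonce) even once the caller is known to be a site admin. Dropping this file into wp-content/mu-plugins/ loads it on every blog of the install. Note that is_site_admin() belongs to WPMU; after MU was merged into WordPress 3.0 the equivalent check is is_super_admin().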

About this Topic

  • Started 15 years ago by drinkingteddy
  • Latest reply from jamescollins