aebs
Forum Replies Created
Hi guys,
Sorry for the late answer, it was crazy last week.
I’m sending Jeremy a private message with the detailed information about this.
Jupitercow, where do I send you the same information? Or do you guys both get in touch by email?
Hello Jeremy,
When I started the topic I realized there were 2 problems and I thought they were the same bug.
After fixing the bug that lets an author edit the posts of another author, I realized that the image bug is a different one and even a more dangerous one, as this allows an anonymous user to delete any file from the WordPress installation (even WordPress core files like wp-config.php).
I don’t want to make public how you can exploit this bug. How can we talk privately about this to help you fix it? I’m in love with this plugin so I want to keep using it, and I’d love to help you fix this security bug.
I found a solution!
Change file gravityforms-update-post.php on line 1189:
Before:
$capability = ( 'page' == $post_type ) ? 'edit_pages' : 'edit_posts';
After:
$capability = ( 'page' == $post_type ) ? 'edit_page' : 'edit_post';
When you are checking if the current user can edit posts, you use the capability “edit_posts”:
if ( current_user_can( 'edit_posts' ) ) { }
But, if you want to check if the current user can edit a defined post, you use the capability “edit_post”:
if ( current_user_can( 'edit_post', 123 ) ) { }
You can see another example here:
http://codex.ww.wp.xz.cn/Function_Reference/current_user_can#Examples
if ( current_user_can('edit_post', 123) ) { echo 'The current user can edit post 123'; }
Can you please include this fix in the next version of the plugin?
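The difference between the two capability checks, shown as a small self-contained handler. This is an added example and is not code from the plugin or from the poster; the function names, the request handling around the check, and the use of get_post()/absint()/wp_die() as the deny path are assumptions, while current_user_can() and the capability names are the ones discussed above.

```php
<?php
// Added example (not the plugin's own code). Assumes a WordPress environment:
// current_user_can, get_post, get_post_type, absint and wp_die are core functions.

// Weak form, matching the plugin's original line 1189: this only asks
// "can the current user edit posts at all?". Every Author has 'edit_posts',
// so this check passes even for a post that belongs to another author.
function update_post_allowed_weak( $post_id ) {
    $post_type  = get_post_type( $post_id );
    $capability = ( 'page' == $post_type ) ? 'edit_pages' : 'edit_posts';
    return current_user_can( $capability );
}

// Corrected form: 'edit_post' / 'edit_page' are meta capabilities that take
// the post ID. WordPress (map_meta_cap) resolves them against that specific
// post, e.g. to 'edit_others_posts' when the post has a different author,
// so an Author is denied for posts they do not own.
function update_post_allowed( $post_id ) {
    $post_id = absint( $post_id );
    if ( ! $post_id || ! get_post( $post_id ) ) {
        return false; // unknown or missing post: deny instead of falling through
    }
    $post_type  = get_post_type( $post_id );
    $capability = ( 'page' == $post_type ) ? 'edit_page' : 'edit_post';
    return current_user_can( $capability, $post_id );
}

// Handler sketch: the decision is made before any update is attempted.
function handle_update_post_request() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! update_post_allowed( $post_id ) ) {
        wp_die( 'You are not allowed to edit this post.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Only now is it safe to continue with wp_update_post() for $post_id.
}
```

The weak function is kept beside the corrected one only for comparison; the handler calls the corrected check.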