Possible Security Risk in WordPress Plugin Groups
Category : Allgemein , Sicherheit , WordPress
Description
How a WP user with user role editor and custom capability ‚groups_admin_groups‘ could gain almost admin level.
Test Environment
WordPress Version 3.9.3
WP Plugin Groups Version 1.4.12
Test Scenario
In a website project a WordPress User of a user role lower than admin (author, contributor, editor) should confirm user registrations and be able to group users with the WP Plugin Groups.
This is possible, if the user is granted the core capability ‚promote_users‚ (necessary as described in WP support)and the custom capabilities (coming with the groups plugin) ‚groups_access‚ and ‚groups_admin_groups‚
Without these two capabilities, it is not possible to
- create new groups
- add users to groups
Security Risk: User can gain near Admin capabilities
Now the user with restricted capabilities is allowed to create a new group. While adding a new or editing an existing group the user can add capabilities to this group.
Creating a super group with all core capabilities
The capabilities are not restricted by the user role of the current user. It is possible to add ALL core capabilities (including create user, delete user, switch theme, delete them, and more) and all custom capabilities and even create new capabilities.
Adding all capabilities to group
Change group membership in profile
After adding all capabilities to a test group, the user could save this, access his own profile and make himself member of this test group. Save and reload and welcome the new almost admin with full system access. The only difference, that a member of this super group is not member of the user role Administrator, not able to list and dreate and delete other admins.
Edit user profile change group membership
If a user is given a role with restricted capabilities this might happen for some reason, but perhaps not intended is a scenario of a self-empowered user with almost admin rights
BUG FIX (QUICK):
FILE:/wp-content/plugins/groups/lib/core/constants.php
Add the following at around LINE 62::
/**
* @var string grants access to add and edit capabilities
*/
define( 'GROUPS_ADMINISTER_CAPABILITIES', 'groups_admin_groups_capabilities');
To define a new capability accessible through Plugin User Role Editor
And Groups Options (For Admins)
FILE: /wp-content/plugins/groups/lib/admin/groups-admin-capabilities.php
After:
function groups_admin_capabilities() {
global $wpdb;
$output = '';
$today = date( 'Y-m-d', time() );
if ( !current_user_can( GROUPS_ADMINISTER_GROUPS ) ) {
wp_die( __( 'Access denied.', GROUPS_PLUGIN_DOMAIN ) );
}
at around LINE 50 add the following:
if ( !current_user_can( GROUPS_ADMINISTER_CAPABILITIES ) ) {
wp_die( __( 'Access denied.', GROUPS_PLUGIN_DOMAIN ) );
}
FILE: /wp-content/plugins/groups/lib/admin/groups-admin-groups-edit.php
Check for (at around LINE 100:)
$capability_table = _groups_get_tablename( 'capability' );
and add
//START CAPABILITIES
if ( current_user_can( GROUPS_ADMINISTER_CAPABILITIES ) ) {
before
and close brackets at around LINE 139 after
$output .= Groups_UIE::render_select( '.select.capability' );
add line
}//END CAPABILITIES
FILE: /wp-content/plugins/groups/lib/admin/groups-admin-groups-add.php
Before the following Lines (at around LINE 90):
$output .= '<div class="field">';
$capability_table = _groups_get_tablename( "capability" );</div>
Insert:
//START CAPABILITIES
if ( current_user_can( GROUPS_ADMINISTER_CAPABILITIES ) ) {
and close brackets at around Line 117 after:
$output .= Groups_UIE::render_select( '.select.capability' );
$output .= '</div>';
with:
}//END CAPABILITIES
FILE: /wp-content/plugins/groups/lib/admin/groups-admin-options.php
At around Line 50 change:
$caps = array(
GROUPS_ACCESS_GROUPS => __( 'Access Groups', GROUPS_PLUGIN_DOMAIN ),
GROUPS_ADMINISTER_GROUPS => __( 'Administer Groups', GROUPS_PLUGIN_DOMAIN ),
GROUPS_ADMINISTER_OPTIONS => __( 'Administer Groups plugin options', GROUPS_PLUGIN_DOMAIN ),
);
To:
$caps = array(
GROUPS_ACCESS_GROUPS => __( 'Access Groups', GROUPS_PLUGIN_DOMAIN ),
GROUPS_ADMINISTER_GROUPS => __( 'Administer Groups', GROUPS_PLUGIN_DOMAIN ),
GROUPS_ADMINISTER_CAPABILITIES => __( 'Administer Groups Capabilities', GROUPS_PLUGIN_DOMAIN ),
GROUPS_ADMINISTER_OPTIONS => __( 'Administer Groups plugin options', GROUPS_PLUGIN_DOMAIN ),
);
As Admin (Or with the capability groups_administer_options) you could now acces the Groups->Options page and check the new capability GROUPS_ADMINISTER_CAPABILITIES for the User Role Administrator
Groups->Options
Dashboard Groups Options
User Role Editor
Dashboard Users User Role Editor Capabilities Overview
Bugfix (Only modified files)
Here you can download the modified files
