Stop
Why the delay in discovery til reporting?
My fault - a colleague wrote the report, and I didn't notice it at the
time.
no, it doesn't matter. the vulnerability is yours and there is
absolutely no requirement for you to have reported in x amount of
time. you do not need to justify any amount of time.
On Wed, Apr 30, 2014 at 1:50 PM, Harry Metcalfe <harry@xxxxxxx> wrote:
Hi Illwill,
What circumstance would a WordPress admin not usually have
this kind of access anyhow?
As Dave said, there are various levels of administrator in
WordPress. But our perspective on these issues is just that a
WordPress administrator is not necessarily also a server
administrator. Plenty of our clients have staff who are
administrators but who certainly do not have anything equivalent
to root server access or permissions. There are also plenty of
multisite installations of WordPress where the administrators of
individual blogs have no permissions on other blogs, or on the
main site.
Why the delay in discovery til reporting?
My fault - a colleague wrote the report, and I didn't notice it at
the time.
Harry
On 2014-04-29 05:13, Illwill wrote:
What circumstance would a WordPress admin not usually have
this kind of access anyhow?
Although it's rarely used, WordPress does have the capability
to support multiple levels of administrators, in which case
one may have access to an already installed plugin, but not to
install their own.
The same may be true if this plugin were installed in
multiuser mode, although I haven't kept up on what is
permitted in multiuser mode, or whether this plugin works in
multiuser mode or not.
--
Harry Metcalfe
07790 559 876
@harrym
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/