Terrible mistake in Multi Users Plugin
#1
Today I found a serious security mistake in the Multi Users Plugin. After you create a new user as a Mod with limited permissions, you log in with the new user account and you absolutely can delete the ADMIN account in the User management. Really terrible. I fixed it my way. But you guys can find and fix it in your way. Hope the core team solves this problem when integrating the plugin into the new core.

Btw, when will the new version 3.4 be released? I am excited to see what's new.

Thank you
#2
No response on this?
#3
(2021-10-27, 01:27:10) dryland404 Wrote: No response on this?

Any newly created user can be assigned different rights.
https://prnt.sc/1xeov5p
#4
Unfortunately this plugin has been unmaintained for 10+ years and the author is no longer active.
I created a PR on GitHub 6 years ago to address some of the issues and it's still open: https://github.com/mikehenken/Multi-User/pull/3
Have you tried the forked version MultiUser 1.9.x? It's in the ZIP attached to this post: http://get-simple.info/forums/showthread...8#pid49838
Finally, I created gs_usermgr which has support for groups, permissions and roles, and works very well, but it has no UI (you have to manually update the XML files) so I never uploaded it to GS Extend.
Here is the forum thread: http://get-simple.info/forums/showthread.php?tid=9508
Here are the very detailed GitHub docs: https://github.com/webketje/gs_usermgr/wiki
And the download: https://github.com/webketje/gs_usermgr/a...master.zip