[buddypress-trac] [BuddyPress] #2329: Security problem: Join private/hidden groups by manipulating the URL with nonce
buddypress-trac at lists.automattic.com
Wed Apr 21 15:38:37 UTC 2010
#2329: Security problem: Join private/hidden groups by manipulating the URL with
nonce
----------------------+-----------------------------------------------------
Reporter: gottowik | Owner:
Type: defect | Status: new
Priority: critical | Milestone: 1.3
Component: Core | Keywords:
----------------------+-----------------------------------------------------
Everybody can join hidden projects by manipulating the URL. Just find a
valid nonce for joining a public group and use it for joining any private
or hidden group. Invitations or membership requests are not necessary to
join every group you like...
This bug was reported on bettercodes.org. If you have any questions
regarding this bug, please contact us: contact at bettercodes.org. Thanks!
--
Ticket URL: <http://trac.buddypress.org/ticket/2329>
BuddyPress <http://buddypress.org/>
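
The flaw described in this ticket, as an added example that is not BuddyPress code and not part of the original report: a simplified Python model in which a nonce scoped only to a generic action is the sole gate for joining, next to a version that binds the nonce to the group and checks membership rules separately. The names `make_nonce`, `nonce_ok`, `join_weak` and `join_hardened`, the secret, and the sample groups and invitations are constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed; stands in for the site's secret salt

# Constructed sample data: group id -> status, and pending invitations.
GROUPS = {1: "public", 2: "private", 3: "hidden"}
INVITES = {(42, 2)}  # (user_id, group_id): user 42 was invited to group 2


def make_nonce(user_id: int, action: str) -> str:
    """Token tied to a user and an action string (hypothetical helper)."""
    msg = f"{user_id}|{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def nonce_ok(nonce: str, user_id: int, action: str) -> bool:
    """Constant-time comparison against the expected token."""
    return hmac.compare_digest(nonce, make_nonce(user_id, action))


def join_weak(user_id: int, group_id: int, nonce: str) -> bool:
    """Pattern matching the report: a generic nonce is the only gate."""
    # group_id never enters the check, so one token is accepted for every group.
    return nonce_ok(nonce, user_id, "join_group")


def join_hardened(user_id: int, group_id: int, nonce: str) -> bool:
    """Nonce bound to the group, plus an authorization check of its own."""
    if group_id not in GROUPS:
        return False
    if not nonce_ok(nonce, user_id, f"join_group_{group_id}"):
        return False
    # The nonce only proves request intent; membership rules are checked separately.
    return GROUPS[group_id] == "public" or (user_id, group_id) in INVITES
```

In this model the second check is the one that matters: even a correctly scoped nonce for a hidden group does not grant membership without an invitation.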