[buddypress-trac] [BuddyPress] #2329: Security problem: Join private/hidden groups by manipulating the URL with nonce
buddypress-trac at lists.automattic.com
Fri Apr 23 00:13:22 UTC 2010
#2329: Security problem: Join private/hidden groups by manipulating the URL with nonce
----------------------+-----------------------------------------------------
Reporter: gottowik | Owner:
Type: defect | Status: new
Priority: critical | Milestone: 1.2.4
Component: Core | Keywords: has-patch needs-testing
----------------------+-----------------------------------------------------
Comment(by boonebgorges):
Tested, but it doesn't seem to work. Turns out that group joining (as
opposed to group invitation accepting, which wpmuguru's patch addresses)
isn't even checked against the nonce. I'll fix that, but I'll post it in
an enhancement ticket.
For this fix, it seemed appropriate to check to see if the group being
joined is not public, and if so to check whether the current user has a
pending invitation to the group, otherwise to throw an error. Patch
attached.
--
Ticket URL: <http://trac.buddypress.org/ticket/2329#comment:3>
BuddyPress <http://buddypress.org/>
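The check the comment describes, as an added illustration written for this archive page (it is not the patch attached to the ticket and not BuddyPress's own code): the join handler first verifies the request nonce, then, if the group is not public, allows the join only when the current user holds a pending invitation, and otherwise reports an error. `wp_verify_nonce`, `wp_die` and `get_current_user_id` are WordPress functions; `groups_get_group`, `groups_check_user_has_invite`, `groups_join_group`, `bp_core_add_message`, `bp_core_redirect` and `bp_get_group_permalink` are assumed BuddyPress-style helpers, and the `example_` functions are hypothetical names chosen here.

```php
<?php
// Added example (not the ticket's patch). BuddyPress-style helper names
// and the 'groups_join_group' nonce action are assumptions.

/**
 * Policy decision: may $user_id join $group?
 *
 * $group is assumed to expose ->status as 'public', 'private' or 'hidden';
 * $has_invite is the result of the pending-invitation lookup for this user.
 */
function example_can_join_group( $group, $user_id, $has_invite ) {
    if ( ! $group || ! isset( $group->status ) ) {
        return false;                  // unknown group: deny by default
    }
    if ( 'public' === $group->status ) {
        return true;                   // anyone may join a public group
    }
    // private or hidden: only a user with a pending invitation may join
    return (bool) $has_invite;
}

/**
 * Request handler for the "join group" action.
 * Returns true when the join went through, false when it was refused.
 */
function example_handle_join_request( $group_id ) {
    // 1. Nonce check: the join action must carry a valid nonce, so a
    //    crafted URL alone cannot trigger it (the ticket's root issue).
    $nonce = isset( $_GET['_wpnonce'] ) ? $_GET['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'groups_join_group' ) ) {   // assumed action name
        wp_die( 'Invalid request.' );
    }

    // 2. Membership policy: non-public groups require a pending invitation.
    $user_id = get_current_user_id();
    $group   = groups_get_group( array( 'group_id' => $group_id ) );   // assumed BP helper
    $invited = groups_check_user_has_invite( $user_id, $group_id );    // assumed BP helper

    if ( ! example_can_join_group( $group, $user_id, $invited ) ) {
        bp_core_add_message( 'You need an invitation to join this group.', 'error' );
        bp_core_redirect( bp_get_group_permalink( $group ) );
        return false;
    }

    // 3. Only now perform the state change.
    groups_join_group( $group_id, $user_id );
    return true;
}
```

The policy is kept in its own function so it can be unit-tested without a request context: `example_can_join_group( (object) array( 'status' => 'private' ), 7, false )` must return false, and the same call with `true` as the last argument must return true, while a `'public'` group returns true regardless of the invitation flag.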