[buddypress-trac] [BuddyPress] #2660: Specially crafted signup can bypass activation key on single install

buddypress-trac at lists.automattic.com buddypress-trac at lists.automattic.com
Thu Sep 30 02:07:02 UTC 2010


#2660: Specially crafted signup can bypass activation key on single install
----------------------+-----------------------------------------------------
 Reporter:  wpmuguru  |       Owner:           
     Type:  defect    |      Status:  new      
 Priority:  normal    |   Milestone:  1.2.6    
Component:  Core      |    Keywords:  has-patch
----------------------+-----------------------------------------------------
 If a registration is completed with a unique first or last name (ex. a
 hash), then that unique name can be used to activate the user account
 without the activation key (which allows registration to bypass email
 validation).

 Sorry for not having a patch file, I found this while looking at something
 else.

 http://trac.buddypress.org/browser/branches/1.2/bp-core/bp-core-
 signup.php#L477

 {{{
 $user_id = $wpdb->get_var( $wpdb->prepare( "SELECT user_id FROM
 $wpdb->usermeta WHERE meta_value = %s", $key ) );
 }}}

 Should be

 {{{
 $user_id = $wpdb->get_var( $wpdb->prepare( "SELECT user_id FROM
 $wpdb->usermeta WHERE meta_key = 'activation_key' AND meta_value = %s",
 $key ) );
 }}}

-- 
Ticket URL: <https://trac.buddypress.org/ticket/2660>
BuddyPress <http://buddypress.org/>
BuddyPress


More information about the buddypress-trac mailing list