[buddypress-trac] [BuddyPress] #2660: Specially crafted signup can bypass activation key on single install
buddypress-trac at lists.automattic.com
Thu Sep 30 02:07:02 UTC 2010
#2660: Specially crafted signup can bypass activation key on single install
----------------------+-----------------------------------------------------
Reporter: wpmuguru | Owner:
Type: defect | Status: new
Priority: normal | Milestone: 1.2.6
Component: Core | Keywords: has-patch
----------------------+-----------------------------------------------------
If a registration is completed with a unique first or last name (ex. a
hash), then that unique name can be used to activate the user account
without the activation key (which allows registration to bypass email
validation).
Sorry for not having a patch file, I found this while looking at something
else.
http://trac.buddypress.org/browser/branches/1.2/bp-core/bp-core-signup.php#L477
{{{
$user_id = $wpdb->get_var( $wpdb->prepare(
    "SELECT user_id FROM $wpdb->usermeta WHERE meta_value = %s",
    $key
) );
}}}
Should be
{{{
$user_id = $wpdb->get_var( $wpdb->prepare(
    "SELECT user_id FROM $wpdb->usermeta WHERE meta_key = 'activation_key' AND meta_value = %s",
    $key
) );
}}}
--
Ticket URL: <https://trac.buddypress.org/ticket/2660>
BuddyPress <http://buddypress.org/>
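
The difference between the two queries in the ticket, as an added regression-style example that is not part of the original report or BuddyPress code: it runs both `WHERE` clauses against an in-memory SQLite table shaped like `usermeta`. The function names, the sample rows and the use of SQLite in place of MySQL are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample rows: (user_id, meta_key, meta_value).
# User 7 registered with a unique first name; both users are still unactivated.
SAMPLE_ROWS = [
    (7, "first_name", "zq81-unique-name"),
    (7, "last_name", "Example"),
    (7, "activation_key", "constructed-secret-key"),
    (8, "first_name", "Alice"),
    (8, "activation_key", "another-constructed-key"),
]

def build_usermeta(rows):
    """Create an in-memory stand-in for the usermeta table (hypothetical helper)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE usermeta (umeta_id INTEGER PRIMARY KEY, "
        "user_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    db.executemany(
        "INSERT INTO usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)", rows
    )
    return db

def lookup_unscoped(db, key):
    """Query as reported: any meta row whose value equals the key matches."""
    row = db.execute(
        "SELECT user_id FROM usermeta WHERE meta_value = ?", (key,)
    ).fetchone()
    return row[0] if row else None

def lookup_scoped(db, key):
    """Query as proposed in the ticket: only the activation_key row can match."""
    row = db.execute(
        "SELECT user_id FROM usermeta "
        "WHERE meta_key = 'activation_key' AND meta_value = ?", (key,)
    ).fetchone()
    return row[0] if row else None

def compare(key):
    """Return (unscoped_result, scoped_result) for one submitted key."""
    db = build_usermeta(SAMPLE_ROWS)
    try:
        return lookup_unscoped(db, key), lookup_scoped(db, key)
    finally:
        db.close()

if __name__ == "__main__":
    for submitted in ("zq81-unique-name", "constructed-secret-key", "no-such-value"):
        print(submitted, compare(submitted))
```

A check like `compare()` can be kept as a regression test: a profile-field value must never resolve to a user ID through the activation lookup.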