Skip to:
Content

BuddyPress.org

Opened 14 years ago

Closed 14 years ago

#2329 closed defect (bug) (fixed)

Security problem: Join private/hidden groups by manipulating the URL with nonce

Reported by: gottowik's profile gottowik Owned by:
Milestone: 1.2.4 Priority: critical
Severity: Version:
Component: Core Keywords: has-patch needs-testing
Cc: boonebgorges@…

Description

Everybody can join hidden projects by manipulating the URL. just find a valid nonce for joining a public group and use it for joining any private or hidden group. Invitations or membership requests are not necessary to join every group you like...

This bug was reported on bettercodes.org. If you got any questions regarding this bug pls contact us: contact@…. Thanks!

Attachments (2)

2329.diff (1.6 KB) - added by wpmuguru 14 years ago.
prevent_private_group_funny_business.patch (2.3 KB) - added by boonebgorges 14 years ago.

Download all attachments as: .zip

Change History (10)

#1 @DJPaul
14 years ago

  • Milestone changed from 1.3 to 1.2.4

@wpmuguru
14 years ago

#2 @wpmuguru
14 years ago

  • Keywords has-patch needs-testing added

That patch is against the 1.2 branch. It adds the group ID to the nonce key which will prevent it being used with a different group.

#3 @boonebgorges
14 years ago

Tested, but it doesn't seem to work. Turns out that group joining (as opposed to group invitation accepting, which wpmuguru's patch addresses) isn't even checked against the nonce. I'll fix that, but I'll post it in an enhancement ticket.

For this fix, it seemed appropriate to check to see if the group being joined is not public, and if so to check whether the current user has a pending invitation to the group, otherwise to throw an error. Patch attached.

#4 follow-up: @boonebgorges
14 years ago

BTW I also had to fix a couple of those pesky function_exists('friends_install') checks that snuck there way back into the trunk in [2925]

#5 in reply to: ↑ 4 @boonebgorges
14 years ago

Replying to boonebgorges:

BTW I also had to fix a couple of those pesky function_exists('friends_install') checks that snuck there way back into the trunk in [2925]

otherwise I couldn't actually test by sending group invitations :)

#6 @boonebgorges
14 years ago

  • Cc boonebgorges@… added

#7 @wpmuguru
14 years ago

boonebgorges' enhancement ticket: #2336

#8 @johnjamesjacoby
14 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [2954]) Fixes #2329 props boonebgorges

Note: See TracTickets for help on using tickets.