Opened 15 years ago
Closed 15 years ago
#2329 closed defect (bug) (fixed)
Security problem: Join private/hidden groups by manipulating the URL with nonce
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 1.2.4 | Priority: | critical |
Severity: | | Version: | |
Component: | Core | Keywords: | has-patch needs-testing |
Cc: | boonebgorges@… | | |
Description
Everybody can join hidden projects by manipulating the URL. Just find a valid nonce for joining a public group and use it for joining any private or hidden group. Invitations or membership requests are not necessary to join every group you like...
This bug was reported on bettercodes.org. If you have any questions regarding this bug, please contact us: contact@…. Thanks!
Attachments (2)
Change History (10)
#3 @ 15 years ago
Tested, but it doesn't seem to work. Turns out that group joining (as opposed to group invitation accepting, which wpmuguru's patch addresses) isn't even checked against the nonce. I'll fix that, but I'll post it in an enhancement ticket.
For this fix, it seemed appropriate to check to see if the group being joined is not public, and if so to check whether the current user has a pending invitation to the group, otherwise to throw an error. Patch attached.
#4 follow-up: ↓ 5 @ 15 years ago
BTW I also had to fix a couple of those pesky function_exists('friends_install') checks that snuck their way back into the trunk in [2925].
That patch is against the 1.2 branch. It adds the group ID to the nonce key which will prevent it being used with a different group.
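
The two fixes discussed in this ticket (adding the group ID to the nonce key, and requiring a pending invitation before a non-public group can be joined), modelled as an added example that is not BuddyPress code and not either attached patch. The HMAC-based nonce, the `join_group` action string, the function names and the sample groups are all assumptions made up for illustration.

```php
<?php
// Added illustration, not BuddyPress code. Every name below is hypothetical.
const DEMO_SECRET = 'constructed-demo-secret'; // stands in for the site's nonce salt

// Simplified action-scoped nonce: HMAC over the user ID and an action string.
function demo_nonce(int $user_id, string $action): string {
    return substr(hash_hmac('sha256', $user_id . '|' . $action, DEMO_SECRET), 0, 10);
}

function demo_verify(string $nonce, int $user_id, string $action): bool {
    return hash_equals(demo_nonce($user_id, $action), $nonce);
}

// Before: one action string shared by all groups, no check of group status.
function join_before(array $groups, int $user_id, int $group_id, string $nonce): bool {
    return isset($groups[$group_id]) && demo_verify($nonce, $user_id, 'join_group');
}

// After: the group ID is part of the nonce key, and a non-public group
// additionally requires a pending invitation for this user.
function join_after(array $groups, array $invites, int $user_id, int $group_id, string $nonce): bool {
    if (!isset($groups[$group_id])) {
        return false;
    }
    if (!demo_verify($nonce, $user_id, 'join_group_' . $group_id)) {
        return false;
    }
    if ($groups[$group_id]['status'] === 'public') {
        return true;
    }
    return in_array($user_id, $invites[$group_id] ?? [], true);
}

// Constructed sample data: group 1 is public, group 2 is hidden.
$groups  = [1 => ['status' => 'public'], 2 => ['status' => 'hidden']];
$invites = [2 => [42]]; // group ID => user IDs with a pending invitation

$cases = [
    'before: nonce issued for group 1, request names group 2' =>
        join_before($groups, 7, 2, demo_nonce(7, 'join_group')),
    'after: nonce issued for group 1, request names group 2' =>
        join_after($groups, $invites, 7, 2, demo_nonce(7, 'join_group_1')),
    'after: nonce for group 2, user has no invitation' =>
        join_after($groups, $invites, 7, 2, demo_nonce(7, 'join_group_2')),
    'after: nonce for group 2, user 42 has an invitation' =>
        join_after($groups, $invites, 42, 2, demo_nonce(42, 'join_group_2')),
];
foreach ($cases as $label => $allowed) {
    echo $label, ': ', $allowed ? 'allowed' : 'denied', PHP_EOL;
}
```

The third case is why the invitation check is needed alongside the nonce change: a nonce that is valid for the right group proves the request was intended by the user, not that the user is entitled to membership.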