Wordpress Core Ticket #13866 Allows User Impersonation in BuddyPress

[foxly]

SUMMARY

As outlined in ​http://core.trac.wordpress.org/ticket/13866 the WordPress core does not check for duplicate entries in wp_users.display_name

As a result, users can enter any text string they want, including things like "Admin", "System", or an existing user's login or display name in Profile->Edit Profile->Name and it will display across the entire BP installation.

Unfortunately, the "Name" field cannot be disabled in the extended profiles module, and if a value is present in the field, the system uses it by default.

TO REPRODUCE

1) Sign up two new users in BuddyPress.
2) Enter "Admin" in the name field for each user, and click "Save"
3) The system now has two new "Admin" users.

Note that this only gives the attacker the *name* "Admin", it does not give them the same system rights as admin.

The exception is if there is code anywhere in BuddyPress that uses an SQL statement like "SELECT ID FROM " . CUSTOM_USER_TABLE . " WHERE display_name = %s".

I've attached a screen capture illustrating the problem.

TO FIX

1) Don't use display_name
2) or, when writing to display_name ensure the written value does not match the display_name or user_login value for an existing user on the system.

^F

[foxly]

Screen Capture

[r-a-y]

Though I agree with your assessment about spoofing / phishing, I think the current behaviour for "display_name" is the way it is because people can have the same name (eg. John Smith).

This brings up the question of whether display names should be made less prominent on a stock install of BP?

Let's bring up Twitter as an example. Like BP's display_name, anyone can type anything in Twitter's "Name" field, but because it is only used on the profile page, it is less prominent and less susceptible to spoofing.

A current workaround is to use the "BP Usernames Only" plugin. This changes all instances of "display_name" to "user_login".

[boonebgorges]

Display names are prominent in BuddyPress because it's a social networking tool, and in many (most?) potential applications of BuddyPress, it's a good thing to have some flexibility concerning the way that people represent themselves.

In many social networks there will be multiple people who want to use the same display name, and BP core should not prevent this outright. It's easy to write a plugin to enforce this rule, or to reduce the prominence of display names with a plugin like the one suggested by r-a-y.

Another plugin idea is to check display names against a blacklist provided by the admin, something like WordPress core does for blog domains.

Since there is no real vulnerability here (permissions in WP and BP have nothing to do with display_name), and since plugins can easily be developed to do the kind of filtering you're suggesting, I'm closing the ticket.