Skip to:
Content

BuddyPress.org

Opened 14 years ago

Closed 14 years ago

#2445 closed defect (bug) (no action required)

Wordpress Core Ticket #13866 Allows User Impersonation in BuddyPress

Reported by: foxly's profile foxly Owned by:
Milestone: 1.5 Priority: major
Severity: Version:
Component: Extended Profile Keywords: spoof, display_name, impersonation, XProfile
Cc:

Description

SUMMARY

As outlined in http://core.trac.wordpress.org/ticket/13866 the WordPress core does not check for duplicate entries in wp_users.display_name

As a result, users can enter any text string they want, including things like "Admin", "System", or an existing user's login or display name in Profile->Edit Profile->Name and it will display across the entire BP installation.

Unfortunately, the "Name" field cannot be disabled in the extended profiles module, and if a value is present in the field, the system uses it by default.

TO REPRODUCE

1) Sign up two new users in BuddyPress.
2) Enter "Admin" in the name field for each user, and click "Save"
3) The system now has two new "Admin" users.

Note that this only gives the attacker the *name* "Admin", it does not give them the same system rights as admin.

The exception is if there is code anywhere in BuddyPress that uses an SQL statement like "SELECT ID FROM " . CUSTOM_USER_TABLE . " WHERE display_name = %s".

I've attached a screen capture illustrating the problem.

TO FIX

1) Don't use display_name
2) or, when writing to display_name ensure the written value does not match the display_name or user_login value for an existing user on the system.

F

Attachments (1)

display-name.jpg (126.7 KB) - added by foxly 14 years ago.
Screen Capture

Download all attachments as: .zip

Change History (3)

@foxly
14 years ago

Screen Capture

#1 @r-a-y
14 years ago

Though I agree with your assessment about spoofing / phishing, I think the current behaviour for "display_name" is the way it is because people can have the same name (eg. John Smith).

This brings up the question of whether display names should be made less prominent on a stock install of BP?

Let's bring up Twitter as an example. Like BP's display_name, anyone can type anything in Twitter's "Name" field, but because it is only used on the profile page, it is less prominent and less susceptible to spoofing.

A current workaround is to use the "BP Usernames Only" plugin. This changes all instances of "display_name" to "user_login".

#2 @boonebgorges
14 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Display names are prominent in BuddyPress because it's a social networking tool, and in many (most?) potential applications of BuddyPress, it's a good thing to have some flexibility concerning the way that people represent themselves.

In many social networks there will be multiple people who want to use the same display name, and BP core should not prevent this outright. It's easy to write a plugin to enforce this rule, or to reduce the prominence of display names with a plugin like the one suggested by r-a-y.

Another plugin idea is to check display names against a blacklist provided by the admin, something like WordPress core does for blog domains.

Since there is no real vulnerability here (permissions in WP and BP have nothing to do with display_name), and since plugins can easily be developed to do the kind of filtering you're suggesting, I'm closing the ticket.

Note: See TracTickets for help on using tickets.