#2660 closed defect (bug) (fixed)
[patch] Specially crafted signup can bypass activation key on single install
Reported by: | wpmuguru | Owned by: | |
---|---|---|---|
Milestone: | 1.2.6 | Priority: | major |
Severity: | Version: | ||
Component: | Core | Keywords: | has-patch |
Cc: |
Description
If a registration is completed with a unique first or last name (ex. a hash), then that unique name can be used to activate the user account without the activation key (which allows registration to bypass email validation).
Sorry for not having a patch file, I found this while looking at something else.
http://trac.buddypress.org/browser/branches/1.2/bp-core/bp-core-signup.php#L477
$user_id = $wpdb->get_var( $wpdb->prepare( "SELECT user_id FROM $wpdb->usermeta WHERE meta_value = %s", $key ) );
Should be
$user_id = $wpdb->get_var( $wpdb->prepare( "SELECT user_id FROM $wpdb->usermeta WHERE meta_key = 'activation_key' AND meta_value = %s", $key ) );
Attachments (1)
Change History (6)
Note: See
TracTickets for help on using
tickets.
Patch attached for convenience; all props to wpmuguru