Skip to:
Content

BuddyPress.org

Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#2660 closed defect (bug) (fixed)

[patch] Specially crafted signup can bypass activation key on single install

Reported by: wpmuguru's profile wpmuguru Owned by:
Milestone: 1.2.6 Priority: major
Severity: Version:
Component: Core Keywords: has-patch
Cc:

Description

If a registration is completed with a unique first or last name (ex. a hash), then that unique name can be used to activate the user account without the activation key (which allows registration to bypass email validation).

Sorry for not having a patch file, I found this while looking at something else.

http://trac.buddypress.org/browser/branches/1.2/bp-core/bp-core-signup.php#L477

$user_id = $wpdb->get_var( $wpdb->prepare( "SELECT user_id FROM $wpdb->usermeta WHERE meta_value = %s", $key ) );

Should be

$user_id = $wpdb->get_var( $wpdb->prepare( "SELECT user_id FROM $wpdb->usermeta WHERE meta_key = 'activation_key' AND meta_value = %s", $key ) );

Attachments (1)

patch-2660.patch (655 bytes) - added by DJPaul 12 years ago.

Download all attachments as: .zip

Change History (6)

#1 @paulhastings0
12 years ago

  • Summary changed from Specially crafted signup can bypass activation key on single install to [patch] Specially crafted signup can bypass activation key on single install

@DJPaul
12 years ago

#2 @DJPaul
12 years ago

  • Priority changed from normal to major

Patch attached for convenience; all props to wpmuguru

#3 @johnjamesjacoby
12 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [3277]) Fixes #2660 (branch and trunk) props wpmuguru and PaulGibbs

#4 @johnjamesjacoby
12 years ago

(In [3278]) Fixes #2660 (branch and trunk) props wpmuguru and PaulGibbs

#5 @johnjamesjacoby
12 years ago

Hm. Can't commit to both at the same time. Lesson learned.

Note: See TracTickets for help on using tickets.