Skip to:

Opened 13 years ago

Closed 10 years ago

#3545 closed defect (bug) (no action required)

Endliess loop in activity stream from unknown user

Reported by: webby101's profile webby101 Owned by:
Milestone: Priority: normal
Severity: major Version: 1.2.9
Component: Activity Keywords: reporter-feedback


I just had someone post a comment to the ACTIVITY STREAM. They had no username or avatar that I could see. When I clicked the VIEW link it resulted in an endless redirect loop. Bug or intentional hack?

This is the comment, user doesn’t have a username or an avatar –

This is the DB entry. Note that the user_id is “0″. Yet when I check wp_users the lowest user id that I see is my ID… the admin, which is “1″.

This is what appears in the URL bar at the top of the browser… I stopped it, but eventually it crashes and I get a redirect loop message –

Capture of wp_users ordered by lowest to highest value. Note that “0″ doesn’t even appear –

Anyone have any idea what the problem is? I ended up logging in as admin and just clicked the DELETE link next to the comment in the activity stream

Change History (3)

#1 @johnjamesjacoby
13 years ago

  • Keywords reporter-feedback added

First time I've seen anything like it, and it is a bit concerning. I'd do a security sweep of your installation and the plugins you have running to make sure it isn't compromised somehow.

Are you in the position to update to BuddyPress 1.5 Beta 3?

#2 @boonebgorges
13 years ago

  • Milestone changed from Awaiting Review to Future Release

The redirect stuff has to do with the fact that BP is unable to concatenate a URL properly, because it can't find an associated username. That, in itself, is not a hack.

It almost seems as if someone is managing to send a post request to BuddyPress that posts an activity item, without being logged in. I'm at a loss for how that would happen, however. There are two places where the activity posting function is called in BP. One is in the function bp_activity_action_post_update(), which handles non-AJAX posts. The other is in bp_dtheme_post_update(), which is BP's AJAX handler for activity updates. Both are protected against this kind of thing in two ways: 1) they have nonce checks, and 2) they check is_user_logged_in(). Nonce checks might possibly be faked, but I'm not sure how the is_user_logged_in() bit could be, without also having the user_id be passed to the function.

As jjj suggests, I would look through your plugins to see if there are any that do activity posts. Search the contents of your plugin directory for 'bp_activity_post_update' and for 'activity_update'. If you find any instances outside of BuddyPress itself, check them out to see if they are doing the two checks mentioned above.

In the interest of clearing out the Awaiting Review milestone, I'm bumping this to Future Release. If we can get enough details to reproduce, and we discover that it's a BP core problem, we can of course move it to a real milestone.

#3 @boonebgorges
10 years ago

  • Milestone Future Release deleted
  • Resolution set to invalid
  • Status changed from new to closed

Closing due to lack of activity.

Note: See TracTickets for help on using tickets.