Opened 16 years ago
Closed 16 years ago
#454 closed defect (bug) (fixed)
insecure event handling / no nonce
| Reported by: | shawnkhall | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | critical |
| Severity: | | Version: | |
| Component: | | Keywords: | nonce, security |
| Cc: | djpaul@… | | |
Description
Many actions have no security checks in place to ensure it's truly a user-initiated action.
For example, the following URLs, if included as the src for images within a blog entry, could pretty much screw up any BP-enabled site. Assuming the group names and such actually exist (and that's not something difficult to find out).
/groups/groupname/admin/manage-members/ban/4
/groups/groupname/admin/manage-members/unban/4
/groups/groupname/admin/manage-members/promote/4
These are a little more obscure to work with, but not impossible to munge. Instead of making someone (like the admin) "add-friend" you, you can send THEM the invite, and then push an acceptance if you can get them to visit any user-crafted content.
/members/jimmy/friends/requests/accept/16
/members/jimmy/friends/requests/reject/16
Want to make someone accept your group invitation?
/members/jimmy/groups/invites/accept/3
/members/jimmy/groups/invites/reject/3
Of course, that's not really necessary if it's an open group. The following specific addresses are EXTREMELY easy to push. Imagine someone editing a template that gives CSS changes, and using:
p{background:url(exploitpath);}
...with one of these:
/groups/groupname/join
/groups/groupname/leave-group/yes
If you're making them leave, may as well add a "ban", too, and those are preserved even after the account is gone - in case they try to come back. Oh, and be sure to use the same method to "promote" yourself first, just in case they're an administrator or a moderator.
Finally, maybe just dump everything on someone's wire? You'll need several, but that shouldn't be difficult.
/members/jimmy/wire/delete/7
Great catch, adding wp_nonce_url to all actions.
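Added illustration of the fix the comment above describes, applied to the first reported action; this is not the ticket's or BuddyPress's own code, and the group slug, user id, action name `groups_ban_member` and the capability check are assumptions. It shows both halves of the pattern: minting the link with `wp_nonce_url()` and refusing to act unless the nonce verifies.

```php
<?php
// Example only (not BuddyPress code). Assumes WordPress is loaded so that
// home_url(), wp_nonce_url(), wp_verify_nonce(), current_user_can() and
// wp_die() are available. $group_slug and $user_id are hypothetical inputs.

// 1. Template side: the bare URL from the report,
//    /groups/groupname/admin/manage-members/ban/4
//    becomes .../ban/4?_wpnonce=<token>, where the token is bound to the
//    logged-in user and to the action string, and expires.
function example_ban_link( $group_slug, $user_id ) {
    $url = home_url( "/groups/{$group_slug}/admin/manage-members/ban/{$user_id}" );
    // The action string ties the token to this one operation, so a nonce
    // minted for e.g. "join" cannot be replayed against "ban".
    return wp_nonce_url( $url, 'groups_ban_member' );
}

// 2. Handler side: runs before any state change. A hotlinked <img src>
//    or CSS url() in someone else's content cannot supply a valid token,
//    so the request is rejected instead of silently executed.
function example_handle_ban( $group_slug, $user_id ) {
    $nonce = isset( $_GET['_wpnonce'] ) ? (string) $_GET['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'groups_ban_member' ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }
    // A nonce proves intent, not permission: still confirm the caller may
    // administer the group (capability name here is an assumption).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // ... perform the ban of $user_id in $group_slug ...
    return true;
}
```

The same two steps apply to every action listed in the report (join, leave-group, promote, friend and group invite accept/reject, wire delete): generate the link with `wp_nonce_url()` and verify with `wp_verify_nonce()` (or `check_admin_referer()`) before touching state.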