BuddyPress.org

Opened 16 years ago

Closed 16 years ago

#454 closed defect (bug) (fixed)

insecure event handling / no nonce

Reported by: shawnkhall
Owned by:
Milestone:
Priority: critical
Severity:
Version:
Component:
Keywords: nonce, security
Cc: djpaul@…

Description

Many actions have no security checks in place to ensure it's truly a user-initiated action.

For example, the following URLs, if included as the src for images within a blog entry could pretty much screw up any BP-enabled site. Assuming the group names and such actually exist (and that's not something difficult to find out).

/groups/groupname/admin/manage-members/ban/4
/groups/groupname/admin/manage-members/unban/4
/groups/groupname/admin/manage-members/promote/4

These are a little more obscure to work with, but not impossible to munge. Instead of making someone (like the admin) "add-friend" you, you can send THEM the invite, and then push an acceptance if you can get them to visit any user-crafted content.

/members/jimmy/friends/requests/accept/16
/members/jimmy/friends/requests/reject/16

Want to make someone accept your group invitation?

/members/jimmy/groups/invites/accept/3
/members/jimmy/groups/invites/reject/3

Of course, that's not really necessary if it's an open group. The following specific addresses are EXTREMELY easy to push. Imagine someone editing a template that gives CSS changes, and using:

p{background:url(exploitpath);}

...with one of these:

/groups/groupname/join
/groups/groupname/leave-group/yes

If you're making them leave, may as well add a "ban", too, and those are preserved even after the account is gone - in case they try to come back. Oh, and be sure to use the same method to "promote" yourself first, just in case they're an administrator or a moderator.

Finally, maybe just dump everything on someone's wire? You'll need several, but that shouldn't be difficult.

/members/jimmy/wire/delete/7

Change History (3)

#1 @DJPaul
16 years ago

  • Cc djpaul@… added

#2 @apeatling
16 years ago

Great catch, adding wp_nonce_url to all actions.

#3 @apeatling
16 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in r1032
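The report above describes state-changing GET handlers that fire from any image or CSS URL the victim's browser loads, and comment 2 names the fix: wrapping the action links in wp_nonce_url. The PHP below is an added illustration of that before/after, not BuddyPress's own code and not the r1032 changeset; the WordPress functions wp_nonce_url(), wp_verify_nonce() and current_user_can() are real, while everything prefixed bp_example_ is hypothetical.

```php
<?php
// Added illustration, not BuddyPress code. Assumes it runs inside WordPress
// so the nonce API is loaded. bp_example_* names are hypothetical.

// 1. Generate the admin link WITH a nonce. wp_nonce_url() appends
//    ?_wpnonce=<value>, where the value is derived from the action string,
//    the current user, their session token and a time window (up to 24h).
//    A copy of this URL embedded in someone else's <img src> or CSS url()
//    therefore carries a token that will not validate for the victim.
function bp_example_ban_link( $group_slug, $user_id ) {
    $url = "/groups/{$group_slug}/admin/manage-members/ban/{$user_id}";
    return wp_nonce_url( $url, 'bp_example_ban_member_' . $user_id );
}

// 2a. BEFORE: the pattern the ticket reports. The capability check passes
//     because the victim really is a group admin, which is exactly what a
//     forged request relies on. Nothing proves the admin asked for this.
function bp_example_handle_ban_insecure( $group_id, $user_id ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return 'forbidden';
    }
    bp_example_do_ban( $group_id, $user_id ); // hypothetical: performs the ban
    return 'banned';
}

// 2b. AFTER: same handler with the nonce check the fix adds. The action
//     string must match the one used when the link was generated, so a
//     nonce minted for "ban user 4" cannot be replayed as "ban user 5".
function bp_example_handle_ban( $group_id, $user_id ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return 'forbidden';
    }
    $nonce = isset( $_GET['_wpnonce'] ) ? (string) $_GET['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'bp_example_ban_member_' . $user_id ) ) {
        // Missing, expired or foreign nonce: refuse before touching state.
        // A real handler would wp_die() or wp_nonce_ays() here.
        return 'nonce-failed';
    }
    bp_example_do_ban( $group_id, $user_id ); // hypothetical: performs the ban
    return 'banned';
}

// Hypothetical stand-in for the real ban logic.
function bp_example_do_ban( $group_id, $user_id ) {
    return true;
}
```

The same pattern applies to every URL listed in the report (unban, promote, join, leave-group, friend and group invites, wire delete): mint the link with wp_nonce_url() and verify the nonce in the handler before changing anything. Nonces stop the forged-link case but do not replace logging of admin actions, which is what lets a site notice a ban or promotion it did not expect.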
