Opened 15 years ago

Closed 15 years ago

#454 closed defect (bug) (fixed)

insecure event handling / no nonce

Reported by: shawnkhall
Owned by:
Milestone:
Priority: critical
Severity:
Version:
Component:
Keywords: nonce, security
Cc: djpaul@…


Many actions have no security checks in place to ensure it's truly a user-initiated action.

For example, the following URLs, if included as the src for images within a blog entry could pretty much screw up any BP-enabled site. Assuming the group names and such actually exist (and that's not something difficult to find out).


These are a little more obscure to work with, but not impossible to munge. Instead of making someone (like the admin) "add-friend" you, you can send THEM the invite, and then push an acceptance if you can get them to visit any user-crafted content.


Want to make someone accept your group invitation?


Of course, that's not really necessary if it's an open group. The following specific addresses are EXTREMELY easy to push. Imagine someone editing a template that gives CSS changes, and using:


...with one of these:

If you're making them leave, may as well add a "ban", too, and those are preserved even after the account is gone - in case they try to come back. Oh, and be sure to use the same method to "promote" yourself first, just in case they're an administrator or a moderator.

Finally, maybe just dump everything on someone's wire? You'll need several, but that shouldn't be difficult.


Change History (3)

#1 @DJPaul
15 years ago

  • Cc djpaul@… added

#2 @apeatling
15 years ago

Great catch, adding wp_nonce_url to all actions.
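
As an added illustration of the fix this comment describes (example code, not the BuddyPress changeset r1032): a hypothetical group-action handler, first in the unchecked GET form the report describes, then gated with the WordPress nonce API. The function names `bp_example_*`, the `leave-group` action name and the URL layout are assumptions; `wp_nonce_url()`, `wp_verify_nonce()` and `add_query_arg()` are the real WordPress functions.

```php
<?php
// Added example, not BuddyPress code. Handler names and URL shape are assumed.

// Before: any request carrying ?action=leave-group&group_id=N is honoured for
// whoever is logged in, so an <img src="..."> placed in user content makes the
// viewing member perform the action without meaning to (CSRF).
function bp_example_leave_group_unchecked() {
    if ( isset( $_GET['action'] ) && 'leave-group' === $_GET['action'] ) {
        $group_id = absint( $_GET['group_id'] ?? 0 );
        return bp_example_perform_leave( $group_id, get_current_user_id() );
    }
    return false;
}

// After: the only legitimate way to reach the action is a link built with
// wp_nonce_url(), which appends a _wpnonce token bound to the current user,
// session and action name. Content another user posts cannot contain a valid
// token for the viewer, so the forged <img> request is refused.
function bp_example_leave_group_link( $group_id ) {
    $url = add_query_arg(
        array( 'action' => 'leave-group', 'group_id' => (int) $group_id ),
        home_url( '/groups/' )
    );
    return wp_nonce_url( $url, 'groups_leave_group_' . (int) $group_id );
}

function bp_example_leave_group_checked() {
    if ( ! isset( $_GET['action'] ) || 'leave-group' !== $_GET['action'] ) {
        return false;
    }
    $group_id = absint( $_GET['group_id'] ?? 0 );
    $nonce    = isset( $_GET['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) )
        : '';
    // wp_verify_nonce() returns false for a missing, forged, expired or
    // other-user nonce; the action name must match the one used in the link.
    if ( ! wp_verify_nonce( $nonce, 'groups_leave_group_' . $group_id ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }
    return bp_example_perform_leave( $group_id, get_current_user_id() );
}

// Assumed helper standing in for the real membership change; it records the
// decision and returns it so the handlers above have a checkable result.
function bp_example_perform_leave( $group_id, $user_id ) {
    return array( 'group_id' => $group_id, 'user_id' => $user_id, 'left' => true );
}

add_action( 'init', 'bp_example_leave_group_checked' );
```

The same pattern applies to every action the report lists (friend requests, invitations, promotions, bans, wire posts): generate the link with `wp_nonce_url()` and verify with `wp_verify_nonce()` or `check_admin_referer()` before changing state.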

#3 @apeatling
15 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in r1032
