[buddypress-trac] [BuddyPress] #2329: Security problem: Join private/hidden groups by manipulating the URL with nonce

buddypress-trac at lists.automattic.com
Fri Apr 23 00:13:22 UTC 2010


#2329: Security problem: Join private/hidden groups by manipulating the URL with
nonce
----------------------+-----------------------------------------------------
 Reporter:  gottowik  |       Owner:                         
     Type:  defect    |      Status:  new                    
 Priority:  critical  |   Milestone:  1.2.4                  
Component:  Core      |    Keywords:  has-patch needs-testing
----------------------+-----------------------------------------------------

Comment(by boonebgorges):

 Tested, but it doesn't seem to work. Turns out that group joining (as
 opposed to group invitation accepting, which wpmuguru's patch addresses)
 isn't even checked against the nonce. I'll fix that, but I'll post it in
 an enhancement ticket.

 For this fix, it seemed appropriate to check to see if the group being
 joined is not public, and if so to check whether the current user has a
 pending invitation to the group, otherwise to throw an error. Patch
 attached.

-- 
Ticket URL: <http://trac.buddypress.org/ticket/2329#comment:3>
BuddyPress <http://buddypress.org/>
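The two checks the comment describes (a nonce check on the join action, and a server-side invitation check for non-public groups) modelled as an added Python illustration; this is not BuddyPress's PHP code. The group table, the pending-invite set and the HMAC nonce standing in for WordPress's nonce are constructed assumptions.

```python
import hashlib
import hmac

# Constructed stand-ins for the group store and the invitation table.
# Group statuses follow BuddyPress: "public", "private", "hidden".
GROUPS = {1: "public", 2: "private", 3: "hidden"}
PENDING_INVITES = {(42, 2)}   # (user_id, group_id) pairs with an open invite
MEMBERS = set()

# Constructed secret; stands in for the server-side nonce key.
SECRET = b"constructed-demo-secret"


def make_nonce(user_id: int, action: str) -> str:
    """Nonce bound to user and action, like a WordPress action nonce."""
    msg = f"{user_id}:{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:12]


def verify_nonce(nonce: str, user_id: int, action: str) -> bool:
    expected = make_nonce(user_id, action)
    return hmac.compare_digest(nonce.encode(), expected.encode())


def join_group(user_id: int, group_id: int, nonce: str) -> tuple[bool, str]:
    """Server-side join decision; returns (allowed, reason)."""
    # Check 1: the nonce the report found was never verified for joins.
    if not verify_nonce(nonce, user_id, f"groups_join_group_{group_id}"):
        return False, "nonce verification failed"
    status = GROUPS.get(group_id)
    if status is None:
        return False, "no such group"
    # Check 2: a valid nonce alone must not let a user into a private or
    # hidden group; the join is authorized only by a pending invitation.
    if status != "public" and (user_id, group_id) not in PENDING_INVITES:
        return False, "non-public group requires a pending invitation"
    MEMBERS.add((user_id, group_id))
    PENDING_INVITES.discard((user_id, group_id))
    return True, "joined"


if __name__ == "__main__":
    for uid, gid in [(42, 1), (42, 2), (43, 2), (43, 3)]:
        print(uid, gid, join_group(uid, gid, make_nonce(uid, f"groups_join_group_{gid}")))
```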