[buddypress-trac] [BuddyPress] #2445: WordPress Core Ticket #13866 Allows User Impersonation in BuddyPress
buddypress-trac at lists.automattic.com
Wed Jun 16 02:25:40 UTC 2010
#2445: WordPress Core Ticket #13866 Allows User Impersonation in BuddyPress
----------------------+-----------------------------------------------------
Reporter: foxly | Owner:
Type: defect | Status: new
Priority: major | Milestone: 1.3
Component: XProfile | Keywords: spoof, display_name, impersonation, XProfile
----------------------+-----------------------------------------------------
SUMMARY
As outlined in http://core.trac.wordpress.org/ticket/13866, the WordPress
core does not check for duplicate entries in wp_users.display_name.
As a result, users can enter any text string they want, including things
like "Admin", "System", or an existing user's login or display name in
Profile->Edit Profile->Name and it will display across the entire BP
installation.
Unfortunately, the "Name" field cannot be disabled in the extended
profiles module, and if a value is present in the field, the system uses
it by default.
TO REPRODUCE
1) Sign up two new users in BuddyPress.
2) Enter "Admin" in the name field for each user, and click "Save".
3) The system now has two new "Admin" users.
Note that this only gives the attacker the *name* "Admin", it does not
give them the same system rights as admin.
The exception is if there is code anywhere in BuddyPress that uses an SQL
statement like "SELECT ID FROM " . CUSTOM_USER_TABLE . " WHERE
display_name = %s".
I've attached a screen capture illustrating the problem.
TO FIX
1) Don't use display_name
2) or, when writing to display_name ensure the written value does not
match the display_name or user_login value for an existing user on the
system.
--
Ticket URL: <http://trac.buddypress.org/ticket/2445>
BuddyPress <http://buddypress.org/>
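The reproduction steps and fix (2) from the ticket, as an added example that is not part of the original ticket, of BuddyPress or of WordPress core: a Python stand-in for wp_users in an in-memory SQLite database. The table shape (only ID, user_login and display_name), the seed users and the function names are constructed for this illustration; the case-insensitive comparison is an assumption about how the check should behave, chosen to match what a MySQL *_ci collation would do on the real table. The example also shows why the "SELECT ID FROM ... WHERE display_name = %s" pattern mentioned above is dangerous once duplicates exist.

```python
import sqlite3

# Constructed stand-in for the wp_users table: only the columns this ticket
# touches, seeded with a real "admin" account and two ordinary users.
SCHEMA = """
CREATE TABLE wp_users (
    ID           INTEGER PRIMARY KEY,
    user_login   TEXT NOT NULL UNIQUE,
    display_name TEXT NOT NULL
);
"""
SEED_USERS = [
    (1, "admin", "Admin"),
    (2, "alice", "Alice"),
    (3, "bob",   "Bob"),
]


def open_db():
    """In-memory database holding the constructed wp_users rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SEED_USERS)
    conn.commit()
    return conn


def set_display_name_unchecked(conn, user_id, name):
    """The behaviour the ticket reports: display_name is written as given,
    with no check against any other user's name."""
    conn.execute("UPDATE wp_users SET display_name = ? WHERE ID = ?", (name, user_id))
    conn.commit()


def ids_with_display_name(conn, name):
    """The query shape the ticket warns about (SELECT ID ... WHERE display_name = %s).
    Returned as a list so that a collision shows up as more than one ID."""
    rows = conn.execute("SELECT ID FROM wp_users WHERE display_name = ? ORDER BY ID", (name,))
    return [row[0] for row in rows]


def display_name_collides(conn, user_id, name):
    """Fix (2) from the ticket: True if NAME equals another user's display_name
    or user_login. Case-insensitive by assumption (see lead-in); the user's own
    row is excluded so re-saving an unchanged name is allowed."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM wp_users "
        "WHERE ID != ? AND (lower(display_name) = lower(?) OR lower(user_login) = lower(?))",
        (user_id, name, name),
    ).fetchone()
    return count > 0


def set_display_name_checked(conn, user_id, name):
    """Write display_name only if it is non-empty and does not collide.
    Returns True on success, False if the write was refused."""
    name = name.strip()  # otherwise "Admin " would slip past an exact-match check
    if not name or display_name_collides(conn, user_id, name):
        return False
    conn.execute("UPDATE wp_users SET display_name = ? WHERE ID = ?", (name, user_id))
    conn.commit()
    return True


def reproduce_ticket():
    """Steps 1-3 from TO REPRODUCE against the unchecked writer: two ordinary
    users both become "Admin", so a display_name lookup now returns three IDs."""
    conn = open_db()
    set_display_name_unchecked(conn, 2, "Admin")
    set_display_name_unchecked(conn, 3, "Admin")
    return ids_with_display_name(conn, "Admin")  # [1, 2, 3]


def apply_fix():
    """The same steps against the checked writer: every spoof attempt is refused,
    a genuinely new name is accepted, and only the real admin keeps "Admin"."""
    conn = open_db()
    refused = [
        set_display_name_checked(conn, 2, "Admin"),   # another user's display_name
        set_display_name_checked(conn, 3, "ADMIN "),  # case / whitespace variant
        set_display_name_checked(conn, 3, "alice"),   # another user's user_login
    ]
    allowed = set_display_name_checked(conn, 3, "Bob Jones")
    return {"refused": refused, "allowed": allowed,
            "admin_ids": ids_with_display_name(conn, "Admin")}


if __name__ == "__main__":
    print("unchecked:", reproduce_ticket())
    print("checked:  ", apply_fix())
```

Two caveats a practitioner would add to fix (2): the check-then-update is a race unless it runs inside one transaction (two concurrent saves of "Admin" could both pass the SELECT), and it does nothing about duplicates that already exist in the table, so any code that looks users up by display_name still needs fix (1) or an ID-based lookup.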