[buddypress-trac] [BuddyPress Trac] #6504: Messages viewable to any logged out visitor
buddypress-trac
noreply at wordpress.org
Mon Jun 15 13:05:57 UTC 2015
#6504: Messages viewable to any logged out visitor
-----------------------------------+--------------------
Reporter: CodeMonkeyBanana | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 2.3.2
Component: Component - Messaging | Version:
Severity: blocker | Resolution:
Keywords: has-patch |
-----------------------------------+--------------------
Changes (by boonebgorges):
* severity: major => blocker
* milestone: Awaiting Review => 2.3.2
Comment:
> In the future, let's treat issues like this as security issues.
+1. In the future, please send reports of this nature to
security at wordpress.org.
Replying to [comment:6 sbrajesh]:
> To be honest, there is a loophole. Won't be posting anything here though.
Confirmed. There is a way to spoof the user ID even when logged in, though
it's very much not obvious. We need a couple different kinds of hardening
here.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6504#comment:11>
BuddyPress Trac <http://buddypress.org/>