
!Security Risk! – forum posts are “promiscuous.” Even private posts are not private.

Viewing 14 replies - 1 through 14 (of 14 total)
Hugo (Moderator) @hnla

    This is similar to an issue I found and have an open ‘Critical’ ticket on.

If you go to your account and then Activity > Friends, you are able to view updates/comments made by a friend who is a member of a hidden group of which you are not. What is worse is that not only can you read content posted to a group that you should not be able to read, but you can also use ‘reply’ to add a comment that will then appear in the hidden group.

I’m afraid that, for me, hidden groups are no such thing and represent a real issue if people use them believing them to be hidden and private in nature.

To date I have had little response on this; the ticket is still open, and but for the very kind help of Boone, who helped, or rather provided an interim hack to hide the activity altogether, there feels as though there is not a huge deal of concern over an issue of this nature. When Andy dropped into the forum thread I raised on the issue, it was simply to tick me off for incorrectly referring to hidden groups as ‘private hidden’. Sorry Andy, I just thought it may have merited a little more concern than nomenclature issues :-)

3sixty (Participant) @3sixty

    “you are able to view updates/comments made by a friend who is a member of a hidden group … not only can you read content made to a group that you should not be able to read but you can also use the ‘reply’ to add a comment”

ACK! Are you serious? What is the Trac #?

Hugo (Moderator) @hnla

3sixty (Participant) @3sixty

OK, that Trac ticket looks well cared-for. However, I agree that one should be a 1.2.4 milestone item rather than 1.3… hidden and private groups really should not be used without that fix. Will it be moved up to 1.2.4?

Hugo (Moderator) @hnla

Well cared for? Yes, I guess it was, but I’m still concerned that it generated no other interest. Or was that simply that the milestone was set too far in the future?

No, hidden groups shouldn’t be used, period, until such time as this issue is correctly dealt with. Hacks worry me when used to cure this sort of problem; however, given that Boone looked into this, I’m pretty happy the fix is a fairly safe short-term fix.

As you spotted, I questioned whether or not the milestone should have been moved up to 1.2.4, but it was a question left unanswered. I placed it in 1.3 as I wasn’t sure where it ought to have been placed, but asked the question upon creation and notification in the original forum thread.

3sixty (Participant) @3sixty

    woop! updates:

1. I changed the milestone for your bug report to 1.2.3 and added a link back to this thread so the rationale can be seen.
2. JJJ has patched the ‘promiscuous’ bug already!!!! I have not had a free moment to test yet: http://trac.buddypress.org/attachment/ticket/2343/forum_id_check.patch

Hugo (Moderator) @hnla

Wow :o thanks 3sixty for moving it up; maybe I was being too respectful and should have changed it myself :)

And thanks JJJ for the quick patch to #2343. Can you also look at #2293 if you’re not already?

John James Jacoby (Keymaster) @johnjamesjacoby

    All over it. :)

Miko (Participant) @mikosoft

I am having the same issue… I’m not a super techie, so can someone clarify whether there is some way around this now? I am using 1.2.8 and WP 3.1.

    Members are able to comment on so-called private forums. They appear in the normal flow of posts, but a further glitch: when you click their name you don’t go to their profile, you get redirected to the site homepage.

Paul Gibbs (Keymaster) @djpaul

Not aware of any current issues regarding this. We have fixed a situation where a private group’s member could favourite an item, which any other site member could then view by going to the group member’s profile and viewing their favourites. This is going to become BuddyPress 1.2.9 this weekend.

If you think you’ve found an issue, please consider any conflicts with other plugins (or any theme other than BP-Default) and give clear instructions on how to recreate it.

Hugo (Moderator) @hnla

This was an issue, but it was attended to with a workaround by Boone with a little help from me (well, I discovered it :) ). It predates the favourite issue and shouldn’t be apparent, but it’s a while since I looked.

peeld (Participant) @peeld

I am using BP 1.5.1 and am having this exact issue. Is it still an issue, or am I missing something? Private groups still populate the ‘my friends’ activity feed: non-members can see the activity of their ‘friends’ in private groups in the activity feed. I’ve disabled the ‘all members’ tab in the activity feed because of this issue, so I can’t currently comment on whether private groups are showing up in the ‘all members’ filter.

    THANKS! I’m running a paid membership site so this is a biggie :(
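The leak Hugo describes in the first reply (a friend’s activity from a hidden group shown, and replyable, to a non-member) and peeld reports again on 1.5.1 comes down to one missing check: the friends feed selects items by friendship and never asks whether the viewer is allowed to see the group an item belongs to. The following is an added illustration written for this page; it is not BuddyPress code and not the patch attached to #2343. Groups, memberships and activity items are constructed PHP arrays, and the function names (`friends_feed_vulnerable`, `friends_feed_fixed`, `can_view_item`, `can_reply`) are invented for the example. It shows the unchecked feed beside a version that filters by group visibility, and applies the same check on the reply path.

```php
<?php
// Added illustration, not BuddyPress code: a minimal model of an activity
// stream where each item records the group it was posted in.
// All data below is constructed sample data for the example.

const GROUP_PUBLIC  = 'public';
const GROUP_PRIVATE = 'private';
const GROUP_HIDDEN  = 'hidden';

// Constructed groups: id => visibility.
$groups = [
    10 => GROUP_PUBLIC,
    20 => GROUP_PRIVATE,
    30 => GROUP_HIDDEN,
];

// Constructed memberships: user id => group ids the user belongs to.
$memberships = [
    1 => [10, 20, 30],   // the friend, member of all three groups
    2 => [10],           // the viewer, member of the public group only
];

// Constructed activity from user 1, as a friends feed would select it
// before any visibility check is applied.
$activity = [
    ['id' => 100, 'user_id' => 1, 'group_id' => 10,   'content' => 'public update'],
    ['id' => 101, 'user_id' => 1, 'group_id' => 20,   'content' => 'private group post'],
    ['id' => 102, 'user_id' => 1, 'group_id' => 30,   'content' => 'hidden group post'],
    ['id' => 103, 'user_id' => 1, 'group_id' => null, 'content' => 'profile status'],
];

function is_member(array $memberships, int $user_id, int $group_id): bool
{
    return in_array($group_id, $memberships[$user_id] ?? [], true);
}

// Unchecked behaviour as described in the thread: the feed is selected by
// friendship alone, so every item the friend produced is returned.
function friends_feed_vulnerable(array $activity, array $friend_ids): array
{
    return array_values(array_filter(
        $activity,
        fn($item) => in_array($item['user_id'], $friend_ids, true)
    ));
}

// Hardened rule: an item that belongs to a non-public group is visible only
// to members of that group, regardless of how the item was selected.
function can_view_item(array $item, int $viewer_id, array $groups, array $memberships): bool
{
    $gid = $item['group_id'];
    if ($gid === null) {
        return true;                       // not group activity
    }
    if (!isset($groups[$gid])) {
        return false;                      // unknown group: fail closed
    }
    if ($groups[$gid] === GROUP_PUBLIC) {
        return true;
    }
    return is_member($memberships, $viewer_id, $gid);
}

// Same selection as the unchecked feed, then the visibility rule per item.
function friends_feed_fixed(array $activity, array $friend_ids, int $viewer_id,
                            array $groups, array $memberships): array
{
    return array_values(array_filter(
        friends_feed_vulnerable($activity, $friend_ids),
        fn($item) => can_view_item($item, $viewer_id, $groups, $memberships)
    ));
}

// The reply path needs the same check: a comment inherits the parent's
// group, so "may this user see the parent?" also gates the write side.
function can_reply(array $parent, int $user_id, array $groups, array $memberships): bool
{
    return can_view_item($parent, $user_id, $groups, $memberships);
}

$viewer  = 2;
$friends = [1];

printf("unchecked feed: %d items\n", count(friends_feed_vulnerable($activity, $friends)));

$fixed = friends_feed_fixed($activity, $friends, $viewer, $groups, $memberships);
printf("filtered feed: %s\n", implode(', ', array_column($fixed, 'content')));

$hidden_post = $activity[2];
printf("viewer may reply to hidden-group post: %s\n",
    can_reply($hidden_post, $viewer, $groups, $memberships) ? 'yes' : 'no');
printf("member may reply to hidden-group post: %s\n",
    can_reply($hidden_post, 1, $groups, $memberships) ? 'yes' : 'no');
```

Run it with `php` on the command line. With the constructed data the unchecked feed returns all four of user 1’s items, the filtered feed keeps only the public-group update and the profile status, and `can_reply` refuses the viewer’s comment on the hidden-group item while allowing the member’s. In a real install the check belongs at every path that reads activity items (feeds, profile pages, favourites, RSS) and at every path that writes comments; Paul Gibbs’s favourites case later in the thread is the same item reached through a second read path.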

peeld (Participant) @peeld

BTW, I tried to PM Boone Gorges about this, and I can’t post any updates here at buddypress.org for some reason…

midsummermagic1111 (Member) @mandyostermeier

    Same issue. Can see hidden group activity on profile pages… Aye!
