!Security Risk! – forum posts are “promiscuous.” Even private posts are not private.
Just posted here:
Forum posts are “promiscuous” and can masquerade as belonging to other forums – even if it is a private forum (probably also a problem with hidden forums).
Here is a working example from testbp.org. Start with this private topic that you do not have rights to view:
Now, replace the group name with any other existing group name, such as /baseball/, and you will see the private topic:
This example shows how an unauthorized user can have access to private posts they should not be seeing.
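As an added illustration (not code from the post or from the forum software), this models the access decision the post describes: the vulnerable check trusts whichever group name appears in the URL, while the corrected check first resolves the topic's real owning group and rejects a URL that names any other group. The groups, users and topic here are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    slug: str
    private: bool
    members: frozenset

@dataclass(frozen=True)
class Topic:
    topic_id: int
    group_slug: str  # the group whose forum actually owns this topic

# Constructed sample data: one private group and one public group.
GROUPS = {
    "secret-club": Group("secret-club", True, frozenset({"alice"})),
    "baseball": Group("baseball", False, frozenset({"alice", "bob"})),
}
TOPICS = {42: Topic(42, "secret-club")}  # topic 42 belongs to the private group


def can_view_vulnerable(user, url_group_slug, topic_id):
    """Decides purely from the group named in the URL (the bug the post describes).

    Because the topic's own parent group is never consulted, requesting the
    topic under a public group's path lets the public group's policy apply.
    """
    group = GROUPS.get(url_group_slug)
    topic = TOPICS.get(topic_id)
    if group is None or topic is None:
        return False
    return (not group.private) or (user in group.members)


def can_view_fixed(user, url_group_slug, topic_id):
    """Resolves the topic's real owning group and refuses mismatched URLs."""
    topic = TOPICS.get(topic_id)
    if topic is None:
        return False
    # The group in the URL must be the group that actually owns the topic.
    if topic.group_slug != url_group_slug:
        return False
    group = GROUPS[topic.group_slug]
    return (not group.private) or (user in group.members)
```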