Security Problem – UserPro Forums
https://forum.userproplugin.com/forums/topic/security-problem/feed/
Feed generated Mon, 13 May 2024 16:11:15 +0000 (generator: https://bbpress.org/?v=2.6.2, en-US)

Security Problem
https://forum.userproplugin.com/forums/topic/security-problem/#post-27629
Thu, 13 Mar 2014 15:37:26 +0000, Dario Lo Giudice:

If you do <a href="#" class="userpro-button secondary userpro-follow notfollowing" data-follow-text="Follow" data-unfollow-text="Unfollow" data-following-text="Following" data-follow-to="1" data-follow-from="119">
data-follow-from
editing your id and pressing Follow

You can add a follower to anyone!
Reply To: Security Problem
https://forum.userproplugin.com/forums/topic/security-problem/#post-27638
Thu, 13 Mar 2014 16:41:17 +0000, andy999:

Really great catch!

Just tested this out and I can indeed ‘fake’ a ‘follow’ from one user to another.

This should really be processed with an ajax nonce or something?
Reply To: Security Problem
https://forum.userproplugin.com/forums/topic/security-problem/#post-27680
Thu, 13 Mar 2014 22:14:41 +0000, admin:

But this is only processed via ajax. How would you edit the html?
Reply To: Security Problem
https://forum.userproplugin.com/forums/topic/security-problem/#post-27693
Thu, 13 Mar 2014 22:48:35 +0000, andy999:

You can edit in the html to change, for example, this:-

To this

Then the user with the ID of 2 will be following that user instead of the current logged in user.

Is data-follow-from set by using something like get_current_user_id?

Of course to exploit this someone needs to know the user ID of the people they want to make follow them, but it’s still possible.
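The thread above describes the root cause: the follower's identity (data-follow-from) is read back from the client, so the server acts on whatever id the browser sends. The following is an added example, not UserPro's code, of a WordPress AJAX follow handler written the weak way beside a hardened version; the function names, the 'userpro_follow' action name, the 'nonce' request field and the 'example_followers' user-meta key are assumptions made for this illustration, while check_ajax_referer, get_current_user_id, wp_create_nonce and the other calls are standard WordPress APIs.

```php
<?php
// Added example (not UserPro's code). Function names, the 'userpro_follow'
// action, the 'nonce' field and the 'example_followers' meta key are assumed.

// WEAK: the follower id comes from the request. Any logged-in user can submit
// a different id and record a follow on someone else's behalf, which is the
// behaviour reported in the thread.
function example_follow_weak() {
    $from = absint( $_POST['follow_from'] ); // client-controlled, never trust
    $to   = absint( $_POST['follow_to'] );
    example_add_follower( $to, $from );
    wp_send_json_success();
}

// HARDENED: the follower is always the authenticated user, the request must
// carry a nonce for this action, and the target must be a real, other user.
function example_follow_hardened() {
    // Dies with -1 when the nonce is missing or invalid for this session.
    check_ajax_referer( 'userpro_follow', 'nonce' );

    $from = get_current_user_id(); // derived server-side, not from the request
    if ( 0 === $from ) {
        wp_send_json_error( 'login required', 403 );
    }

    $to = isset( $_POST['follow_to'] ) ? absint( $_POST['follow_to'] ) : 0;
    if ( 0 === $to || $to === $from || false === get_userdata( $to ) ) {
        wp_send_json_error( 'invalid target', 400 );
    }

    example_add_follower( $to, $from );
    wp_send_json_success( array( 'following' => $to ) );
}

// Assumed storage: follower ids kept as an array in the followed user's meta.
function example_add_follower( $to, $from ) {
    $followers = get_user_meta( $to, 'example_followers', true );
    if ( ! is_array( $followers ) ) {
        $followers = array();
    }
    if ( ! in_array( $from, $followers, true ) ) {
        $followers[] = $from;
        update_user_meta( $to, 'example_followers', $followers );
    }
}

// Markup helper: the button carries only the target id and a nonce. There is
// no data-follow-from attribute for the client to edit.
function example_follow_button( $to ) {
    return sprintf(
        '<a href="#" class="userpro-button secondary userpro-follow" data-follow-to="%d" data-nonce="%s">Follow</a>',
        absint( $to ),
        esc_attr( wp_create_nonce( 'userpro_follow' ) )
    );
}

// Register only the hardened handler (the client posts action=userpro_follow).
add_action( 'wp_ajax_userpro_follow', 'example_follow_hardened' );
```

The nonce alone would not close this hole: a logged-in user already holds a valid nonce for their own session and could still change data-follow-from before the request is sent. The nonce defends against cross-site request forgery; the fix for the reported problem is that the follower id is taken from get_current_user_id() on the server and the client-supplied value is ignored entirely.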
Reply To: Security Problem
https://forum.userproplugin.com/forums/topic/security-problem/#post-27695
Thu, 13 Mar 2014 22:55:27 +0000, Dario Lo Giudice:

I’ve solved it, and I’m sending you a solution
Reply To: Security Problem
https://forum.userproplugin.com/forums/topic/security-problem/#post-27760
Fri, 14 Mar 2014 11:42:39 +0000, admin:

Ok thanks Dario, I am eager to see it. 🙂