Big security issue ...

Virgile Bedin
Home / MB User Profile / Big security issue …

Custom Fields
Re-Envisioned Support MB User Profile Big security issue ...

  • Creator
    Topic
  • April 13, 2019 at 4:53 AM #14148
    Resolved Virgile Bedin
    Participant

    Hello,
    I use mb user profile on one of my site, which is supposed to be a front end form for user profile editing, "front end" , meaning "wild and dangerous" ...
    and discovered that you do not verify if the current user submitting the form has the same id as in your hidden input 'user_id'.
    So if you simply change the value of hidden input name rwmb_form_config[user_id] with any other id, it saves the meta values on this other user id without a blink ... that is a big big one! you should not at all send this user_id and use it to save the form... i could change the password of another user just by changing user_id to his id...

    i am very found of your plugins and use them since many years, but i must say, you need to improve your security measures on the front end ones...

  • Creator
    Topic
Viewing 4 replies - 1 through 4 (of 4 total)
  • Author
    Replies
  • April 13, 2019 at 8:18 AM #14149
    Anh Tran
    Keymaster

    Hi Virgile, thanks a lot for your feedback. I'll check and fix the plugin asap!

    To be honest, security is not my strength and I'm still improving it. Thanks for your help!

    April 13, 2019 at 7:18 PM #14156
    Virgile Bedin
    Participant

    security is hard to guarantee, specially on wordpress's front end... the main rule to have in mind would be "never trust data coming from the front end".

    about, resolving the issue, do you think that if i compare $config['user_id'] with wp_get_current_user() ' s ID inside your "rwmb_profile_validate" filter and return false if they don't match would do the trick ?

    April 17, 2019 at 5:36 PM #14189
    Anh Tran
    Keymaster

    Fixed in the version 1.3.0. I see that we don't need the user_id parameter at all, since the form is only for the current user.

    August 29, 2019 at 5:55 PM #15912
    Anh Tran
    Keymaster

    FYI: the latest version brings back this parameter to the shortcode while not revealing it in the HTML.

  • Author
    Replies
Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.