Support MB User Profile Big security issue …

This topic contains 4 replies, has 2 voices, and was last updated by  Anh Tran 2 months, 3 weeks ago.

  • Creator
    Topic
  • #14148
    Resolved
    Virgile Bedin
    Participant

    Hello,
    I use MB User Profile on one of my sites, which is supposed to be a front-end form for user profile editing, “front end” meaning “wild and dangerous” …
    and discovered that you do not verify if the current user submitting the form has the same ID as in your hidden input ‘user_id’.
    So if you simply change the value of the hidden input named rwmb_form_config[user_id] to any other ID, it saves the meta values on this other user ID without a blink … that is a big big one! You should not send this user_id at all and use it to save the form… I could change the password of another user just by changing user_id to his ID…

    I am very fond of your plugins and have used them for many years, but I must say, you need to improve your security measures on the front-end ones…

Viewing 4 replies - 1 through 4 (of 4 total)
  • Author
    Replies
  • #14149

    Anh Tran
    Keymaster

    Hi Virgile, thanks a lot for your feedback. I’ll check and fix the plugin asap!

    To be honest, security is not my strength and I’m still improving it. Thanks for your help!

    #14156

    Virgile Bedin
    Participant

    Security is hard to guarantee, especially on WordPress’s front end… the main rule to have in mind would be “never trust data coming from the front end”.

    About resolving the issue: do you think that if I compare $config['user_id'] with wp_get_current_user()'s ID inside your “rwmb_profile_validate” filter and return false if they don’t match, that would do the trick?

    #14189

    Anh Tran
    Keymaster

    Fixed in version 1.3.0. I see that we don’t need the user_id parameter at all, since the form is only for the current user.

    #15912

    Anh Tran
    Keymaster

    FYI: the latest version brings back this parameter to the shortcode while not revealing it in the HTML.
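
The server-side check this thread is about, as an added example that is not part of the original posts and is not the plugin's code: a front-end profile handler that takes the user to edit from the authenticated session and treats any posted ID as a request to be authorised. The action name, nonce name, `target_user_id` field and `example_*` meta keys are assumptions made for illustration; the WordPress functions called are core APIs.

```php
<?php
// Added example: hypothetical front-end profile handler for WordPress.
// Action, nonce, field and meta key names are assumptions for illustration.
add_action( 'admin_post_example_save_profile', 'example_save_profile' );

function example_save_profile() {
    // Identity comes from the authenticated session, never from the form.
    $current_id = get_current_user_id();
    if ( 0 === $current_id ) {
        wp_die( 'You must be logged in.', 'Forbidden', array( 'response' => 403 ) );
    }

    // Reject requests that were not produced by our own form (CSRF).
    check_admin_referer( 'example_save_profile', 'example_profile_nonce' );

    // Pattern the thread describes, for contrast only: a handler that reads
    // the target ID from a posted hidden field and writes to it unchecked.

    // Default: the form edits the logged-in user and ignores any posted ID.
    $target_id = $current_id;

    // If editing another user is a supported feature, the posted ID is only
    // a request; authorise it against the caller's capabilities.
    if ( isset( $_POST['target_user_id'] ) ) {
        $requested = absint( wp_unslash( $_POST['target_user_id'] ) );
        $is_self   = ( $requested === $current_id );
        $may_edit  = ( $requested > 0 && current_user_can( 'edit_user', $requested ) );
        if ( ! $is_self && ! $may_edit ) {
            wp_die( 'You cannot edit this user.', 'Forbidden', array( 'response' => 403 ) );
        }
        $target_id = $requested;
    }

    // Allow-list of meta keys so the form cannot write arbitrary user meta.
    $allowed_keys = array( 'example_phone', 'example_city' );
    foreach ( $allowed_keys as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            $value = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
            update_user_meta( $target_id, $key, $value );
        }
    }

    // Send the user back to the form page (falls back to the home page).
    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : home_url( '/' ) );
    exit;
}
```

The nonce only proves the request came from the site's own form; it is the session-derived ID and the `edit_user` capability check that stop one user from writing to another user's profile.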
