Download & Extend
Profile Pages » Issues

Security hole allows users to view private information

Posted by wpd on January 9, 2006 at 12:59am
Project:Profile Pages
Version:5.x-1.x-dev
Component:Code
Category:bug report
Priority:critical
Assigned:jrbeeman
Status:closed (fixed)

Issue Summary

There are two security holes in this module.

  • The module does not respect the access control rules for view profiles.
  • The CVS version does not respect the permissions of the profile fields. Fields marked as private can be viewed by anyone including anonymous users. The module should only show profile fields with profile_fields.visibility = 3.
Login or register to post comments

Comments

#1

Posted by The Webmaster Centre on February 7, 2006 at 11:54pm

Is anyone planning to fix this?

#2

Posted by jrbeeman on October 22, 2007 at 10:39pm
Version:master» 5.x-1.x-dev
Assigned to:Anonymous» jrbeeman
Status:active» fixed

Fixed in 5.x-dev branch.

#3

Posted by jrbeeman on October 22, 2007 at 10:43pm
Status:fixed» closed (fixed)