Security hole allows users to view private information

wpd - January 9, 2006 - 00:59

Project:	Profile Pages
Version:	5.x-1.x-dev
Component:	Code
Category:	bug report
Priority:	critical
Assigned:	jrbeeman
Status:	closed

Jump to:

Most recent comment

There are two security holes in this module.

The module does not respect the access control rules for view profiles.
The CVS version does not respect the permissions of the profile fields. Fields marked as private can be viewed by anyone including anonymous users. The module should only show profile fields with profile_fields.visibility = 3.

» Login or register to post comments

#1

UnderDesign - February 7, 2006 - 23:54

Is anyone planning to fix this?

Login or register to post comments

#2

jrbeeman - October 22, 2007 - 22:39

Version:	HEAD	» 5.x-1.x-dev
Assigned to:	Anonymous	» jrbeeman
Status:	active	» fixed

Fixed in 5.x-dev branch.

Login or register to post comments

#3

jrbeeman - October 22, 2007 - 22:43

Status:

fixed

» closed

Login or register to post comments

Drupal is a registered trademark of Dries Buytaert.