If you click on the quotes feed icon of a certain user, say quotes/1/feed, you automatically get access to the account of that user, i.e. the admin.

The problem is here:

function _quotes_feed_user($uid) {
  global $user;

  // BUG: the account loaded for the requested $uid is assigned to the GLOBAL $user,
  // which Drupal treats as the current visitor's identity for the rest of the request.
  $user = ($uid ? user_load(array('uid' => $uid, 'status' => 1)) : $user);
  // Everything below (and any later code in the request) now runs as that user.
  $result = db_query_range(db_rewrite_sql("SELECT n.nid, nr.title, nr.teaser, n.created, u.name, u.uid FROM {node} n INNER JOIN {node_revisions} nr ON nr.vid = n.vid INNER JOIN {users} u ON u.uid = n.uid WHERE n.status = 1 AND n.type = 'quotes' AND u.uid = %d ORDER BY n.created DESC"), $user->uid, 0, 15);
  node_feed($result, array('title' => t("%name's quotes", array('%name' => ($user->uid ? $user->name : variable_get('anonymous', t('Anonymous'))))), 'link' => url("quotes/$user->uid", NULL, NULL, TRUE)));
}

Basically the admin user data is loaded into the anonymous user variable and after that everything is open. Very bad.
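The identity swap described above, as an added stand-alone demonstration (not the quotes module's code and not from this thread): Drupal's user_load() is replaced by a constructed stub, and the vulnerable pattern is shown next to a hardened version that keeps the loaded account in a local variable instead of the global $user.

```php
<?php
// Constructed stand-in for Drupal 4.7's user_load(): returns an account object
// for a known uid, as the real function does for a request like quotes/1/feed.
function user_load($criteria) {
  $accounts = array(1 => (object) array('uid' => 1, 'name' => 'admin'));
  return isset($accounts[$criteria['uid']]) ? $accounts[$criteria['uid']] : FALSE;
}

// Vulnerable pattern from the report: the loaded account is written to the
// GLOBAL $user, which is the current visitor's session identity in Drupal.
function quotes_feed_vulnerable($uid) {
  global $user;
  $user = ($uid ? user_load(array('uid' => $uid, 'status' => 1)) : $user);
  return $user->uid;  // feed owner, as the original code used it
}

// Hardened pattern (an assumption of this example, not the module's fix):
// the requested account lives in a LOCAL variable; global $user is only read.
function quotes_feed_fixed($uid) {
  global $user;
  $account = ($uid ? user_load(array('uid' => $uid, 'status' => 1)) : $user);
  return $account->uid;
}

// Simulated anonymous visitor (uid 0), as Drupal sets up a session without a login.
$user = (object) array('uid' => 0, 'name' => '');

quotes_feed_fixed(1);
// The global still describes the anonymous visitor after the hardened handler.
printf("after fixed handler:      visitor uid = %d\n", $user->uid);

quotes_feed_vulnerable(1);
// The global now holds the account loaded for uid 1: the visitor has become admin.
printf("after vulnerable handler: visitor uid = %d (%s)\n", $user->uid, $user->name);
```

A quick check for this class of bug in any Drupal 4.x module is to grep for assignments to $user inside functions that declare global $user.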

Comments

jhriggs:

Assigned: Unassigned » jhriggs
Status: Active » Fixed

WOW! OK, that was a really nasty one. Good catch, Nashif. Thank you!

It was fallout from the code-style conversion that I did in the 4.7 version. This has been fixed in version 4.7r4 of the quotes module that I just committed to CVS. It should be available for download in a few hours.

nashif:

Thanks for fixing.
I think, however, this is a flaw in user_load.
It should not allow anonymous users to load other users' data if they do not have enough access.

Anonymous:

Status: Fixed » Closed (fixed)