Bug tracker

This ticket has been moved to our new tracker. Open Ticket PHPBB3-7067 now.

'Find a member' in memberlist.php shows members even for hidden groups that user is not part of (fix completed in vcs)

Here's what I did:

1. Go to memberlist.php
2. Click 'Find a member'
3. Select any group from the Groups dropdown and hit submit. The first time you hit Search, the form is posted and the location in the address bar doesn't change. Hit Search again. The search parameters are sent via a GET request.
4. Modify the location in the address bar, specifically the number after search_group_id= to view the members of any group, even hidden groups that you are not a part of.

Sure, it doesn't show the group name, but that doesn't mean anything. Several inferences can be made based on who are members of what group. For example, we are playing the werewolf game on my forum and using this hack, people can figure out who the wolves and vampires are.

Comments / History

Posted by ToonArmy (Development Team Member) on Mar 8th 2008, 04:27

Issue does indeed exist, potential patch against trunk attached.

Index: memberlist.php
===================================================================
--- memberlist.php   (revision 8425)
+++ memberlist.php   (working copy)
@@ -1238,6 +1238,8 @@
          $group_selected = request_var('search_group_id', 0);
          $s_group_select = '<option value="0"' . ((!$group_selected) ? ' selected="selected"' : '') . '>&nbsp;</option>';
 
+         $group_ids = array();
+
          if ($auth->acl_gets('a_group', 'a_groupadd', 'a_groupdel'))
          {
             $sql = 'SELECT group_id, group_name, group_type
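
Review bot: `$group_ids = array();` is introduced without a comment, and its only use is more than twenty lines further down, so a reader of this block cannot tell what it is for. Add a one-line comment saying it collects the ids of the groups the current user is allowed to search by. Declaring it ahead of the `if ($auth->acl_gets('a_group', 'a_groupadd', 'a_groupdel'))` test is the right place, since it is then defined whichever branch runs.
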
@@ -1261,10 +1263,16 @@
 
          while ($row = $db->sql_fetchrow($result))
          {
+            $group_ids[] = $row['group_id'];
             $s_group_select .= '<option value="' . $row['group_id'] . '"' . (($group_selected == $row['group_id']) ? ' selected="selected"' : '') . '>' . (($row['group_type'] == GROUP_SPECIAL) ? $user->lang['G_' . $row['group_name']] : $row['group_name']) . '</option>';
          }
          $db->sql_freeresult($result);
 
+         if ($group_selected !== 0 && !in_array($group_selected, $group_ids))
+         {
+            trigger_error('NO_GROUP');
+         }
+
          $template->assign_vars(array(
             'USERNAME'   => $username,
             'EMAIL'      => $email,
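
Review bot: The `in_array($group_selected, $group_ids)` check sits in the code that builds the `$s_group_select` dropdown, so it only protects requests that reach this block. Please confirm that the member query filtering on `search_group_id` cannot run without passing through it, or move the check next to that query. Separately, `$group_selected` is an integer from `request_var('search_group_id', 0)` while `$row['group_id']` is appended exactly as `$db->sql_fetchrow()` returned it, so the loose `in_array` relies on type juggling. Appending `(int) $row['group_id']` and passing `true` as the third argument would make it consistent with the strict `!== 0` beside it. Raising the same `NO_GROUP` error for any id outside the list is good, because the response does not reveal whether a hidden group exists.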

Posted by ToonArmy (Development Team Member) on Mar 8th 2008, 04:28

doh!
bug-22805-1.patch (1.11 KB)

Posted by needcaffeine on Mar 8th 2008, 04:46

That works. Thank you very much for the prompt response.

Assigned ticket to user "Acyd Burn"

Action performed by Acyd Burn (Server Manager) on Mar 13th 2008, 14:47

Changed ticket status from "New" to "Fix completed in SVN"

Action performed by Acyd Burn (Server Manager) on Mar 13th 2008, 14:47

Linked ticket with changeset: r8429

Action performed by Anonymous (I am too lazy to register) on Mar 13th 2008, 14:47
