[PHPBB3-7067] 'Find a member' in memberlist.php shows members even for hidden groups that user is not part of

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Resolution: Fixed
Affects Version/s: 3.0.0
Fix Version/s: 3.0.1
Component/s: Memberlist/viewing profiles
Labels:
None
Environment:
PHP Environment: 5.1.6
Database: MySQL 5.0.27

phpBB Import Key:
http://www.phpbb.com/bugs/all/ticket.php?ticket_id=22805

Description

Here's what I did:

1. Go to memberlist.php
2. Click 'Find a member'
3. Select any group from the Groups dropdown and hit submit. The first time you hit Search, the form is posted and the location in the address bar doesn't change. Hit Search again. The search parameters are sent via a GET request.
4. Modify the location in the address bar, specifically the number after search_group_id= to view the members of any group, even hidden groups that you are not a part of.

Sure, it doesn't show the group name, but that doesn't mean anything. Several inferences can be made based on who are members of what group. For example, we are playing the werewolf game on my forum and using this hack, people can figure out who the wolves and vampires are.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

bug-22805-1.patch
1 kB
08/Mar/08 4:28 AM

Activity

People

Assignee:: Meik Sievertsen [X] (Inactive)

Reporter:: needcaffeine

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 07/Mar/08 12:11 AM

Updated:: 13/Mar/08 2:47 PM

Resolved:: 13/Mar/08 2:47 PM