Child pages
  • [security] The "u.profile" usage in templates can expose too much data [5.2.2-B1]
STRIDE: Information Disclosure
Damage potential: 0
Reproducibility: 10
Exploitability: 5
Affected users: 5
Discoverability: 0
DREAD Score: 4
5.1.x: Yes
RPI: Yes & No
Quote: 0.5h

The "u.profile" PrefixSpecial is designed to be used on the "Public Profile" page only. It is used like this:

  • create the "/public_profile.tpl" template
  • place <inp2:u.profile_Field name="Email"/> tag on it
  • open the "/public_profile.html?user_id=X" URL ("X" is ID of existing user)

This works flawlessly, because in the "advanced" theme the Public Profile template is built so that:

  • it displays no user info by default
  • each user must manually choose which fields he/she wants shown on his/her Public Profile page

There is also fallback code that, when "user_id=X" isn't given in the URL, uses the ID of the currently logged-in user. This can create the wrong impression that the "u.profile" PrefixSpecial can also be used to build "user profile editing" pages. Used that way, each such page would show (in inputs) the data of whichever user ID is given in the URL.

Solution

In the "UsersEventHandler::getPassedID" method, when the "profile" Special is used and no "user_id" parameter is given in the URL, show the "404 Not Found" page.
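The fallback described above and the proposed fix, side by side, as an added PHP illustration that is not In-Portal's own code: the In-Portal event handler is reduced to plain functions, and $special, $get and $session stand in for the event's Special, the request parameters and the session (assumed names).

```php
<?php
// Added illustration, not In-Portal's own code. $special, $get and $session
// are stand-ins (assumed) for $event->Special, the URL parameters and the
// logged-in user's session data.

// BEFORE: when "user_id" is absent from the URL, the logged-in user's ID is
// used instead. This makes "u.profile" look usable on profile-editing
// templates, where the same tag then renders the fields of whichever user ID
// the URL names.
function getPassedID_before($special, array $get, array $session)
{
    if ($special == 'profile') {
        if (isset($get['user_id'])) {
            return (int)$get['user_id'];
        }
        // fallback to the currently logged-in user
        return isset($session['user_id']) ? (int)$session['user_id'] : false;
    }
    return false;
}

// AFTER: with the "profile" Special, "user_id" must be given explicitly in
// the URL; otherwise processing stops with "404 Not Found" (In-Portal would
// hand this to its 404 handler; here it is modelled as an exception).
function getPassedID_after($special, array $get, array $session)
{
    if ($special == 'profile') {
        if (!isset($get['user_id'])) {
            throw new RuntimeException('404 Not Found');
        }
        return (int)$get['user_id'];
    }
    return false;
}

// Constructed requests: visitor logged in as user 42.
$session = array('user_id' => 42);
var_dump(getPassedID_before('profile', array(), $session)); // int(42): fallback
var_dump(getPassedID_after('profile', array('user_id' => '7'), $session)); // int(7)
try {
    getPassedID_after('profile', array(), $session);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n"; // 404 Not Found
}
```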

Quote: 0.5h

Related Tasks