*URGENT – SECURITY BUG*

  • #2349
    Anonymous
    Inactive

    Hi, first of all, thank you for such an amazing plugin. I have found a bug that compromises security in this plugin. I am not going to put this out here as it can be misused. Could you please provide contact information so I can explain it to your team? Regards.

    #2350
    alexg
    Keymaster

    Hello,

    Thank you for finding this and for reporting it to me.

    You can find my contact email at https://www.dashed-slug.net/contact/

    I will look at it today and if it is indeed a problem I will release a fix ASAP.

    Thanks again

    Kind regards,
    Alex

    #2351
    alexg
    Keymaster

    Thank you for reporting this. I am posting here for the benefit of anyone else reading this.

    You describe that the get_user_info JSON call divulges user names. This is not a bug, but works as intended and is documented behavior.

    I do intend to replace this API in the future with something that does not divulge user names, but it will be done when I rework the API because it’s an architectural change and is tied to a lot of other things that also need to change.

    For the time being you can disable the “send funds to user” capability from any user roles that you do not wish to be able to see user names. These users will not be able to initiate internal transfers or use the [wallets_move] shortcode, but the deposit/withdrawal functionality will still be there.

    Again thanks for reporting.
