Security Issue: Members Able to Bypass 'Group Application'

  • Hello,

    Today, whilst I was coding an external script for my forum, I found a security bug in WBB 4. Basically, when a user applies for a user group (for example, Moderator), the group leader gets an e-mail with a link to check the application. However, say I am the user who originally submitted the application, not the group leader; if I go to:

    example.com/index.php/UserGroupManageApplicationEdit/1/

    it will allow me to actually look at that application as if I were the group leader, even though I am not; I am the user who submitted the application.

    You can then choose Accept from the drop-down and reply to it. When you click Submit it will say Access Denied, but it will still approve the application, and going to that specific application in the future then says Access Denied.

  • Once the user accepts the application, it sets them as Moderator, giving them all Moderator permissions. Huge security hole.
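The failure mode described in these two posts is an authorization check that runs only after the state change has already been written, so "Access Denied" is shown but the application is approved anyway. The following is an added illustrative example, not code from WBB 4 or WoltLab; the class and function names are hypothetical and model the vulnerable ordering beside the corrected one, where the check guards both viewing and submitting before any data is touched.

```php
<?php
// Added example (not WoltLab/WBB code); all names here are hypothetical.
// A group application with the two users that matter for the check.
final class Application {
    public function __construct(
        public int $id,
        public int $applicantId,
        public int $groupLeaderId,
        public string $status = 'pending',
    ) {}
}

// Vulnerable ordering, as the report describes: the status is changed
// first, and only afterwards is the caller's permission checked.
function approveVulnerable(Application $app, int $currentUserId): string {
    $app->status = 'accepted';                // side effect already persisted
    if ($currentUserId !== $app->groupLeaderId) {
        return 'Access Denied';               // too late: status is 'accepted'
    }
    return 'OK';
}

// Hardened ordering: authorize before touching any state.
function approveHardened(Application $app, int $currentUserId): string {
    if ($currentUserId !== $app->groupLeaderId) {
        return 'Access Denied';               // nothing was changed
    }
    $app->status = 'accepted';
    return 'OK';
}

// The same check must also guard the read path (opening the edit form),
// otherwise an applicant can still view the application by guessing the ID.
function canView(Application $app, int $currentUserId): bool {
    return $currentUserId === $app->groupLeaderId;
}

// Constructed sample data: user 7 applied to a group whose leader is user 2,
// and user 7 (the applicant, not the leader) submits the form.
$app = new Application(id: 1, applicantId: 7, groupLeaderId: 2);
echo 'vulnerable: ', approveVulnerable($app, 7), ', status=', $app->status, PHP_EOL;

$app = new Application(id: 1, applicantId: 7, groupLeaderId: 2);
echo 'hardened:   ', approveHardened($app, 7), ', status=', $app->status, PHP_EOL;
echo 'view form:  ', canView($app, 7) ? 'allowed' : 'blocked', PHP_EOL;
```

Running the script shows the vulnerable handler returning "Access Denied" while the status is already "accepted", whereas the hardened handler leaves it "pending" and also refuses to render the form.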