PriMoThemes — now s2Member® (official notice)

This is now a very OLD forum system. It's in READ-ONLY mode.
All community interaction now occurs at WP Sharks™. See: new forums @ WP Sharks™

security bug?

s2Member Plugin. A Membership plugin for WordPress®.

security bug?

Postby rcherry » May 11th, 2011, 9:49 am

Is this a known security bug with S2Member?

Open registration is set to "No (do NOT allow Open Registration)". However if I request a password reset from the wp-login.php page and then click on the link in the email sent by WordPress the link sends me to a page where the "Register" link shows on the page. From here I can register a new account:

http://~/wp-login.php?action=rp&key=JG1 ... zh3&login=

I don't want open registration, all users will be manually input by the sysadmin. Is there a way to fix the issue described above?
User avatar
rcherry
Registered User
Registered User
 
Posts: 6
Joined: May 11, 2011

Re: security bug?

Postby DJEcon » May 12th, 2011, 4:50 pm

Yes, I think I'm having the same or similar problem, that came to my attention from some of my members. They were choosing "Lost Password" on the Login page, and were repeatedly redirected back there, even after selecting "get new password". They never received an email with a new password.
I've had members use this function before, and never had any complaints.
Any ideas?
User avatar
DJEcon
Registered User
Registered User
 
Posts: 2
Joined: May 12, 2011

Re: security bug?

Postby rcherry » May 12th, 2011, 7:16 pm

Not quite the same issue. When I click on "Lost Password?" then enter my email address I do get an email message with a link to click that takes me to the Login page. The issue is that on this page there is a link to register, even though in s2member admin I chose not to allow open registration. From the register link I can register an account on the site and I don't want to allow registration. All users are to entered by the sysadmin.
User avatar
rcherry
Registered User
Registered User
 
Posts: 6
Joined: May 11, 2011

Re: security bug?

Postby DJEcon » May 12th, 2011, 8:00 pm

Aha . . . it IS different. Seems as though we need help from the PROS. Sorry I don't have a solution for you. I don't have open registration either, but I do have 2 membership levels managed by S2Member and PayPal; those who pay us by check are entered in manually by me. Good luck!
User avatar
DJEcon
Registered User
Registered User
 
Posts: 2
Joined: May 12, 2011

Re: security bug?

Postby rcherry » May 12th, 2011, 8:42 pm

Sorry I don't have an answer for your issue either. I use this for club membership where members are at level 0. No paypal involved.
User avatar
rcherry
Registered User
Registered User
 
Posts: 6
Joined: May 11, 2011

Re: security bug?

Postby Cristián Lávaque » May 13th, 2011, 10:08 pm

rcherry, sorry I took so long to notice your thread, it was in the general WordPress forum instead of the s2Member specific one (the one I monitor). I moved it here now.

I did a little test and, with free registrations off, I am shown the registration link in the login page if I'm logged in as an admin, if I log out, then the link goes away...

This is just weird WordPress behavior, why even show the login page or registration one to a logged in user, not to mention admin, is beyond me.

Does your problem go away if you're not logged in?
Cristián Lávaque http://s2member.net
Is s2Member working for you? Please rate it Image at WordPress.org. Thanks! :)
User avatar
Cristián Lávaque
Developer
Developer
 
Posts: 6836
Joined: December 22, 2010

Re: security bug?

Postby Cristián Lávaque » May 13th, 2011, 10:09 pm

DJEcon, could you start a new thread in this forum about your problem, and give as many details as possible to reproduce your problem? viewforum.php?f=4

Thanks. :)
Cristián Lávaque http://s2member.net
Is s2Member working for you? Please rate it Image at WordPress.org. Thanks! :)
User avatar
Cristián Lávaque
Developer
Developer
 
Posts: 6836
Joined: December 22, 2010

Re: security bug?

Postby rcherry » May 13th, 2011, 10:30 pm

Hey, sorry. Yes the problem does go away when I log out from admin. So sorry to have bothered you with this.

I have another question about redirecting login to the login welcome page for the author role. I will start another thread.
User avatar
rcherry
Registered User
Registered User
 
Posts: 6
Joined: May 11, 2011

Re: security bug?

Postby Cristián Lávaque » May 13th, 2011, 11:54 pm

I'm glad that solved it for you. :)
Cristián Lávaque http://s2member.net
Is s2Member working for you? Please rate it Image at WordPress.org. Thanks! :)
User avatar
Cristián Lávaque
Developer
Developer
 
Posts: 6836
Joined: December 22, 2010


Return to s2Member Plugin

Who is online

Users browsing this forum: Bing [Bot], Google [Bot] and 0 guests

cron