Security Vulnerability in WPMU Membership?

Hello - on our site we use Membership plugin to have people pay for access to premium content, such as videos, audio files, etc.

Someone emailed our support line saying that they wanted to give us a heads-up about a potential security vulnerability. He claimed that by using his premium account login information, he would be able to use an "iFrame" and embed premium content on other websites (circumventing the need for payment). Is this true? If so, is there something we can do to stop this?

Thanks and regards,

AD

  • Timothy Bowers
    • Chief Pigeon

    Hey there.

    Can you give me some information on how they achieve this and where?

    Do you change WP roles for subscription?

    Are they inputting this through some form, like a forum, or a contact form?

    Or is he suggesting he could pass a query string with his credentials in the url to authenticate and take the information for his own site?

    Could you get more information, and an example of how he claims this works?

    Thanks.

  • Patrick
    • Support Monkey

    Hi @Adrian

    You are somewhat correct on that point. :(

    I just tested by adding protected content from a test site in an iframe on a page of a different domain. As long as I am logged into the site where the protected content is located, the iframe displays it... but only in the same browser used to login to the site where the protected content is, and it is viewable only by the same user.

    You can test it yourself by viewing this page:
    http://reallywantthis.com/testing/sample-page/

    The content in the iframe on that page is being pulled from this one:
    http://patrickcohen.net/level-1-access-only/

    I am currently logged into the site (in Firefox) where the protected content is located. You will see that the iframe actually displays the protected content page of the source site instead.
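The behaviour Patrick describes comes down to two browser rules: whether the protected page's response headers permit it to be framed by another origin at all, and whether the logged-in session cookie is attached to a request made from a cross-site iframe. The following added example (not code from the Membership plugin or from anyone in this thread) evaluates both rules from raw response headers. The header sets and cookie strings are constructed samples; the site-matching helper is a deliberate simplification that ignores the public suffix list, and the "no SameSite attribute means Lax" default reflects Chromium's behaviour. The URLs are the two test pages quoted above.

```python
"""Decide whether a protected page would render inside an <iframe> on another
site, judged from the response headers it sends and its session cookie.
Example code, not part of the Membership plugin; sample headers are constructed."""

from urllib.parse import urlsplit


def _origin(url):
    """scheme://host[:port], lower-cased: the browser's notion of an origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _site(url):
    """Approximate the SameSite 'site': scheme plus the last two host labels.
    Simplification: a real browser consults the public suffix list."""
    p = urlsplit(url)
    return p.scheme.lower(), ".".join(p.hostname.split(".")[-2:]).lower()


def _parse_headers(raw):
    """Header lines -> dict of lower-cased name -> list of values (status line skipped)."""
    out = {}
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        out.setdefault(name.strip().lower(), []).append(value.strip())
    return out


def _csp_frame_ancestors(csp_values):
    """Source list of the frame-ancestors directive, or None if not declared."""
    for csp in csp_values:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return None


def _source_matches(source, embedder, content_origin):
    """Does one frame-ancestors source expression match the embedding origin?"""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return embedder == content_origin
    if s == "*":
        return True
    emb_scheme, emb_host = embedder.split("://", 1)
    if s.endswith(":") and "/" not in s:          # scheme-only source, e.g. https:
        return emb_scheme == s[:-1]
    scheme, _, host = s.rpartition("://")
    if scheme and scheme != emb_scheme:
        return False
    if host.startswith("*."):                     # wildcard subdomain source
        return emb_host.endswith(host[1:])
    return emb_host == host


def framing_allowed(raw_headers, content_url, embedding_url):
    """True if a browser would render content_url inside a frame on embedding_url.
    A CSP frame-ancestors directive overrides X-Frame-Options when both exist."""
    headers = _parse_headers(raw_headers)
    content_origin, embedder = _origin(content_url), _origin(embedding_url)

    ancestors = _csp_frame_ancestors(headers.get("content-security-policy", []))
    if ancestors is not None:
        return any(_source_matches(s, embedder, content_origin) for s in ancestors)

    xfo = {v.strip().upper() for v in headers.get("x-frame-options", [])}
    if len(xfo) > 1:                              # conflicting XFO headers: browsers refuse to render
        return False
    if xfo == {"DENY"}:
        return False
    if xfo == {"SAMEORIGIN"}:
        return embedder == content_origin
    return True                                   # no policy at all: anyone may frame the page


def session_cookie_sent_to_frame(set_cookie_value, content_url, embedding_url):
    """Would this cookie accompany a request for content_url issued by an <iframe>
    on embedding_url?  A cross-site iframe load is not a top-level navigation,
    so only cookies marked SameSite=None (which must also be Secure) travel with it."""
    attrs = [a.strip().lower() for a in set_cookie_value.split(";")[1:]]
    same_site, secure = "lax", False              # Chromium treats a missing attribute as Lax
    for a in attrs:
        if a.startswith("samesite="):
            same_site = a.split("=", 1)[1]
        elif a == "secure":
            secure = True
    if _site(content_url) == _site(embedding_url):
        return True
    return same_site == "none" and secure


# Constructed sample: a WordPress front-end page with no framing policy at all.
WP_DEFAULT_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Pingback: http://patrickcohen.net/xmlrpc.php
"""

# Constructed sample: the same page after adding a framing policy.
HARDENED_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
"""

if __name__ == "__main__":
    content = "http://patrickcohen.net/level-1-access-only/"
    embedder = "http://reallywantthis.com/testing/sample-page/"
    for label, hdrs in (("default", WP_DEFAULT_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: framing allowed = {framing_allowed(hdrs, content, embedder)}")
    cookie = "wordpress_logged_in_abc=x; Path=/; HttpOnly"
    print("session cookie reaches cross-site frame:",
          session_cookie_sent_to_frame(cookie, content, embedder))
```

Run against the constructed "default" headers the check reports that the page may be framed anywhere, which is what Patrick observed; against the "hardened" set it reports that only same-origin pages may frame it. The cookie check explains the second half of his observation: with a default session cookie the protected page still only renders for the visitor who is already logged in, because nobody else's browser sends that cookie, so the iframe is not a payment bypass on its own, but sending `X-Frame-Options: SAMEORIGIN` together with `Content-Security-Policy: frame-ancestors 'self'` removes the framing entirely.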
