
Security Hole in JomSocial

10 years 3 months ago
  • Mar (Topic Author)

In the early stage of testing we have just found a security hole in JomSocial.

Due to the sensitive nature of this security issue, we put the description in the hidden panel below.

We would appreciate it if you could look into this issue urgently.

10 years 3 months ago
  • Chris

Hi there.

Are you using our latest 3.1.0.4 version? Some security issues were fixed in our latest version.

10 years 3 months ago
  • Mar (Topic Author)

If you have checked the admin console, you should see that I am already at the latest version of JomSocial. This security hole is still present.

10 years 3 months ago
  • Chris

Hm... I'll ask our developers about this; all security holes should already be fixed in the latest release.

10 years 3 months ago
  • Chris

M Chabbani, to be honest I tried to follow your steps from the description, but it's not very detailed. Could you maybe elaborate on how we can replicate this issue?

10 years 3 months ago
  • Mar (Topic Author)

Thanks. I await your support.

10 years 3 months ago
  • Mar (Topic Author)

Chris, even after your feedback in the other thread to close all modules to registered, this security hole is still present. After clicking on photo anyone can hack into superuser. This issue is quite serious in JomSocial.

Could you please provide a solution for this, or at least provide SQL to remove this empty entry in the DB of the empty photo perhaps?

Thanks for your support.

10 years 3 months ago
  • Chris

Hi there.

I really understand this is an important matter; this is why I need some detailed steps to replicate this problem. I tried following those from the misc info and sadly I wasn't able to reproduce this problem. Could you maybe provide us with some more details? Screenshots of the problem? Video maybe?

10 years 3 months ago
  • Paul

Hello M Chabbani,

We have tested the process you describe in your first post, and if I have accessed my administrator section of the site and then not logged off, your process to replicate can be achieved. This is due to the browser session remaining open, not because of a security hole.

Please do the following to confirm:
1. Close all your open browsers so that all browser sessions are closed, then log into administrator, then explicitly log out (don't just close the tab).
2. Follow the process you explained in your first post.
3. When you click on the profile link and then add /administrator to the URL, you will be taken to the administrator login screen.

This is a correct process and we are unable to find any security issue.

10 years 3 months ago
  • Mar (Topic Author)

Thanks Paul. Indeed it was a cache issue. We will have to constantly remind ourselves during heavy changes at this stage to clear the cache every time. Thanks again.

Moderators: Piotr Garasiński