Thread: Invite buddy security issue
-
23-02-2011, 16:27 #1
-= TeamSpeak User =-
Invite buddy security issue
If you go into Tools -> Invite Buddy and generate a link on a server without a password, it generates a link with the Server Admin password that the server created on its first run.
Tested on: 3.0.0-beta36 [Build: 12815], Windows 7 (x64), with server version 3.0.0-beta31-pre [Build: 13600]
-
24-02-2011, 00:39 #2
-= TeamSpeak Addict =-
Did you log on to the server using the admin password at all prior to using the Invite Buddy window?
-
24-02-2011, 04:08 #3
-= TeamSpeak User =-
Yeah. It seems as though it's using whatever password you've got in the box on connection -- regardless of if it's valid or not. If you leave it blank, it won't generate a password in the URL. If you use a bogus password, it will insert that instead.
-
24-02-2011, 07:31 #4
-= TeamSpeak Team =-
But this is no bug.
Your client takes the password you have used before.
It's comparable with this situation: You connect to a server and you fail on its server password.
What now?
You have to ask someone for a password. So someone gives you the password and now you know 2 things. You know the address and the password for the server.
So now you are a security risk too, as you call this here. You know 2 things about the server as long as nobody changes the password when you are on the server.
The invite buddy link does exactly the same thing, the difference is, it is clickable. Nothing more.
It does not know the server password when ...
..it was changed and the client has no new password set.
..you only have the permission to ignore the server password.
..you enter a wrong password into the dialog
If you really want to hide your server password, you need to assign b_virtualserver_join_ignore_password to everyone or to your group.
What happens with users that have never connected before?
Let them connect once to your server, without giving out your password. They will fail, but now they are saved in the database and you can assign permissions or groups to them.
Open Permissions > List all client, to find their database ID or unique ID.
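Added example, not part of the thread and not TeamSpeak code: a small Python check that can be run on an invite link or a chat message before it is shared, flagging and stripping any embedded password. It assumes the invite link is a `ts3server://` URI that carries the password in a `password` query parameter; the host names and passwords below are constructed sample values.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote

# Assumption: invite links look like ts3server://host?port=...&password=...
SECRET_PARAMS = {"password"}
LINK_RE = re.compile(r"ts3server://[^\s<>\"']+", re.IGNORECASE)


def audit_invite_link(link):
    """Return (has_secret, scrubbed_link) for one ts3server:// link."""
    parts = urlsplit(link.strip())
    if parts.scheme.lower() != "ts3server":
        raise ValueError("not a ts3server:// link")
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # A non-empty value is a disclosure even if the password is wrong for
    # this server: the client copies whatever was typed at connect time.
    has_secret = any(k.lower() in SECRET_PARAMS and v for k, v in pairs)
    kept = [(k, v) for k, v in pairs if k.lower() not in SECRET_PARAMS]
    query = urlencode(kept, quote_via=quote)
    return has_secret, urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def scrub_text(text):
    """Strip passwords from every invite link in text.

    Returns (scrubbed_text, number_of_links_that_carried_a_password).
    """
    hits = 0

    def _replace(match):
        nonlocal hits
        has_secret, clean = audit_invite_link(match.group(0))
        hits += int(has_secret)
        return clean

    return LINK_RE.sub(_replace, text), hits


if __name__ == "__main__":
    # Constructed sample message
    msg = "Join tonight: ts3server://voice.example.org?port=9987&password=hunter2"
    print(scrub_text(msg))
```
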