group owner can force any user to join group
Reported by: cash; Owned by: (none listed)
The group edit action has some odd code. Its purpose is to make sure that the creator of a group joins the group. It can be exploited by the group owner to add any user to the group. The primary problem is that the group edit form embeds the user guid in the form as a hidden value, which is never a good idea. Better to use the session information.
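As an added illustration of the defect described in this ticket (not code from the ticket or the project; the `user_guid`/`group_guid` field names, the in-memory `Group` store, and the handler signatures are assumptions), the handler that trusts the hidden form value is shown beside one that takes the joining guid from the session:

```python
# Added illustration, not the project's code. Groups and the session are
# constructed in memory; field names are assumed for the demo.

class Group:
    def __init__(self, guid, owner_guid):
        self.guid = guid
        self.owner_guid = owner_guid
        self.members = set()


def edit_group_vulnerable(form, session, groups):
    """Ensure the group creator is a member, as the ticket describes.

    Defect: the guid that joins comes from a hidden form field, so the
    client (here the owner) chooses which account gets added.
    """
    group = groups[int(form["group_guid"])]
    if session["user_guid"] != group.owner_guid:
        raise PermissionError("only the owner may edit the group")
    group.members.add(int(form["user_guid"]))  # client-controlled value
    return group


def edit_group_fixed(form, session, groups):
    """Same intent; the joining guid is the logged-in user from the session.

    Any user_guid in the form is ignored, so the only account this path
    can add is the owner's own.
    """
    group = groups[int(form["group_guid"])]
    actor = session["user_guid"]
    if actor != group.owner_guid:
        raise PermissionError("only the owner may edit the group")
    group.members.add(actor)  # never read from the form
    return group
```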