Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Security risk in this plugin? Has this been tested?
Best Answers
-
Todd
Vanilla Staff
We'll see if the author comments here within a few days. Otherwise, I'll remove the plugin.
0 -
Yikes... I use this plugin, but fortunately only my moderators have the permissions to create polls.
I feel like I happened on this thread just by luck... I wish there was a more formal and prominent place where security flaws in the Vanilla ecosystem are announced.
Yeah, someone should change the title of this thread to "SECURITY WARNING for Polls plugin" or something
0
Answers
thanks for mentioning this!
No problem -- the subject line is terrible, don't know what possessed me to write something like that -- should be "SECURITY WARNING".
We'll see if the author comments here within a few days. Otherwise, I'll remove the plugin.
Yikes... I use this plugin, but fortunately only my moderators have the permissions to create polls.
I feel like I happened on this thread just by luck... I wish there was a more formal and prominent place where security flaws in the Vanilla ecosystem are announced.
Yeah, someone should change the title of this thread to "SECURITY WARNING for Polls plugin" or something
here's a suggested change to the code to prevent the xss mentioned in this exploit. http://www.henryhoggard.co.uk/security/vanilla-poll-stored-xss/
here is a suggested security fix to the poll plugin
change around line 85 . class.pollmodule.php <?if (!empty($this->_PollData)):?> <br /> <h5><?= stripslashes($this->_PollData->title)?></h5> <ul class="poll-answers"> <? foreach ($this->_PollAnswers->Result() as $Answer):?> <? $Percentage = floor(($Answer->votes / $this->_PollVotes) * 100)?> <li class="answer-block"> <?= Anchor(stripslashes($Answer->title), 'vanilla/discussion/poll/'.$this->_PollData->id.'/vote/'.$Answer->id)?> to this <?if (!empty($this->_PollData)):?> <br /> <?php $this->_PollData->title = htmlspecialchars($this->_PollData->title);?> <h5><?= stripslashes($this->_PollData->title)?></h5> <ul class="poll-answers"> <? foreach ($this->_PollAnswers->Result() as $Answer):?> <? $Percentage = floor(($Answer->votes / $this->_PollVotes) * 100)?> <li class="answer-block"> <?php $Answer->title = htmlspecialchars($Answer->title);?> <?= Anchor(stripslashes($Answer->title), 'vanilla/discussion/poll/'.$this->_PollData->id.'/vote/'.$Answer->id)?> After the above change the javascript alert box won't pop-up if you enter <script>alert('xss')</script> ``into the title or the answers.I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
perhaps line 27 above
should be
<?php $Answer->title = Gdn_Format::Text(($Answer->title);?>maybe the title on this thread could also be changed to Security Risk in Poll Plugin
not sure if my mods above are sufficient, so someone could re-write or fix if they want.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
This plugin hasn't been updated since 2010 and there isn't basic sanitation. It should be removed.
grep is your friend.
I've deleted the addon.