HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Security vulnerability in version 2.0.18.8


Comments

  • Adrian MVP
    edited July 2013

    @x00 sorry, when I tried it, it worked in removing the original thing which is the script alert. My bad for not understanding the preg_replace fully. Thank you for pointing out the right path. I was just trying to do right by everyone to solve it on a Sunday. It's too bad this was not reported directly to the admins of the software rather than placed in the community. But once the cat is out of the bag we are all vulnerable...

    Thank you also for pointing me to the right way to do things.

  • Adrian MVP
    edited July 2013

    @x00 I get what you are saying about sanitation of output. Your skills are more battle tested, so you may see how to do that. I do know that if this vulnerability was being exploited we would have heard about it sooner. Once it's made public here, as opposed to some random exploit site, we are all at risk. So I think protecting the inputs, at least for now, is a good thing--but unless one is certain to be clean, I guess the best bet is to disable the flag plugin.

  • x00 MVP
    edited July 2013

    No worries, thanks for being helpful.

    This guy with the exploits site is a bit of a sad case from Cardiff university. He could easily have reported in a more direct way, he just wants his 5 minutes of fame.

    I used to do similar stuff to this guy (you have to have some time on your hands), except I gave the company the information too. In some cases they didn't respond appropriately; in one case (a well-known company) the contractor tried to bribe me. This was an exploit that was open for a number of years and they were aware of it.

    If a company doesn't respond appropriately, continuing to put users' financial/personal information at risk, etc., then rightly you should expose it.

    grep is your friend.

  • it's too bad this was not reported directly to the admins of the software rather than placed in the community. But once the cat is out of the bag we are all vulnerable...

    If this is directed to me, I could not find any place to report security vulnerabilities directly, and this has been public for a "long" time anyway. I disagree that reporting it here is putting you at risk; rather, it'd make you feel at risk. Random exploit site or not, it is trivial to find and in fact came up quite near the top when I googled for "vanilla forum exploit" just to see what was out there.

  • It wasn't directed at you @Lolo999

    grep is your friend.

  • aery ✭✭✭

    The authors page http://www.henryhoggard.co.uk/ lists many vulnerabilities.
    Plugin authors should take note.


  • @lolo999 it was not directed at you--what I meant is once it's public, as opposed to being disclosed properly by the finder, it makes being hacked that much easier. Thank you for noting it so we could take action :)

  • Well, if they want to delete my drafts they are welcome to it lol. There is no mass draft delete, is there? So, come and get my drafts!!! Read them first though, they have useful tips ;)

  • 50sQuiff ✭✭
    edited July 2013

    My hotfix for draft deletion prevention caused a problem with draft auto-deletion upon the posting of a comment. Proper line is:

    if ($Draft && $Draft->InsertUserID !== $Session->UserID) {
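As an added illustration of the ownership check in the line above (this is not 50sQuiff's patch or Vanilla's own code), the guard is wrapped in a function that lets the no-draft case through, so the auto-deletion of a draft after a comment is posted still works while deleting someone else's draft is refused. The function name, the exception class and the integer casts are assumptions; `$Draft`, `$Session`, `InsertUserID` and `UserID` follow the quoted line.

```php
<?php
// Added illustration, not Vanilla's code: ownership guard for draft deletion.
// Names $Draft, $Session, InsertUserID and UserID follow the line quoted in
// the thread; the function, the exception class and the casts are assumptions.

class DraftPermissionException extends Exception {}

/**
 * Decide whether the current session may delete the given draft.
 *
 * Returns true when deletion may proceed, false when there is no draft on
 * record (nothing to delete, so callers such as the post-comment cleanup
 * simply carry on), and throws when the draft belongs to another user.
 */
function draftDeletionAllowed($Draft, $Session) {
    if (!$Draft) {
        // No draft: the auto-deletion path after posting must not be blocked here.
        return false;
    }
    // Cast both sides: values read from the database often arrive as strings,
    // and a strict !== comparison between "7" and 7 would wrongly deny the owner.
    if ((int)$Draft->InsertUserID !== (int)$Session->UserID) {
        throw new DraftPermissionException('Draft belongs to a different user.');
    }
    return true;
}

// Constructed sample objects so the file runs stand-alone.
$Session = (object)['UserID' => 7];
$ownDraft = (object)['DraftID' => 1, 'InsertUserID' => '7'];
$foreignDraft = (object)['DraftID' => 2, 'InsertUserID' => 3];

echo "own draft: ", draftDeletionAllowed($ownDraft, $Session) ? "delete" : "skip", "\n";
echo "no draft: ", draftDeletionAllowed(null, $Session) ? "delete" : "skip", "\n";
try {
    draftDeletionAllowed($foreignDraft, $Session);
} catch (DraftPermissionException $e) {
    echo "foreign draft: denied (", $e->getMessage(), ")\n";
}
```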

  • @H00j said:
    I have a message thread with Todd, Lincoln, UnderDog dating back to June 2012 where I report all my findings to them, these vulnerabilities and MORE which I did not release publicly were reported on the 14th of May 2013

    I just don't get it. Why on earth would you ever want to release those vulnerabilities to the forum?

    Enlighten me, educate me, because what do you gain from showing everyone these things?


  • I'm glad @H00j made the issues known so I could fix them right away. I'm frankly more concerned about the issues he hasn't disclosed.

  • H00j
    edited July 2013

    @UnderDog said:
    Enlighten me, educate me, because what do you gain from showing everyone these things?

    Please explain, what do you not understand?

    1. I report issues to devs
    2. They confirm issue patched
    3. I release info on it
    
  • @50sQuiff said:
    I'm glad H00j made the issues known so I could fix them right away. I'm frankly more concerned about the issues he hasn't disclosed.

    They have been disclosed to the devs, just not publicly, to clarify.

  • First of all thanx to @H00j: I also stand with releasing vulnerabilities in the community.

    I remember that Joomla had a security thread back in 200something in their forum that helped to avoid addons that weren't secure. What if a mod started a thread, editing and updating the first post with all the information gathered in the answers below?

    And more importantly now... how many vulnerability issues does the Vanilla core have now, and at what security level? When can we apply an update from the core team, or how could we gather all the issues and the code fixes?

    • VanillaAPP | iOS & Android App for Vanilla - White label app for Vanilla Forums OS
    • VanillaSkins | Plugins, Themes, Graphics and Custom Development for Vanilla
  • peregrine MVP
    edited July 2013

    I'm behind you 100% @adriansonline - your reasoning seems well thought out. Especially the random site.

    One would think posting vulnerabilities under the plugin name would be the way to go, if the intent was to help the community. If the intent is to provoke the developers of Vanilla, that's a different matter. But many of the vulnerabilities that are pointed out deal with code not written by the Vanilla developers, and more than likely someone will step up to the plate to provide a fix for the plugin, or users will know they have the option to disable it until a fix is provided by someone.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Adrian MVP
    edited July 2013

    I agree @peregrine, if a plugin is at fault, either place it under the thread, or email the author of the plugin. It's also easy to use the @ symbol in the thread to advise them. The developer should then be allowed to fix it or remove the add-on if they can't/won't.

  • @H00j said:
    Sick of people ranting about how I should have reported it to the vendor first when they do not know the situation. I have a message thread with Todd, Lincoln, UnderDog dating back to June 2012 where I report all my findings to them, these vulnerabilities and MORE which I did not release publicly were reported on the 14th of May 2013 , to which he replied

    I don't think there is any issue with this; there is an issue with people who post vulnerabilities for kicks without fair warning. There is no issue with people who try to help.

    I also kind of agree on putting some reasonable pressure on a vendor to close the exploit.

    grep is your friend.
