Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

[Github 1711] Vanilla Forum comment integration from any WordPress site, without authentication?

dimilowdimilow New
edited October 2013 in Vanilla 2.0 - 2.8

Hi, I was just trying out Vanilla Forum, and it seems to me that I can just integrate WordPress comment integration with anybody's Vanilla forum, and when I create a new post in my WordPress, it will be appeared in the targeted Vanilla Forum, posted as the "System" user. And I can do this without the permission from the forum owner, is that so? sorry, but it seems to me the latest version of Vanilla Forum works this way. Please let me know, thanks!

Comments

  • I think you might be on to something

    block

    /discussion/embed

    I was never a fan of the scraping method either, it needs to be a proper API or not at all.

    grep is your friend.

  • @x00 said:
    I think you might be on to something

    block

    /discussion/embed

    I was never a fan of the scraping method either, it needs to be a proper API or not at all.

    can you elucidate. I don't use cms or have a forum, but just curious block where and what.
    sounds like a fairly sizeable flaw that was found.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • x00x00 MVP
    edited September 2013

    block

    /discussion/embed

    in your server rules with 403 status code.

    grep is your friend.

  • I think in this case there is no choice but to file an issue. :/

    grep is your friend.

  • there is white list trusted of sites

    /embed/settings

    but this is still not good becuase by default there is no protection

    grep is your friend.

  • LincLinc Admin
    edited September 2013

    By default, embed is disabled entirely. So you'd need to A) Enable embed and B) Not use the whitelist and C) Get specifically targeted by a spammer - I assume this wouldn't scale well as a spam technique because only a minority of Vanilla forums use embed.

    If all of that happened (A+B+C), I conjecture you'd find that whitelist setting pretty quickly.

  • By default, embed is disabled entirely.

    From my tests it is possible, with nothing in config to do embed being enabled, this has nothing to do with embedding the forums, only embedded comments.

    It is possible, from tests. I will try tomorrow with fresh installation, however I have followed the code all the way through, there isn't anything stopping it in 2.0.18.8, and it works for anybody, whose site can be scraped.

    The comment code is in the discussion controller in fact the whitelist don't even apply to this it is to do with the embed/entry controllers an appears to be used to verify redirect ?Target=somewhere, which is a different subject. This is from a grep of TrustedDomains.

    It is simply not employed in anything actually to do with embedding the forum or comments other then the redirection specific.

    grep is your friend.

  • x00x00 MVP
    edited September 2013

    block

    discussions/embed

    and

    discussions/refetchpageInfo

    like so

    go to

    dashboard/routes

    Add Route

    • Route Expression -> ^discussion/(embed|refetchpageinfo)
    • Target -> dashboard/home/permission
    • Type -> Not Authorized (401)

    grep is your friend.

  • @Lincoln, it works without me enable anything. Currently even I've added some sites to the whitelist, sites which are not in the white list still can post new dicussion to the forum. I'm testing this using two different domains - one is WordPress with the WordPress Vanilla Forum integration plugin, another is a fresh install of Vanilla Forum.

  • The whitelist is basically only for Target redirect according to the code.

    grep is your friend.

  • Balls.

  • These thing happen, maybe Mark worked on went away to work on something else, and forgot where he left of.

    Personally if it worth doing it is worth doing properly with an api, rather than whitelist security which is a bit backwards, and isn't explicit enough to make sure is used how the webmaster wants.

    grep is your friend.

  • I like that @Mark hasn't worked on Vanilla in like a year and a half but still gets things blamed on him, lol.

  • Sorry it wasn't blame, I'm saying some of that was authored by him.

    grep is your friend.

Sign In or Register to comment.