
Limited XSS flaw in 2.1 - simple workaround

LincLinc, Director of Development, Detroit (Vanilla Staff)

In Vanilla 2.1, it may be possible for a user to get Javascript to run on their own profile page IF:

  1. You are using the Profile Extender addon AND...
  2. You have a field precisely named Twitter or Google+

If you are NOT using Profile Extender or simply do not have any fields with those names, you have no issue and do not need to take any action.

The workaround is to name those fields anything else until 2.1.1 is released. The names must be an exact string match on one of the 3 names above for the exploit to be open. Simply adding an underscore or a number on the end of the field label would mitigate it entirely.

To do this, go to Profile Fields in your Dashboard and click "Edit" on the field you wish to change the name of. If you do not have a Profile Fields section in your Dashboard, you are definitely NOT affected by this issue and need take no further action.

Because this flaw has a very small scope with an easy workaround and 2.1.1 is already scheduled for August, we're not expediting the 2.1.1 release further to address it. Please simply make the change above as needed.
