kPoll css missing? (NOTE k-poll contains a potential security risk.)

Schryvers

I'm really new to css and only can change some things in an existing css file,

But how the @#$@$ does the kPoll getting blue, nothing in my theme is blue? The css is almost empty:

And the CSS is:

`.kPollAnswer {
font-weight: bold;
}

.kPollArchive {
float: left;
width: 250px;
min-height: 250px;
text-align: center;
padding-left: 10px;
padding-right: 10px;
}`

Wich is making me crazy cause everything in the poll is blue but there are no color codes in this css? Am i missing something? Really want that blue gone, just a Dark grey under border 1 px and a white option background as i did in paint like above... and dont know if its possible to get the option texts in any color?

Didnt want to ask this, cause im asking 1 2 or maybe 3 things a day is making me crazy, but for this... its late midnight here 02:00am and im busy with getting this poll working from 10.00pm..... so kinda frustrating.

Anyone help me out?

peregrine

have you patched it against xSS exploits. If not, I would avoid using it.

http://xforce.iss.net/xforce/xfdb/76129

search for https://www.google.com/search?q=kpoll+xss

vrijvlinder

Yes I know that is cause by the default vanilla style of those fields that the theme you are using does not contain the code to override those. It is not the fault of the plugin.

I will give you the codes you need to add to your custom.css, edit the colors as you want

        #kPoll .PanelActivity li {
        background: #1b1e21;
        border-bottom: 1px solid #52585d;
        color: #4e565f;
        font-size: 11px;
        font-weight: 700;
        line-height: 1.6;
        padding: 2px 4px;
        }

peregrine

SECURITY ISSUE needs to be addressed!!!!! in Vanilla kPoll 1.2

see http://xforce.iss.net/xforce/xfdb/76129

Henry Hoggard has discovered a vulnerability in the kPoll plugin for Vanilla Forums, which can be exploited by malicious users to conduct script insertion attacks

Schryvers

Thankyou @peregrine @vrijvlinder‌

so if im understanding it right, when i enable my poll, a hacker can register a account, and then steal my cookie via the kPoll to login as Administrator and hack my website?

Is this is what gonna happen for sure? Or is there a little chance? Theres no other sidebar voting poll plugin right? It looks awesome now thanks to the css vrijvlinder gave me

And @vrijvlinder why when im typing your name i thinking of a dutch name, a free butterfly ahaha, hows that?

peregrine

so if im understanding it right, when i enable my poll, a hacker can register a account, and then steal my cookie via the kPoll to login as Administrator and hack my website?

it simply means that using the plugin you are prone to xss attacks, whatever they may be, depends on the hackers skill

I'm not going to guess the odds or the severity. just warning you.

personally, if I knew something was insecure I wouldn't use it. Since it could potentially cause grief to all the users visiting forum as well as your forum and personal information potentially collected.

vrijvlinder

The poll accesses the database and that is where the issue may be. But I have not had any issues with it.

why when im typing your name i thinking of a dutch name, a free butterfly ahaha, hows that?

Because I am a free butterfly !!!

peregrine

. edited out

Schryvers

I dont get an alert, it just shows

<script>alert</script>

as poll title in text.

Is that good?

vrijvlinder

Any form can potentially be used for attacks. I was hacked via a subscription plugin on a wordpress site of a friend I am hosting. The plugin was a form where people add their email to subscribe to the blog.

A hacker added a script which infected every php file with malicious code. This is something not to take lightly.

Even if it's through the admin panel. The form is not 100% safe. A safer form filters out html tags.

The biggest issue here with kpoll is that it does not validate the input of the textbox
so you can add anything even code...

Schryvers

So the maker of this lovely plugin is not gonna update it? Its not that big plugin.... a form to get secure doesnt seems to be that hard i think if you know how to code? im a total newby im more a designer, just some basic html and php is the limit for me....

vrijvlinder

A validation script can be used , let me see if I can come up with a fix to that form.

peregrine

actually on second thought, I could reproduce the issue.

put this in the title in the dashboard

<script>alert('bad news')</script>

then click view and you will see a popup.

so for sure - you don't want any members but you to create a poll until it's fixed.

peregrine

you could do something like this everywhere, unless someone has a better idea.

     echo <<<EOT
                    <ul class="PanelActivity">
                    <strong><li>$pollInfo->pollTitle</li></strong>
                    <form id="poll" action="./" method="POST">
    EOT;

                    if(!$this->hasVoted()) {    //if the user has NOT voted yet...

to this...

      ?>
                    <ul class="PanelActivity">
                    <strong><li>
                    <?php echo Gdn_Format::Text($pollInfo->pollTitle); ?>
                    </li></strong>
                    <form id="poll" action="./" method="POST">

                     <?php
                    if(!$this->hasVoted()) {    //if the user has NOT voted yet...

and change all the displayed output of "user inputted" strings so they are surrounded by Gdn_Format::Text

so you would need to change...

$c->pollContent

and whatever.

too tedious for me. But it should also use Vanilla forms they way they should be used.

not your own <form id

peregrine

hey @linc - Can you put a note in the description -xSS Security Issue in the kpoll plugin, so people can download and try to fix, and still Alert unknowing users not to use at the same time.

from the description in plugin
All security patches will be published here immediately

ironic isn't it.

and maybe a mod could change title of this thread to kpoll - Security Warning - do not use plugin until security issues fixed.

yes, it says use at your own risk as a warning. But we know it is a known risk(as minor or major issue may be) , so it would be cool to mention it in the description of plugins where we know there is a problem

it was reported back in 2012 in the forum , and has never been fixed, at least a note in plugin would be cool.

same with the poll plugin.

Schryvers

@peregrine @vrijvlinder‌

I really missing something right here.

If members cant open a poll, then theres no risk? Me as admin only open polls!

so for sure - you don't want any members but you to create a poll until it's fixed.

Linc

The appropriate course of action for these issues is to contact the author directly via PM (or email if it is available). I've done this now. If no action is taken, I'll delete the addon.

vrijvlinder

@Schryvers said:
peregrine vrijvlinder‌

I really missing something right here.

If members cant open a poll, then theres no risk? Me as admin only open polls!

In theory the risk would be less if only one person has access to the poll settings. But that does not remove the threat only keeps it private.

Only one person has had this issue. It is the same person who reported on all those sites, and there is no corroboration on any of them.

That does not mean it is rare, just that it is a possibility.

@‌Linc , I believe the author was notified back in 2012 when this came up.

Linc

@vrijvlinder‌ I suspect you are confusing this with the older, unrelated Poll vulnerability; I've deleted that addon now.

vrijvlinder

I was not aware there was an unrelated poll vulnerability ... Only the one with kpoll because it does not validate the text input and one can add script.

Schryvers

kPoll should be have only set the permissions for the administrator... If i see it right, then theres no problem, only the administrator can open a poll right?

So unless theres another sidebar poll, i use kPoll. Love how the css is now thanks to free butterfly @vrijvlinder t