
kPoll css missing? (NOTE k-poll contains a potential security risk.)

This discussion is related to the kPoll addon.
Schryvers
edited October 2014 in Vanilla 2.0 - 2.8

I'm really new to CSS and can only change some things in an existing CSS file.

But how the @#$@$ is the kPoll getting blue? Nothing in my theme is blue. The CSS is almost empty:

And the CSS is:

```css
.kPollAnswer {
    font-weight: bold;
}

.kPollArchive {
    float: left;
    width: 250px;
    min-height: 250px;
    text-align: center;
    padding-left: 10px;
    padding-right: 10px;
}
```

Which is making me crazy, 'cause everything in the poll is blue but there are no color codes in this CSS? Am I missing something? Really want that blue gone, just a dark grey under border 1 px and a white option background as I did in Paint like above... and I don't know if it's possible to get the option texts in any color?

Didn't want to ask this, 'cause I'm asking 1, 2 or maybe 3 things a day, which is making me crazy, but for this... it's late midnight here, 02:00am, and I'm busy with getting this poll working since 10.00pm..... so kinda frustrating.

Anyone help me out?

[Attachment: 233.PNG]

Comments

  • peregrine MVP
    edited October 2014

    Have you patched it against XSS exploits? If not, I would avoid using it.

    http://xforce.iss.net/xforce/xfdb/76129

    search for https://www.google.com/search?q=kpoll+xss

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • vrijvlinder Papillon-Sauvage MVP
    edited October 2014

    Yes, I know. That is caused by the default Vanilla style of those fields; the theme you are using does not contain the code to override those. It is not the fault of the plugin.

    I will give you the code you need to add to your custom.css; edit the colors as you want.

            #kPoll .PanelActivity li {
            background: #1b1e21;
            border-bottom: 1px solid #52585d;
            color: #4e565f;
            font-size: 11px;
            font-weight: 700;
            line-height: 1.6;
            padding: 2px 4px;
            }
    
  • peregrine MVP
    edited October 2014

    SECURITY ISSUE needs to be addressed!!!!! in Vanilla kPoll 1.2

    See http://xforce.iss.net/xforce/xfdb/76129

    Henry Hoggard has discovered a vulnerability in the kPoll plugin for Vanilla Forums, which can be exploited by malicious users to conduct script insertion attacks.


  • Thank you @peregrine @vrijvlinder

    So if I'm understanding it right, when I enable my poll, a hacker can register an account, and then steal my cookie via the kPoll to log in as Administrator and hack my website?

    Is this what's gonna happen for sure? Or is there a little chance? There's no other sidebar voting poll plugin, right? It looks awesome now thanks to the CSS vrijvlinder gave me.

    And @vrijvlinder, why, when I'm typing your name, am I thinking of a Dutch name, a free butterfly, ahaha, how's that?

  • peregrine MVP
    edited October 2014

    So if I'm understanding it right, when I enable my poll, a hacker can register an account, and then steal my cookie via the kPoll to log in as Administrator and hack my website?

    It simply means that using the plugin you are prone to XSS attacks, whatever they may be; it depends on the hacker's skill :)

    I'm not going to guess the odds or the severity. Just warning you.

    Personally, if I knew something was insecure I wouldn't use it, since it could potentially cause grief to all the users visiting the forum, as well as to your forum and the personal information potentially collected.


  • vrijvlinder Papillon-Sauvage MVP

    The poll accesses the database and that is where the issue may be. But I have not had any issues with it.

    Why, when I'm typing your name, am I thinking of a Dutch name, a free butterfly, ahaha, how's that?

    Because I am a free butterfly !!!

  • peregrine MVP
    edited October 2014

    . edited out


  • Schryvers
    edited October 2014

    I don't get an alert, it just shows

    `<script>alert</script>`

    as poll title in text.

    Is that good?

  • vrijvlinder Papillon-Sauvage MVP
    edited October 2014

    Any form can potentially be used for attacks. I was hacked via a subscription plugin on a WordPress site of a friend I am hosting. The plugin was a form where people add their email to subscribe to the blog.

    A hacker added a script which infected every PHP file with malicious code. This is something not to take lightly.

    Even if it's through the admin panel, the form is not 100% safe. A safer form filters out HTML tags.

    The biggest issue here with kPoll is that it does not validate the input of the textbox, so you can add anything, even code...

  • So the maker of this lovely plugin is not gonna update it? It's not that big a plugin.... Getting a form secure doesn't seem to be that hard, I think, if you know how to code? I'm a total newbie, I'm more a designer; just some basic HTML and PHP is the limit for me....

  • vrijvlinder Papillon-Sauvage MVP

    A validation script can be used; let me see if I can come up with a fix to that form.

  • peregrine MVP
    edited October 2014

    Actually, on second thought, I could reproduce the issue.

    Put this in the title in the dashboard:

    `<script>alert('bad news')</script>`

    Then click view and you will see a popup.

    So for sure - you don't want any members but you to create a poll until it's fixed.


  • peregrine MVP
    edited October 2014

    you could do something like this everywhere, unless someone has a better idea.

        // before: the poll title is interpolated into the HTML as-is, unescaped
        echo <<<EOT
            <ul class="PanelActivity">
            <strong><li>$pollInfo->pollTitle</li></strong>
            <form id="poll" action="./" method="POST">
        EOT;

        if(!$this->hasVoted()) {    // if the user has NOT voted yet...

    to this...

        // after: the title is passed through Gdn_Format::Text before output
        ?>
            <ul class="PanelActivity">
            <strong><li>
            <?php echo Gdn_Format::Text($pollInfo->pollTitle); ?>
            </li></strong>
            <form id="poll" action="./" method="POST">

        <?php
        if(!$this->hasVoted()) {    // if the user has NOT voted yet...

    And change all the displayed output of "user inputted" strings so they are surrounded by Gdn_Format::Text.

    So you would need to change...

    $c->pollContent

    and whatever.

    Too tedious for me. But it should also use Vanilla forms the way they should be used,

    not your own `<form id`.


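The fix peregrine sketches above, and the unvalidated-textbox problem vrijvlinder describes, as an added stand-alone example (not kPoll's or Vanilla's code): the poll title rendered the heredoc way and the escaped way, side by side. Gdn_Format::Text is replaced by a local htmlspecialchars stand-in (an assumption about what it does) so the script runs outside Vanilla.

```php
<?php
// Added example, not kPoll's or Vanilla's code: the poll-title rendering from the
// post above in its unescaped (heredoc) form and its escaped form, side by side.
// Gdn_Format::Text is replaced by a local stand-in so this runs outside Vanilla;
// the assumption is that it HTML-encodes its argument, which is what the fix relies on.

function formatText(string $value): string {
    // Stand-in for Gdn_Format::Text (assumption): encode <, >, &, " and '
    // so the browser renders them as text instead of parsing them as markup.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Before: whatever the poll creator typed lands in the page as markup.
function renderPollVulnerable(string $pollTitle): string {
    return <<<EOT
<ul class="PanelActivity">
<li><strong>$pollTitle</strong></li>
</ul>
EOT;
}

// After: the title is encoded at the point of output, as the fix above does
// with Gdn_Format::Text. The same must be applied to every user-supplied string
// (poll answers such as $c->pollContent included), not just the title.
function renderPollSafe(string $pollTitle): string {
    $title = formatText($pollTitle);
    return <<<EOT
<ul class="PanelActivity">
<li><strong>$title</strong></li>
</ul>
EOT;
}

// True when the rendered HTML still contains a live <script> tag.
function hasRawScriptTag(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Constructed input: the probe title quoted in the thread above.
$pollTitle = "<script>alert('bad news')</script>";

echo "unescaped output is executable markup: ",
    var_export(hasRawScriptTag(renderPollVulnerable($pollTitle)), true), "\n";
echo "escaped output is inert text:          ",
    var_export(!hasRawScriptTag(renderPollSafe($pollTitle)), true), "\n";
echo renderPollSafe($pollTitle), "\n";
```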
  • peregrine MVP
    edited October 2014

    Hey @linc - can you put a note in the description - XSS Security Issue in the kPoll plugin - so people can download and try to fix it, and still alert unknowing users not to use it at the same time.

    From the description in the plugin:
    All security patches will be published here immediately

    Ironic, isn't it.

    And maybe a mod could change the title of this thread to "kPoll - Security Warning - do not use plugin until security issues fixed".

    Yes, it says use at your own risk as a warning. But we know it is a known risk (as minor or major as the issue may be), so it would be cool to mention it in the description of plugins where we know there is a problem.

    It was reported back in 2012 in the forum, and has never been fixed; at least a note in the plugin would be cool.

    Same with the poll plugin.


  • @peregrine @vrijvlinder

    I'm really missing something right here.

    If members can't open a poll, then there's no risk? Only I as admin open polls!

    So for sure - you don't want any members but you to create a poll until it's fixed.

  • Linc Detroit Admin

    The appropriate course of action for these issues is to contact the author directly via PM (or email if it is available). I've done this now. If no action is taken, I'll delete the addon.

  • vrijvlinder Papillon-Sauvage MVP

    @Schryvers said:
    peregrine vrijvlinder

    I'm really missing something right here.

    If members can't open a poll, then there's no risk? Only I as admin open polls!

    In theory the risk would be less if only one person has access to the poll settings. But that does not remove the threat, only keeps it private.

    Only one person has had this issue. It is the same person who reported on all those sites, and there is no corroboration on any of them.

    That does not mean it is rare, just that it is a possibility.

    @Linc, I believe the author was notified back in 2012 when this came up.

  • Linc Detroit Admin

    @vrijvlinder‌ I suspect you are confusing this with the older, unrelated Poll vulnerability; I've deleted that addon now.

  • vrijvlinder Papillon-Sauvage MVP
    edited October 2014

    I was not aware there was an unrelated poll vulnerability ... Only the one with kPoll, because it does not validate the text input and one can add script.

  • kPoll should have only set the permissions for the administrator... If I see it right, then there's no problem, only the administrator can open a poll, right?

    So unless there's another sidebar poll, I use kPoll. Love how the CSS is now, thanks to free butterfly @vrijvlinder
