Answers

  • fh111fh111 Vanilla Padawan ✭✭
    Answer ✓

    thanks for mentioning this!

  • No problem -- the subject line is terrible, don't know what possessed me to write something like that -- should be "SECURITY WARNING".

  • ToddTodd Chief Product Officer Vanilla Staff
    Answer ✓

    We'll see if the author comments here within a few days. Otherwise, I'll remove the plugin.

  • edited June 2012 Answer ✓

    Yikes... I use this plugin, but fortunately only my moderators have the permissions to create polls.

    I feel like I happened on this thread just by luck... I wish there was a more formal and prominent place where security flaws in the Vanilla ecosystem are announced.

    Yeah, someone should change the title of this thread to "SECURITY WARNING for Polls plugin" or something

  • here's a suggested change to the code to prevent the xss mentioned in this exploit. http://www.henryhoggard.co.uk/security/vanilla-poll-stored-xss/

    here is a suggested security fix to the poll plugin

    change around line 85.

    class.pollmodule.php

       <?if (!empty($this->_PollData)):?>
           <br />
           <h5><?= stripslashes($this->_PollData->title)?></h5>
           <ul class="poll-answers">
           <? foreach ($this->_PollAnswers->Result() as $Answer):?>
           <? $Percentage =  floor(($Answer->votes / $this->_PollVotes) * 100)?>
           <li class="answer-block">
           <?= Anchor(stripslashes($Answer->title), 'vanilla/discussion/poll/'.$this->_PollData->id.'/vote/'.$Answer->id)?>

    to this

       <?if (!empty($this->_PollData)):?>
           <br />
           <?php $this->_PollData->title = htmlspecialchars($this->_PollData->title);?>
           <h5><?= stripslashes($this->_PollData->title)?></h5>
           <ul class="poll-answers">
           <? foreach ($this->_PollAnswers->Result() as $Answer):?>
           <? $Percentage =  floor(($Answer->votes / $this->_PollVotes) * 100)?>
           <li class="answer-block">
           <?php $Answer->title = htmlspecialchars($Answer->title);?>
           <?= Anchor(stripslashes($Answer->title), 'vanilla/discussion/poll/'.$this->_PollData->id.'/vote/'.$Answer->id)?>

    After the above change the javascript alert box won't pop-up if you enter

       <script>alert('xss')</script>

    into the title or the answers.
    

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • peregrineperegrine MVP
    edited October 2014

    perhaps line 27 above

    should be

    <?php $Answer->title = Gdn_Format::Text($Answer->title); ?>

    maybe the title on this thread could also be changed to Security Risk in Poll Plugin

    not sure if my mods above are sufficient, so someone could re-write or fix if they want.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
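    The two fixes above both come down to escaping the stored title and answer text at output time. The following is an added example, not code from the Polls plugin or from anyone in this thread: it renders the same markup shape as class.pollmodule.php once unescaped and once escaped, then checks the payload quoted above against both. The helper names (escapeText, voteUrl, renderPollUnsafe, renderPollSafe) are assumptions for illustration.

```php
<?php
// Added example, not the Polls plugin's own code: render a poll title and its
// answers the way class.pollmodule.php does, once unescaped (the reported bug)
// and once escaped at output time, then check the payload from this thread.
// escapeText/voteUrl/renderPollUnsafe/renderPollSafe are hypothetical names.

function escapeText(string $value): string
{
    // stripslashes first (the plugin stores slashed strings), then escape, so
    // escaping is the last step before the value reaches the HTML. ENT_QUOTES
    // also covers single quotes, which a bare htmlspecialchars() leaves alone.
    return htmlspecialchars(stripslashes($value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function voteUrl(int $pollId, int $answerId): string
{
    return '/vanilla/discussion/poll/' . $pollId . '/vote/' . $answerId;
}

// Shape of the original template: raw user text straight into the markup.
function renderPollUnsafe(int $pollId, string $title, array $answers): string
{
    $html = '<h5>' . stripslashes($title) . '</h5><ul class="poll-answers">';
    foreach ($answers as $id => $answerTitle) {
        $html .= '<li class="answer-block"><a href="' . voteUrl($pollId, $id) . '">'
               . stripslashes($answerTitle) . '</a></li>';
    }
    return $html . '</ul>';
}

// Same markup with every user-controlled string escaped for its HTML context.
function renderPollSafe(int $pollId, string $title, array $answers): string
{
    $html = '<h5>' . escapeText($title) . '</h5><ul class="poll-answers">';
    foreach ($answers as $id => $answerTitle) {
        $html .= '<li class="answer-block"><a href="' . voteUrl($pollId, $id) . '">'
               . escapeText($answerTitle) . '</a></li>';
    }
    return $html . '</ul>';
}

// Constructed sample: the payload quoted in the thread, used both as the poll
// title and as an answer. The safe output must contain no raw <script> tag.
$payload = "<script>alert('xss')</script>";
$unsafe  = renderPollUnsafe(1, $payload, [7 => $payload]);
$safe    = renderPollSafe(1, $payload, [7 => $payload]);

if (stripos($unsafe, '<script>') === false || stripos($safe, '<script>') !== false) {
    throw new RuntimeException('escaping check failed');
}
echo $safe, PHP_EOL;
```

    The check passes only when the unescaped render still carries the raw tag and the escaped render does not, which is the same behaviour the fix above is meant to produce.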

  • x00x00 MVP
    edited October 2014

    This plugin hasn't been updated since 2010 and there isn't basic sanitation. It should be removed.

    grep is your friend.

  • LincLinc Detroit Admin

    I've deleted the addon.
