Comments on: Top 10 Open Source Forums - 12 Months of Vulnerabilities http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/ Security Tools and Tips Fri, 21 Nov 2008 19:59:15 +0000 http://wordpress.org/?v=2.2.2 By: » links for 2008-05-16 | Paul Cowles http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-54398 » links for 2008-05-16 | Paul Cowles Tue, 03 Jun 2008 00:17:35 +0000 http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-54398 [...] Top 10 Open Source Forums - 12 Months of Vulnerabilities | Dragos Lungu Dot Com (tags: opensource forums) [...] […] Top 10 Open Source Forums - 12 Months of Vulnerabilities | Dragos Lungu Dot Com (tags: opensource forums) […]

]]> By: Dragos Lungu http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-133 Dragos Lungu Mon, 11 Jun 2007 14:43:05 +0000 http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-133 Thanks dre, I will test some of these apps pretty soon and I'll post the results. As Ory pointed out, there are no "Zero vulnerability" applications out there; sometimes it's just harder to find those bugs :) Thanks dre, I will test some of these apps pretty soon and I’ll post the results. As Ory pointed out, there are no “Zero vulnerability” applications out there; sometimes it’s just harder to find those bugs :)

]]> By: dre http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-126 dre Sun, 10 Jun 2007 22:06:00 +0000 http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-126 OWASP runs vBulliten (this costs money btw), but then again - it also runs Wordpress for blogs and MediaWiki for the main site and these aren't exactly sure web applications. Andrew van der Stock (of OWASP fame) wrote his own secure forum software as well: http://www.ultimabb.com/ PunBB, SMF (Simple Machines), and Vanilla also have very good reputations for free forum software. For web-anything, I normally suggest JSPWiki (or something very similar) fronted by mod_security. I'd like to see JSPWiki or something very similar re-written in HDIV Struts with proper use of Validator everywhere. The most important aspect is to keep your fourm software up-to-date, especially after known vulnerabilities are released into the public. OWASP runs vBulliten (this costs money btw), but then again - it also runs Wordpress for blogs and MediaWiki for the main site and these aren’t exactly sure web applications.

Andrew van der Stock (of OWASP fame) wrote his own secure forum software as well: http://www.ultimabb.com/

PunBB, SMF (Simple Machines), and Vanilla also have very good reputations for free forum software.

For web-anything, I normally suggest JSPWiki (or something very similar) fronted by mod_security. I’d like to see JSPWiki or something very similar re-written in HDIV Struts with proper use of Validator everywhere.

The most important aspect is to keep your fourm software up-to-date, especially after known vulnerabilities are released into the public.

]]> By: Beehive Zero Vulnerabilities - Myth BUSTED | Dragos Lungu Dot Com http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-122 Beehive Zero Vulnerabilities - Myth BUSTED | Dragos Lungu Dot Com Sun, 10 Jun 2007 14:53:52 +0000 http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-122 [...] gets all the credit for this one and, again, I updated the forum vulnerabilities post [...] […] gets all the credit for this one and, again, I updated the forum vulnerabilities post […]

]]> By: BBpress XSS vulnerability | Dragos Lungu Dot Com http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-96 BBpress XSS vulnerability | Dragos Lungu Dot Com Thu, 07 Jun 2007 11:05:10 +0000 http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-96 [...] Ory Segal pointed out in his comment on the forum vulnerabilities post , the BBpress authentication page (bb-login.php) is home of a XSS [...] […] Ory Segal pointed out in his comment on the forum vulnerabilities post , the BBpress authentication page (bb-login.php) is home of a XSS […]

]]> By: Ory Segal http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-65 Ory Segal Sun, 03 Jun 2007 13:55:42 +0000 http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-65 I've sent you an email, let me know what you make of it I’ve sent you an email, let me know what you make of it

]]> By: Dragos Lungu http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-61 Dragos Lungu Fri, 01 Jun 2007 11:45:34 +0000 http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-61 Hi Ory, well, the list is based on secunia public vulnerabilities disclosures and I didn't inted to go into 0 day exploits. Now that you made me curious , I looked into bb-login.php and I couldn't find an exploitable XSS :( I'm posting the bb-login.php file : < ?php require('./bb-load.php'); $ref = wp_get_referer(); if ( 0 === strpos($ref, bb_get_option( 'uri' )) ) { $re = $_POST['re'] ? $_POST['re'] : $_GET['re']; if ( 0 !== strpos($re, bb_get_option( 'uri' )) ) $re = $ref . $re; } else $re = bb_get_option('uri'); nocache_headers(); if ( isset( $_REQUEST['logout'] ) ) { bb_logout(); wp_redirect( $re ); exit; } if ( !bb_is_user_logged_in() && !$user = bb_login( @$_POST['user_login'], @$_POST['password'] ) ) { $user_exists = bb_user_exists( @$_POST['user_login'] ); $user_login = user_sanitize ( @$_POST['user_login'] ); $redirect_to = wp_specialchars( $re, 1 ); bb_load_template( 'login.php', array('re', 'user_exists', 'user_login', 'redirect_to', 'ref') ); exit; } wp_redirect( $re ); ?> The user_sanitize function permits only a-z A-Z and 0-9 , so no luck with the username string. The $re parameter is appended to the current URL and although it seems an easy catch for a forceful redirect, the appended string starts with / which sucks . So please let me know which vulnerability have you spotted :) . Please email me (dragos@dragoslungu.com) or post it here and I will edit the post to reflect your findings. I would really appreciate . Hi Ory,
well, the list is based on secunia public vulnerabilities disclosures and I didn’t inted to go into 0 day exploits. Now that you made me curious , I looked into bb-login.php and I couldn’t find an exploitable XSS :(

I’m posting the bb-login.php file :

< ?php
require('./bb-load.php');

$ref = wp_get_referer();

if ( 0 === strpos($ref, bb_get_option( 'uri' )) ) {
$re = $_POST['re'] ? $_POST['re'] : $_GET['re'];
if ( 0 !== strpos($re, bb_get_option( 'uri' )) )
$re = $ref . $re;
} else
$re = bb_get_option('uri');

nocache_headers();

if ( isset( $_REQUEST['logout'] ) ) {
bb_logout();
wp_redirect( $re );
exit;
}

if ( !bb_is_user_logged_in() && !$user = bb_login( @$_POST['user_login'], @$_POST['password'] ) ) {
$user_exists = bb_user_exists( @$_POST['user_login'] );
$user_login = user_sanitize ( @$_POST['user_login'] );
$redirect_to = wp_specialchars( $re, 1 );
bb_load_template( 'login.php', array('re', 'user_exists', 'user_login', 'redirect_to', 'ref') );
exit;
}

wp_redirect( $re );
?>

The user_sanitize function permits only a-z A-Z and 0-9 , so no luck with the username string.
The $re parameter is appended to the current URL and although it seems an easy catch for a forceful redirect, the appended string starts with / which sucks .

So please let me know which vulnerability have you spotted :) . Please email me (dragos@dragoslungu.com) or post it here and I will edit the post to reflect your findings.

I would really appreciate .

]]> By: Ory Segal http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-55 Ory Segal Thu, 31 May 2007 12:59:38 +0000 http://www.dragoslungu.com/2007/05/30/top-10-open-source-bulletin-boards-12-months-of-vulnerabilities/#comment-55 Hello Dragos, Hold the press - from a 2 minutes review of BBPress (which in your research yielded 0 vulnerabilities), I can already tell you that the login page contains a XSS vulnerability. (I am talking about the latest version of BBPress here). Check out the source code of bb-login.php, and you'll figure it out. (it's exploitable). Bottom line, I haven't seen a single BB app lately, that doesn't contain any vulnerabilities :-) Hope this helps, -Ory Segal Hello Dragos,

Hold the press - from a 2 minutes review of BBPress (which in your research yielded 0 vulnerabilities), I can already tell you that the login page contains a XSS vulnerability. (I am talking about the latest version of BBPress here).

Check out the source code of bb-login.php, and you’ll figure it out. (it’s exploitable).
Bottom line, I haven’t seen a single BB app lately, that doesn’t contain any vulnerabilities :-)

Hope this helps,
-Ory Segal

]]>