Comments on: BBpress XSS vulnerability http://www.dragoslungu.com/2007/06/07/bbpress-xss-vulnerability/ Security Tools and Tips Thu, 20 Nov 2008 16:01:16 +0000 http://wordpress.org/?v=2.2.2 By: Sam Bauers http://www.dragoslungu.com/2007/06/07/bbpress-xss-vulnerability/#comment-251 Sam Bauers Thu, 21 Jun 2007 01:52:54 +0000 http://www.dragoslungu.com/2007/06/07/bbpress-xss-vulnerability/#comment-251 This has been fixed in version 0.8.2.1 of bbPress. Back to zero vulnerabilities. This has been fixed in version 0.8.2.1 of bbPress.

Back to zero vulnerabilities.

]]> By: Dragos Lungu http://www.dragoslungu.com/2007/06/07/bbpress-xss-vulnerability/#comment-132 Dragos Lungu Mon, 11 Jun 2007 13:03:23 +0000 http://www.dragoslungu.com/2007/06/07/bbpress-xss-vulnerability/#comment-132 @Jordan Yes, the referral check was the big show stopper for a 0 day announcement :) However, validating the $re variable takes only one line of code just like it's done with the user login : $user_login = user_sanitize ( @$_POST['user_login'] ); @Jordan
Yes, the referral check was the big show stopper for a 0 day announcement :)
However, validating the $re variable takes only one line of code just like it’s done with the user login :
$user_login = user_sanitize ( @$_POST[’user_login’] );

]]> By: Jordan http://www.dragoslungu.com/2007/06/07/bbpress-xss-vulnerability/#comment-130 Jordan Mon, 11 Jun 2007 11:03:58 +0000 http://www.dragoslungu.com/2007/06/07/bbpress-xss-vulnerability/#comment-130 Still, the fact that they are doing referer checking somewhat mitigates the attack. Sure, there's a couple of hacks around it, but generally speaking it makes actually implementing this attack in the wild much more difficult than it would have otherwise. Defense in depth, right? Still, the fact that they are doing referer checking somewhat mitigates the attack. Sure, there’s a couple of hacks around it, but generally speaking it makes actually implementing this attack in the wild much more difficult than it would have otherwise. Defense in depth, right?

]]> By: Ory Segal http://www.dragoslungu.com/2007/06/07/bbpress-xss-vulnerability/#comment-119 Ory Segal Sun, 10 Jun 2007 11:58:58 +0000 http://www.dragoslungu.com/2007/06/07/bbpress-xss-vulnerability/#comment-119 http://blog.watchfire.com/wfblog/2007/06/a_few_blurbs.html http://blog.watchfire.com/wfblog/2007/06/a_few_blurbs.html

]]> By: Top 10 Open Source Forums - 12 Months of Vulnerabilities | Dragos Lungu Dot Com http://www.dragoslungu.com/2007/06/07/bbpress-xss-vulnerability/#comment-97 Top 10 Open Source Forums - 12 Months of Vulnerabilities | Dragos Lungu Dot Com Thu, 07 Jun 2007 11:06:24 +0000 http://www.dragoslungu.com/2007/06/07/bbpress-xss-vulnerability/#comment-97 [...] : BBpress XSS Vulnerability Beehive : [...] […] : BBpress XSS Vulnerability Beehive : […]

]]>