[Bb-trac] Re: [bbPress] #874: strip_tags should be replaced with an
enhanced anti-xss function
bbPress
bb-trac at lists.bbpress.org
Tue May 6 07:16:44 GMT 2008
#874: strip_tags should be replaced with an enhanced anti-xss function
-------------------------+--------------------------------------------------
 Reporter:  _ck_         |        Owner:
     Type:  enhancement  |       Status:  closed
 Priority:  low          |    Milestone:
Component:  Back-end     |      Version:
 Severity:  minor        |   Resolution:  invalid
 Keywords:               |
-------------------------+--------------------------------------------------
Changes (by mdawaffe):
* status: reopened => closed
* resolution: => invalid
Comment:
It may very well be that there is an XSS or other security bug in bbPress.
This does not appear to be the result of an XSS attack, though. Or at
least, not only an XSS attack.
There is no user generated content below the closing HTML tag, so the
script tag is, as you note, probably directly in the template. That means
that, if it is malicious content, the person who put it there would have
to have had server access.
Also note that there are only 5 users registered on the forums, and all
"look" legitimate. The only anonymously submitted content in bbPress that
I can think of is login/registration and search, both of which appear to
be well escaped.
All the content is from over a year ago, meaning the code is likely old as
well. There have been a few minor security bugs in bbPress in that
timeframe, some of which may have been escalatable.
This is a good find, but seeing one potentially hacked site doesn't point
to a specific bug. I agree bbPress could do with a security review,
though.
Please open specific tickets for specific code bugs.
--
Ticket URL: <http://trac.bbpress.org/ticket/874#comment:4>
bbPress <http://bbpress.org/>
Innovative forum development