#8404 closed defect (bug) (fixed)
HTML code injection on buddypress.org
| Reported by: | zeldatea | Owned by: | johnjamesjacoby |
|---|---|---|---|
| Milestone: | 6.4.0 | Priority: | high |
| Severity: | minor | Version: | |
| Component: | BuddyPress.org Sites | Keywords: | has-patch |
| Cc: | | | |
Description
Hello.
I found a small bug on my profile page. I don't think that it's a security bug, though maybe it is.
It only broke my page, not other users' pages.
Go to my profile on buddypress.org.
Edit the profile and, in the field "About me" or "WordPress Origin Story", insert this code:
<span style="background-color:dodgerblue;color:white;padding:3000000px;border:30px solid red">Текст</span>
Update the profile and you can see a simple stored HTML code injection.
Example on my profile page:
https://buddypress.org/members/zeldatea/profile/
How to use this? Hard question. Right now I don't see a way to use this.
I often see such bugs in different SMS with the span tag. As an example: if this is possible on the forum, then using the span tag you can not only deface the page but also spoil a large topic and prevent users from communicating and reading in that topic.
But on the buddypress.org forum it doesn't work.
Best regards!
Vincent
Attachments (1)
Change History (6)
#2
4 years ago
- Component changed from Core to BuddyPress.org Sites
- Milestone changed from Awaiting Review to BuddyPress.org Sites
- Owner set to johnjamesjacoby
- Version 6.3.0 deleted
#3
4 years ago
- Keywords has-patch added
- Milestone changed from BuddyPress.org Sites to 6.4.0
- Priority changed from normal to high
- Severity changed from normal to minor
- Status changed from new to accepted
Hello @zeldatea,
Thanks for alerting us to your findings. Unfortunately, the public Trac is not the place to report security concerns, because it makes it easy for others to publicly exploit things before our team has an opportunity to fix them.
Please use HackerOne in the future: http://hackerone.com/wordpress
In addition, it's against the WordPress.org rules to run penetration tests on the live sites. Leaving live pages defaced could allow others to reverse engineer what you've left behind.
Specific to this issue, I've traced it back to #5625, and it actually appears to be working as intended at the time, though I suspect that the consequences you've discovered were simply not considered at the time.
@imath has patched this in a way that I am signing off on. It could be considered a backwards compatibility break, but in this instance I believe it's more important to be safe than flexible, simply due to the vandalism that users could cause with it remaining as-is or similar.
Patches & commits imminent.
Thank you again @zeldatea and @imath.
Hmm.. there we have HTML too.. Here we have more options, because we have access to the input tag and forms.
Test the form and input tags.
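An added example, not code from BuddyPress or from anyone in this ticket: a small allow-list sanitizer in Python that keeps the simple inline tags a profile field might need but drops the `style` attribute that let the `<span>` payload in the description deface the page, and renders the `form` and `input` tags mentioned in the last comment as literal text instead of markup. The allow list, the `SAFE_HREF` prefixes and the function names are assumptions constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
# Constructed allow list for this example (not BuddyPress's own configuration):
# the tags a profile field may keep and the attributes each may carry. `style`
# is deliberately absent, since inline CSS is what let a <span> deface the page.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "em": set(),
           "strong": set(), "span": set()}
SAFE_HREF = ("http://", "https://", "mailto:")

class ProfileFieldSanitizer(HTMLParser):
    # Keeps only allow-listed tags/attributes: other tags (form, input, script...)
    # become literal text, style=/on*= are dropped, unbalanced nesting is repaired.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.out.append(escape(self.get_starttag_text()))  # show, don't render
            return
        kept = ""
        for name, value in attrs:
            ok = name in ALLOWED[tag]                     # drops style=, onclick=...
            if name == "href":                            # ...and javascript:/data: URLs
                ok = ok and (value or "").lower().startswith(SAFE_HREF)
            if ok:
                kept += f' {name}="{escape(value or "", quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:                         # stray or disallowed close
            self.out.append(escape(f"</{tag}>"))
            return
        while True:                                       # close intermediates too
            closed = self.stack.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize_profile_field(raw: str) -> str:
    p = ProfileFieldSanitizer()
    p.feed(raw)
    p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.stack))  # close what was left open
    return "".join(p.out)
```

Run on the payload from the description, the stored value becomes `<span>Текст</span>`, so the text survives but the padding and border that broke the page layout do not.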