BuddyPress.org

Opened 5 months ago

Closed 5 months ago

#8404 closed defect (bug) (fixed)

HTML code injection buddypress.org

Reported by: zeldatea
Owned by: johnjamesjacoby
Milestone: 6.4.0
Priority: high
Severity: minor
Version:
Component: BuddyPress.org Sites
Keywords: has-patch
Cc:

Description

Hello.
I found a small bug on my profile page. I don't think it's a security bug.
It only breaks my page, but not other users' pages.

Go to my profile on buddypress.org.

Edit the profile and, in the field "About me" or "WordPress Origin Story", insert this code:

<span style="background-color:dodgerblue;color:white;padding:3000000px;border:30px solid red">Текст</span>

Update the profile and you can see the stored simple HTML code injection.
Example on my profile page:
https://buddypress.org/members/zeldatea/profile/

How to use this? Hard question. Right now I don't see a way to use this.
I often see such bugs in different SMS with the span tag. As an example, if this were possible on the forum, then using the span tag you could not only deface the page, but also spoil a large topic and prevent users from communicating and reading in that topic.
But on the buddypress.org forum it doesn't work.

Best Regards!

Vincent

https://pentestvincent.blogspot.com/

Attachments (1)

8404.patch (754 bytes) - added by johnjamesjacoby 5 months ago.
From @imath:


Change History (6)

#1 @zeldatea
5 months ago

Hmm.. there we also have HTML.. Here we have more options, because we have access to the input tag and forms.

Testing the form and input tags.

Please login and password and what you have else:
Username:
Password:

#2 @imath
5 months ago

  • Component changed from Core to BuddyPress.org Sites
  • Milestone changed from Awaiting Review to BuddyPress.org Sites
  • Owner set to johnjamesjacoby
  • Version 6.3.0 deleted

#3 @johnjamesjacoby
5 months ago

  • Keywords has-patch added
  • Milestone changed from BuddyPress.org Sites to 6.4.0
  • Priority changed from normal to high
  • Severity changed from normal to minor
  • Status changed from new to accepted

Hello @zeldatea,

Thanks for alerting us to your findings. Unfortunately, the public Trac is not the place to report security concerns, because it makes it easy for others to publicly exploit things before our team has an opportunity to fix them.

Please use HackerOne in the future: http://hackerone.com/wordpress

In addition, it's against the WordPress.org rules to run penetration tests on the live sites. Leaving live pages defaced could allow others to reverse engineer what you've left behind.

Specific to this issue, I've traced it back to #5625, and it actually appears to be working as intended at the time, though I suspect that the consequences you've discovered were simply not considered at the time.

@imath has patched this in a way that I am signing off on. It could be considered a backwards compatibility break, but in this instance I believe it's more important to be safe than flexible, simply due to the vandalism that users could cause with it remaining as-is or similar.

Patches & commits imminent.

Thank you again @zeldatea and @imath.

@johnjamesjacoby
5 months ago

From @imath:

#4 @johnjamesjacoby
5 months ago

In 12806:

XProfile: only allow "style" attributes in richtext fields for capable users

This commit prevents non-capable users from adding style attributes to "span" and "p" elements in their profile fields, which could be used in unintended ways relative to when it was introduced in #5625.

Note that this could be considered a backwards compatibility break. If you are a site owner or developer who relied on this functionality, you will want to use the xprofile_allowed_tags filter to re-enable these attributes.

In trunk for 7.0. See #8404.

#5 @johnjamesjacoby
5 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 12807:

XProfile: only allow "style" attributes in richtext fields for capable users

This commit prevents non-capable users from adding style attributes to "span" and "p" elements in their profile fields, which could be used in unintended ways relative to when it was introduced in #5625.

Note that this could be considered a backwards compatibility break. If you are a site owner or developer who relied on this functionality, you will want to use the xprofile_allowed_tags filter to re-enable these attributes.

In branches/6.0 for 6.4.0. Fixes #8404.

Props imath, zeldatea.
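As an added example (not the 8404 patch or BuddyPress's own code), this is the kind of site-owner snippet the commit message points to: it hooks the xprofile_allowed_tags filter so ordinary members keep the hardened list, while users holding the WordPress unfiltered_html capability get the "style" attribute back on span and p. The filter's single-argument signature, the tag => attribute => true array shape, and the choice of unfiltered_html as the gating capability are assumptions.

```php
<?php
/**
 * Added example, not BuddyPress's own code: re-enable the "style" attribute on
 * <span> and <p> in xProfile rich-text fields only for capable users. Everyone
 * else keeps the restricted allowed-tags list introduced by the fix.
 *
 * Assumptions: the filter receives a wp_kses-style array (tag => attribute => true)
 * as its first argument, and unfiltered_html is the capability this site gates on.
 */
function example_xprofile_style_for_capable_users( $allowed_tags ) {
    // Ordinary members: return the restricted list exactly as BuddyPress built it.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        return $allowed_tags;
    }

    foreach ( array( 'span', 'p' ) as $tag ) {
        if ( empty( $allowed_tags[ $tag ] ) || ! is_array( $allowed_tags[ $tag ] ) ) {
            $allowed_tags[ $tag ] = array();
        }
        // Allow the attribute; WordPress still runs its value through its CSS filter.
        $allowed_tags[ $tag ]['style'] = true;
    }

    return $allowed_tags;
}
add_filter( 'xprofile_allowed_tags', 'example_xprofile_style_for_capable_users' );

/**
 * Illustration only (constructed call, not part of the filter): sanitizing the
 * ticket's payload with a hardened list keeps the <span> but drops its style
 * attribute, so the oversized padding and border can no longer break the page.
 */
function example_show_hardened_result() {
    $hardened = array(
        'span' => array(),
        'p'    => array(),
    );
    $payload = '<span style="padding:3000000px;border:30px solid red">Text</span>';

    return wp_kses( $payload, $hardened );
}
```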
