Vanilla Forums: Community Forums Evolved
Addons Community Documentation Blog Download HostingStart Using Vanilla today

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In with Facebook Sign In with Google Sign In with OpenID Sign In with Twitter
Sign In Register

Categories

In this Discussion

Is anyone concerned about this? Has this been tested?

Best Answers

Answers

  • johnny_njohnny_n newb

    No problem -- the subject line is terrible, don't know what possessed me to write something like that -- should be "SECURITY WARNING".

    Sheilaleafmonster
    Flag Off Topic Insightful 2Awesome LOL
  • peregrineperegrine MVP

    here's a suggested change to the code to prevent the xss mentioned in this exploit. http://www.henryhoggard.co.uk/security/vanilla-poll-stored-xss/

    here is a suggested security fix to the poll plugin

    change around line 85 .

class.pollmodule.php


   <?if (!empty($this->_PollData)):?>
       <br />
       <h5><?= stripslashes($this->_PollData->title)?></h5>
       <ul class="poll-answers">
       <? foreach ($this->_PollAnswers->Result() as $Answer):?>
       <? $Percentage =  floor(($Answer->votes / $this->_PollVotes) * 100)?>
       <li class="answer-block">
       <?= Anchor(stripslashes($Answer->title), 'vanilla/discussion/poll/'.$this->_PollData->id.'/vote/'.$Answer->id)?>



to this

<?if (!empty($this->_PollData)):?>
       <br />
        <?php $this->_PollData->title = htmlspecialchars($this->_PollData->title);?>
       <h5><?= stripslashes($this->_PollData->title)?></h5>
       <ul class="poll-answers">
       <? foreach ($this->_PollAnswers->Result() as $Answer):?>
       <? $Percentage =  floor(($Answer->votes / $this->_PollVotes) * 100)?>
       <li class="answer-block">
       <?php $Answer->title = htmlspecialchars($Answer->title);?>
       <?= Anchor(stripslashes($Answer->title), 'vanilla/discussion/poll/'.$this->_PollData->id.'/vote/'.$Answer->id)?>


After the above change the javascript alert box won't pop-up if you enter

<script>alert('xss')</script>  

``into the title or the answers.

    factoid: Most questions have been previously answered, try the search box first, please provide your Vanilla version Number!

    Peregrine's Addons - donations gladly accepted for "successful solutions" and addons - kind of like tipping a waiter at a restaurant

    Flag Off Topic Insightful Awesome LOL
Sign In or Register to comment.