[buddypress-trac] [BuddyPress Trac] #8404: Html code injection buddypress.org
buddypress-trac
noreply at wordpress.org
Fri Nov 27 15:37:48 UTC 2020
#8404: Html code injection buddypress.org
----------------------------------+------------------------------
Reporter: zeldatea | Owner: johnjamesjacoby
Type: defect (bug) | Status: accepted
Priority: high | Milestone: 6.4.0
Component: BuddyPress.org Sites | Version:
Severity: minor | Resolution:
Keywords: has-patch |
----------------------------------+------------------------------
Changes (by johnjamesjacoby):
* keywords: => has-patch
* priority: normal => high
* status: new => accepted
* severity: normal => minor
* milestone: BuddyPress.org Sites => 6.4.0
Comment:
Hello @zeldatea,
Thanks for alerting us to your findings. Unfortunately, the public Trac is
not the place to report security concerns, because it makes it easy for
others to publicly exploit things before our team has an opportunity to
fix them.
Please use HackerOne in the future: http://hackerone.com/wordpress
In addition, it's against the WordPress.org rules to run penetration tests
on the live sites. Leaving live pages defaced could allow others to
reverse engineer what you've left behind.
Specific to this issue, I've traced it back to #5625, and it actually
appears to be working as intended at the time, though I suspect that the
consequences you've discovered were simply not considered at the time.
@imath has patched this in a way that I am signing off on. It could be
considered a backwards compatibility break, but in this instance I believe
it's more important to be safe than flexible, simply due to the vandalism
that users could cause with it remaining as-is or similar.
Patches & commits imminent.
Thank you again @zeldatea and @imath.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/8404#comment:3>
BuddyPress Trac <http://buddypress.org/>