
Cross-site scripting vulnerability: MANAGE SUBSCRIPTIONS #431

Closed
brabbins opened this issue Aug 1, 2018 · 14 comments

3 participants
@brabbins

commented Aug 1, 2018

Recently we had a security audit on one of our websites and this plugin showed a cross-site scripting vulnerability. From what I could tell this is happening on the MANAGE SUBSCRIPTIONS/comment-subscriptions page when JS is turned off and in the email input field. I was able to submit script tags and JS.

@Reedyseth

Member

commented Aug 2, 2018

Hello @brabbins, thank you for your report. StCR has validation in both JS and PHP, so I am not aware of this new report. Can you add a detailed explanation of how you found the vulnerability?

Regards.!!

@brabbins

Author

commented Aug 2, 2018

If you would like, I could email you directly.

@Reedyseth

Member

commented Aug 2, 2018

Yes please, reedyseth {at) gmail 'dot' com

@jnorell

Contributor

commented Sep 27, 2018

Did this ever get sorted out?

@jnorell

Contributor

commented Sep 27, 2018

A few minutes of testing indicates no, this has not been fixed.

@brabbins

Author

commented Sep 28, 2018

Unfortunately I have not heard back from the developer for quite some time.

@jnorell

Contributor

commented Sep 28, 2018

@Reedyseth

Member

commented Sep 28, 2018

Hi guys, sorry that I have not been paying attention to this important matter. I have a development version of the plugin that is very different from the master branch; I will give you an answer once I see whether this is covered in the dev version.

https://github.com/stcr/subscribe-to-comments-reloaded/tree/development

jnorell added a commit to jnorell/subscribe-to-comments-reloaded that referenced this issue Sep 28, 2018

@jnorell

Contributor

commented Sep 28, 2018

This seems to address the specific issue and at least one other (a similar issue with the email coming from a cookie rather than a form field) and does a little sanity encoding/sanitizing (I think it fixed another issue for me in subscriptions, too :)

@brabbins - thanks for this; if you have any other issues from this or future security audits, please send the info.

@Reedyseth I haven't tried that branch; we're working towards something we can deploy soon, what's the current status of the development branch, at all usable or ?? thanks!
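The two input paths mentioned above (the no-JS form field and the cookie) share one defensive pattern: validate on input, encode on output. The snippet below is an added illustration written for this thread, not the plugin's own code or the linked commit; the cookie name is a placeholder and the WordPress helpers used (`wp_unslash`, `sanitize_email`, `is_email`, `esc_attr`) are core functions.

```php
<?php
// Added example, not the plugin's code. Shows why an email value reflected into
// the Manage Subscriptions form must be escaped whether it comes from the
// no-JS POST fallback or from a cookie. 'example_subscriber_email' is a
// placeholder cookie name, not the plugin's real one.

// BEFORE: the raw value is concatenated straight into an HTML attribute.
// Any quote or angle bracket in it breaks out of value="..." (reflected XSS).
function render_email_field_unsafe() {
    $email = isset( $_POST['email'] )
        ? $_POST['email']
        : ( $_COOKIE['example_subscriber_email'] ?? '' );
    return '<input type="text" name="email" value="' . $email . '">';
}

// AFTER: validate the value as an email address on the way in, and always
// attribute-encode it on the way out. Either layer alone blocks this bug;
// together they also keep junk out of anything later stored or mailed.
function render_email_field_safe() {
    $raw = isset( $_POST['email'] )
        ? (string) $_POST['email']
        : (string) ( $_COOKIE['example_subscriber_email'] ?? '' );

    // WordPress adds magic-quote slashes to superglobals; strip them first.
    $email = sanitize_email( wp_unslash( $raw ) );

    // sanitize_email() only strips disallowed characters; is_email() rejects
    // anything that still does not look like an address, so nothing
    // resembling markup survives to the output stage.
    if ( ! is_email( $email ) ) {
        $email = '';
    }

    // esc_attr() HTML-encodes quotes and angle brackets for attribute context.
    return '<input type="text" name="email" value="' . esc_attr( $email ) . '">';
}
```

The same output-encoding rule applies anywhere else the address is echoed (for example in confirmation text, where `esc_html()` rather than `esc_attr()` is the right helper).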

@Reedyseth

Member

commented Sep 28, 2018

towards something we can deploy soon, what's the current status of the development branch, at all usabl

Not usable for jr. developers, it changed a lot from the master branch and it needs some setup.

@jnorell

Contributor

commented Oct 11, 2018

@Reedyseth, in case you didn't see the note above, there is a merge request to fix this issue.

@jnorell

Contributor

commented Nov 23, 2018

@Reedyseth, did you have any questions or concerns with this fix? You might want to push a version update with it, rather than waiting for the development branch to stabilize?

Thanks,
Jesse

@Reedyseth

Member

commented Dec 13, 2018

Hi guys, the code is already added to the dev version 2f37d33 and I will be releasing it next week.

Best regards.!!

@jnorell

Contributor

commented Dec 13, 2018

Thanks @Reedyseth !

@Reedyseth Reedyseth closed this Dec 21, 2018
