Drafts are vulnerable & contain very limited XSS #1672

Closed
linc opened this issue Aug 25, 2013 · 0 comments
linc commented Aug 25, 2013

1 - Vanilla Drafts Insecure Permissions Vulnerability

To view other people's drafts: make a draft on one account and it will make a URL like /index.php?p=/post/editdiscussion/0/5 which any member can access.

2 - Drafts XSS (Low risk, only triggers on your own draft page)

Set XSS as the title of a discussion, Save as Draft, view the Drafts page.

ALL BRANCHES - backport to 2.0

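The two defects in this report side by side, as an added illustration that is not Vanilla's own code: an in-memory draft store and a session user ID stand in for the real models, and the field and function names here are hypothetical.

```php
<?php
// Added example, not Vanilla's code. Constructed sample data: draft 5 belongs
// to user 7, draft 6 to user 9. 'InsertUserID' is a hypothetical owner field.
$drafts = [
    5 => ['DraftID' => 5, 'InsertUserID' => 7, 'Name' => 'My draft'],
    6 => ['DraftID' => 6, 'InsertUserID' => 9, 'Name' => '<script>alert(1)</script>'],
];

// Vulnerable pattern (hypothetical name): any signed-in member who knows the
// draft ID gets the draft (defect 1), and the raw name is echoed into the
// page (defect 2). $sessionUserId is accepted but never consulted.
function editDraftVulnerable(array $drafts, int $draftId, int $sessionUserId): string
{
    $draft = $drafts[$draftId] ?? null;
    if ($draft === null) {
        return '404';
    }
    return '<h2>' . $draft['Name'] . '</h2>';
}

// Hardened pattern (hypothetical name): verify that the session user owns the
// draft before exposing it, and HTML-escape the name on output.
function editDraftSecure(array $drafts, int $draftId, int $sessionUserId): string
{
    $draft = $drafts[$draftId] ?? null;
    // Same response for "missing" and "not yours" so draft IDs cannot be enumerated.
    if ($draft === null || (int) $draft['InsertUserID'] !== $sessionUserId) {
        return '403';
    }
    return '<h2>' . htmlspecialchars($draft['Name'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h2>';
}

// User 7 requesting user 9's draft: leaked and unescaped vs. refused;
// user 9 viewing their own draft: the title is rendered as inert text.
echo "vulnerable, user 7 -> draft 6: ", editDraftVulnerable($drafts, 6, 7), PHP_EOL;
echo "secure,     user 7 -> draft 6: ", editDraftSecure($drafts, 6, 7), PHP_EOL;
echo "secure,     user 9 -> draft 6: ", editDraftSecure($drafts, 6, 9), PHP_EOL;
```

The two commits that closed this issue correspond to the two checks above: ownership verification in editdiscussion and filtering of draft names before display.
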
@linc linc closed this as completed in 062b041 Mar 15, 2014
linc added a commit that referenced this issue Mar 15, 2014
kasperisager added a commit that referenced this issue Mar 17, 2014
* master:
  Drafts: filter your draft names, closes #1672
  Drafts: verify ownership in editdiscussion for #1672
  Module: don't fatal if not visible
  Core: added check for JS library dependency in atmentions. Currently the atwho library only loads within the Vanilla application.
  Bump version to bust js cache.
  Fix logic problem where embed would only embed on connect pages rather than not embed on connect pages.
  Fire an event for a conversation with a specific type.
  Announce fix: array_merge renumbers numeric keys which reversed options on post form
  Version bump for js.
  PromotedContent: typo in helper_functions
  PromotedContent module: typos
  merge core:stage file into master.
  Getty embed: addtl chars allowed
  Getty image support
  Pass strings through T() for translations
kasperisager added a commit that referenced this issue Mar 19, 2014
kasperisager added a commit that referenced this issue Mar 26, 2014
kasperisager added a commit that referenced this issue Mar 26, 2014
kasperisager added a commit that referenced this issue Mar 26, 2014
wilson29thid pushed a commit to 29th/vanilla that referenced this issue Dec 27, 2014
wilson29thid pushed a commit to 29th/vanilla that referenced this issue Dec 27, 2014
wilson29thid pushed a commit to 29th/vanilla that referenced this issue Dec 27, 2014