Critical Security Issues (Private Posts show in Search Results)


  • Justin
    Participant

    @jhf12

    We have discovered a critical security issue with bbpress that really needs an immediate fix.

    Users submit sensitive information to us using PRIVATE posts – which works fine. However, these posts show as VISIBLE when using the built-in Forum search!

    We had to remove the search function from our forum until this is fixed.

    Quite honestly, I would expect this to be a #1 priority for fixing.

Viewing 5 replies - 1 through 5 (of 5 total)

  • Justin
    Participant

    @jhf12

    Any update on this? (Or a response at least…)


  • John James Jacoby
    Keymaster

    @johnjamesjacoby

    What do you mean by “private posts”?

    bbPress doesn’t enable private topics or replies out of the box. What little support it does have, still allows for administrators to search for and see any non-trashed topics or replies.

    Are you using a third party plugin to enable this private posting functionality?

    I don’t really see this as a security vulnerability, so much as you’re using bbPress in a neat way that isn’t quite finished for your needs yet.

    If we need to add support for something that isn’t possible yet, we’re happy to do it. A little bit more information will be helpful so we can suss it out.


  • John James Jacoby
    Keymaster

    @johnjamesjacoby

    Any updates here?


  • Justin
    Participant

    @jhf12

    Hi John-

    Sorry for the delay. The add-on I was referring to was this:

    http://wordpress.org/plugins/bbpress-private-replies/

    It appears it is not compatible with the current version of bbpress in that the replies that are marked as “private” are in fact viewable by users without Admin permissions if using the Search function.

    I suspect Pippin would be the one to contact for this?
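    The failure mode described in this post is a classic one: the plugin hides private replies in the normal thread view, but the forum search runs its own WP_Query that the plugin never filters, so the same rows come back to anyone who searches. The snippet below is an added hardening example written for this thread; it is not code from bbPress, from the Private Replies plugin, or from either poster. It assumes (and this is an assumption, not something the thread states) that the plugin marks a reply as private with a post-meta key `_bbp_reply_is_private` set to `1`; change the constant if the real key differs. It hooks WordPress's `pre_get_posts`, which fires for the WP_Query that bbPress builds for search, and excludes flagged replies for any user without bbPress's `moderate` capability.

```php
<?php
/**
 * Hardening example (not the plugin's or bbPress's own code): keep replies
 * flagged as private out of bbPress forum search results for users who
 * cannot moderate.
 *
 * ASSUMPTION: the private flag lives in reply post meta under the key
 * '_bbp_reply_is_private' with the value '1'. Adjust to the real key.
 */

define( 'EXAMPLE_PRIVATE_REPLY_META_KEY', '_bbp_reply_is_private' ); // assumed key

add_action( 'pre_get_posts', 'example_hide_private_replies_from_search' );

function example_hide_private_replies_from_search( WP_Query $query ) {
    // Only act on search queries, and only when bbPress is loaded.
    if ( ! $query->is_search() || ! function_exists( 'bbp_get_reply_post_type' ) ) {
        return;
    }

    // Only queries that can return bbPress replies need the filter.
    $post_types = (array) $query->get( 'post_type' );
    if ( ! in_array( bbp_get_reply_post_type(), $post_types, true )
        && ! in_array( 'any', $post_types, true ) ) {
        return;
    }

    // Moderators (bbPress 'moderate' capability) are allowed to see everything.
    if ( current_user_can( 'moderate' ) ) {
        return;
    }

    // A reply passes if it has no private flag, or the flag is not '1'.
    $private_filter = array(
        'relation' => 'OR',
        array( 'key' => EXAMPLE_PRIVATE_REPLY_META_KEY, 'compare' => 'NOT EXISTS' ),
        array( 'key' => EXAMPLE_PRIVATE_REPLY_META_KEY, 'value' => '1', 'compare' => '!=' ),
    );

    // Preserve any meta_query the caller already set and AND ours onto it.
    $existing = (array) $query->get( 'meta_query' );
    $query->set(
        'meta_query',
        empty( $existing )
            ? array( $private_filter )
            : array( 'relation' => 'AND', $existing, $private_filter )
    );
}
```

    Two caveats for anyone adapting this. First, it is a query-level filter, so it is deliberately not conditioned on `is_main_query()`: the bbPress search query is a secondary query and would be skipped otherwise. Second, a non-moderator's own private replies are also hidden from their search results, because WP_Query cannot express "author is me OR not private" in a meta_query alone; a plugin that wants authors to find their own private replies would need a `posts_where` clause for that. Keeping the reply template's own visibility check in place as well gives defence in depth, so a future query path that bypasses this hook still does not leak the reply body.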


  • John James Jacoby
    Keymaster

    @johnjamesjacoby

    I suspect Pippin would be the one to contact for this?

    Exactly correct.
