
SECURITY WARNING: stop using Private Messaging plugin


  • _ck_
    Participant

    @_ck_

    If you are using the Private Messaging plugin

    by Joshua Hutchins / ardentfrost.rayd.org

    or even Detective’s mod version of it, you need to take it offline immediately.

    There are some very serious, multiple security problems with it.

    If you are running it, your site can easily be hacked.

    Please take this warning seriously, it’s not worth the headache.

    Make sure you delete not only the plugin file

    but the additional files it uses in the bbPress root.

Viewing 16 replies - 26 through 41 (of 41 total)

  • citizenkeith
    Participant

    @citizenkeith

    Ever since adding _ck_’s security update, we’ve been having a lot of problems with undelivered PMs. Last night I tried to send a forum member a PM about five times, and he never received it. After sending, I would scroll down to check my Sent Messages and none of them were there.

    I’m running bbPress 0.9.0.3 with Private Messaging 0.80.


    _ck_
    Participant

    @_ck_

    It’s possible because I was testing it on 1.0 that 1.0 automatically escapes the mysql values passed and that 0.9 does not. I can’t remember.

    Try adding this before the $bbdb->query

    $pmtitle=mysql_real_escape_string($pmtitle);
    $message=mysql_real_escape_string($message);

    and see if it helps or if it just adds slashes to your text instead and breaks it.

    It may also be a quote problem but I thought the bbpress pre/post text filters should encode quote or any other problematic characters.
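    The same INSERT written with a bound parameter, as an added example that is not from the thread or the plugin: binding the values removes the guessing about whether the bbPress core auto-escapes (1.0) or not (0.9), and the second insert shows the "adds slashes and breaks it" failure mode when text is pre-escaped on top of that. It assumes PDO with an in-memory SQLite table that mirrors the plugin's columns (no table prefix).

```php
<?php
// Added example, not the plugin's code. Stores a PM row with bound parameters
// instead of interpolating $pmtitle/$message into the SQL string, so quotes
// and backslashes in the message can neither break the query nor alter it.
// Assumes an in-memory SQLite table named privatemessages (constructed below).

function pm_store_message(PDO $db, int $id_sender, int $id_receiver,
                          string $pmtitle, string $message): int {
    $pmtitle = substr(strip_tags($pmtitle), 0, 64);   // same limits as the plugin
    $message = substr($message, 0, 2048);
    $stmt = $db->prepare(
        'INSERT INTO privatemessages (id_sender, id_receiver, pmtitle, message, created_on)
         VALUES (:sender, :receiver, :title, :body, :created)'
    );
    $stmt->execute([
        ':sender'   => $id_sender,
        ':receiver' => $id_receiver,
        ':title'    => $pmtitle,
        ':body'     => $message,
        ':created'  => gmdate('Y-m-d H:i:s'),
    ]);
    return (int) $db->lastInsertId();
}

function pm_fetch_body(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT message FROM privatemessages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE privatemessages (id INTEGER PRIMARY KEY AUTOINCREMENT,
           id_sender INT, id_receiver INT, pmtitle TEXT, message TEXT, created_on TEXT)');

// Constructed input containing the characters that break a quoted, interpolated
// INSERT: an apostrophe, double quotes and a backslash.
$body = "Don't forget: the path is C:\\bbpress\\ and it's \"quoted\"";
$id   = pm_store_message($db, 7, 12, "Re: O'Brien's question", $body);
echo (pm_fetch_body($db, $id) === $body) ? "stored intact\n" : "MANGLED\n";

// Pre-escaping the text and then binding it (the double-escaping case from the
// thread) stores literal backslashes, so the read-back no longer matches.
$id2 = pm_store_message($db, 7, 12, 'double', addslashes($body));
echo (pm_fetch_body($db, $id2) === $body) ? "stored intact\n" : "extra backslashes stored\n";
```

    Run it with a PHP build that has the pdo_sqlite extension; the first line should read "stored intact" and the second "extra backslashes stored".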


    citizenkeith
    Participant

    @citizenkeith

    That seems to work. We’re still testing it out but I think we’re in the clear.

    That said, I also added Anne’s notification hack, and we’re not getting any notifications.


    _ck_
    Participant

    @_ck_

    If the notification sends any part of the actual message, keep in mind the messages now contain html and may get rejected by spam filters. Other than that, I dunno.

    Also you’d have to send the email notification BEFORE you do the escape if you send the message or title in the message (or save the original to different strings).


    citizenkeith
    Participant

    @citizenkeith

    Anne,

    Can you tell me where specifically to put your email notification hack? I’m not well versed in PHP or coding in general (outside of HTML/CSS). Thanks!

    Hi Citizenkeith, I just saw this now… you’d put the hack at the end of pm_new_message. So my function now looks like this:

    function pm_new_message( $id_receiver, $id_sender, $pmtitle, $message ){
        global $bbdb, $bb_table_prefix;

        $created_on = bb_current_time('mysql');
        $id_receiver = intval($id_receiver);
        $id_sender = intval($id_sender);

        // Cap the title and body, then run the body through the bbPress post filters
        $pmtitle=substr(strip_tags($pmtitle),0,64);
        remove_filter('pre_post', 'post_regulation');
        $message=substr($message,0,2048);
        $message=force_balance_tags($message);
        $message=apply_filters('pre_post',$message,0,0);
        $message=apply_filters('post_text',$message,0);

        // On bbPress 0.9 add _ck_'s mysql_real_escape_string() lines here (see the
        // reply above) and keep copies of the unescaped strings for the e-mail below
        $bbdb->query("INSERT INTO ".$bb_table_prefix."privatemessages
            (id_sender, id_receiver, pmtitle, message, created_on)
            VALUES
            ('$id_sender', '$id_receiver', '$pmtitle', '$message','$created_on')");

        // Anne's notification hack: e-mail the receiver a link to the new message
        $to = bb_get_user_email($id_receiver);
        $pm_link = bb_get_option('uri') . 'message.php?id=' . $bbdb->insert_id;
        // The $ in the %1$s placeholders is escaped so PHP does not read them as variables
        $template = __("You have a new private message: %1\$s\nFrom: %2\$s\n\n%3\$s");
        mail( $to, bb_get_option('name') . ':' . __('Private Message'),
            sprintf( $template, $pmtitle, get_user_name($id_sender), $pm_link ),
            'From: ' . bb_get_option('from_email')
        );

    }

    I’m using the PM plugin by Nightgunner5 – is it ok, or is it a risk as well?

    Thanks.


    _ck_
    Participant

    @_ck_

    While I have not reviewed Nightgunner’s code, that version is a complete rewrite, so I suspect it avoids the pitfalls of the original version and is probably safe to use.

    Cheers _ck_


    circulartrend
    Member

    @circulartrend

    Just want to make sure I did it correctly, so with this new code that CK re-wrote… how much do you replace?

    I assume just the function from

    function pm_new_message( $id_receiver, $id_sender, $pmtitle, $message ){

    }

    You replace just that section to the } with the CK rewrite?

    PS thanks for this, security issue=bad


    Olaf Lederer
    Participant

    @finalwebsites

    I removed the PM plugin some time ago; personal messages are often a big problem on forums.

    I think a contact form which is sent to the “hidden” user email address is a much better solution

    I think a contact form which is sent to the “hidden” user email address is a much better solution

    That would indeed be an awesome feature to have.

    Do you know if this problem is resolved? I had the plugin downloaded onto my bbPress forum for me a few days ago and I was not aware of this topic at the time. Is it now safe to use or should I be taking it off?


    Ben L.
    Member

    @nightgunner5

    http://bit.ly/4LJlfj (a graph of the daily downloads) – 18 downloads this week, 6 of which were from today.

    It would benefit the bbPress community as a whole if Matt or MDA (or anyone else with access to the repository) could put up some kind of notice on the Private Messaging plugin page that tells about the security risks.


    Andrea Pernici
    Member

    @andreapernici

    Is it solved now? In the plugin I cannot find that function.

    Is it solved? I am afraid now.
