Development

Interesting, thanks for the report. That's the problem with GET requests for critical actions.

We can probably fix this by requiring a token in the URL just like it's done for the logout link, right?

Yes, that should fix this.

I had a similar issue with my Like mod, I didn't thought this would happen in the core too

https://www.wareziens.net/forum/topic-2 … age-1.html

With a fresh installation, the topic is closed/locked/whatever only if an admin or a moderator visits the infected topic. It not as bad as it seems, but it should be fixed.

Yeah, but how small is the chance that no admin or moderator will ever visit these topics, usually, these people are there to check every topic, so it becomes very easy to exploit this.

Yep. I'll be away until Wednesday, can we coordinate a release for, let's say, next Friday?

Can you review https://github.com/fluxbb/fluxbb/pull/157 please ?

Will do when I get back. I would have preferred to keep this private until next week, to be honest. But oh well, we can't change that anymore...

It's not a critical one, and I'm not sure the repo is visited by the masses.

Franz, any progress on this?

The patch has been reviewed by quy, so it should be ok. I don't have the rights to push it to the repo, sorry.

I'm back. I'll prepare the release in the next days.

"Delete avatar" is vulnerable when image tag is allowed in signatures and viewing a profile with the offending code.

Fixed

Thanks a lot for the pull request!

Sorry for taking so long, I was really busy. I will take care of the release either Monday or Tuesday.

That said, can we agree that we should coordinate security-relevant things like this a bit better in the future, to avoid making them public prematurely:
- A PR should be sent very close before the release. We can review patches in advance.
- @Yannick: We could have coordinated releases (Luna & FluxBB).

I've already issued an update the Friday you proposed to do so, expecting you to do so that day as well.

That's not exactly coordination, eh?

Anyway: do we still need the confirm_referrer() calls where we added the check_csrf() calls? I'd wager no...

Well... you gave the date. I thought you would keep up with that yourself too.

I'd think confirm_referrer is a cheap a convenient protection.

Without it, I think we could call moderate.php?fid=1&stick=8282&csrf_token=XXX from anywhere and not viewtopic only.

In my FluxBB version this vulnerability was closed in 2011
https://fluxbb.org/development/core/tic … 92s3z54944

But you then didn't listen to me and now you don't listen to me.

We didn't want to replace the whole referrer check, which is different.

I speak, you don't want to listen to me.

It is easier for you to add new system of check, adding a new code, than to correct the old.

We don't do it because it is easier, we do it because we think of all the users that would have to manually edit their old files. Sorry if you don't like it.