
Critical Exploit: Backdoor Spam Registrations via bbPress

  • DennisH
    Participant

    @dennish

    When using the bbPress plugin for forums, spam bots can bypass your registration and create accounts using the template files found here: buddypress/bp-forums/bbpress

    Not only can they bypass any anti-spam features (including email confirmation), their activity will not show in your normal forums. The spam posts will only show if you follow the default permalink: http://example.com/wp-content/plugins/buddypress/bp-forums/bbpress/ There you will find a vanilla install of bbPress where the spam posts live.

    Buddypress should not be used unless you delete these bbPress files. Spam bots can easily create thousands of posts/accounts per minute with nothing stopping them until your server crashes.

Viewing 1 replies (of 1 total)
  • Boone Gorges
    Keymaster

    @boonebgorges

    @dennish The installation of bbPress that is packaged with BuddyPress contains a file at buddypress/bp-forums/bb-config.php. When you attempt to access the bbPress installation directly as you describe, the bbPress bootstrap loads this bb-config.php file, and sends a 403 Forbidden header to the browser. Thus, it should NOT be the case that users are able to create accounts (or do anything else) on these pages. If you are finding otherwise, it could be because your buddypress/bp-forums/bb-config.php file is missing or corrupt.

    In the future, when you find what you believe are security issues in BP, please do not post them to the forums, but instead send an email to security@wordpress.org. Thanks.
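A site owner who wants to confirm the behaviour described in the reply above can script the two checks it implies: that the guard file buddypress/bp-forums/bb-config.php is still present, and that requesting the bundled bbPress path directly really does come back as 403 Forbidden. The script below is an added example for this thread, not code from BuddyPress or from either poster; the WordPress root path and site URL it takes as arguments are assumptions you supply for your own install, and the network check needs curl.

```shell
#!/bin/sh
# Added example (not BuddyPress code): verify that direct access to the
# bundled bbPress is still blocked, as the thread says it should be.
#
# Usage:  sh check_bbpress_guard.sh /var/www/html https://example.com
# Both arguments are assumptions for your own install.

WP_PLUGIN_REL="wp-content/plugins/buddypress/bp-forums"

# Returns 0 when the guard file exists and is non-empty, 1 otherwise.
# A missing or empty bb-config.php is the failure mode named in the reply.
guard_file_present() {
    wp_root="$1"
    [ -s "$wp_root/$WP_PLUGIN_REL/bb-config.php" ]
}

# Returns 0 when an HTTP status code is the expected 403, 1 otherwise.
# Kept separate from the network call so it can be checked offline.
status_is_forbidden() {
    [ "$1" = "403" ]
}

# Fetches only the status code for the bundled bbPress path (needs curl).
bundled_bbpress_status() {
    site_url="$1"
    curl -s -o /dev/null -w '%{http_code}' \
        "$site_url/$WP_PLUGIN_REL/bbpress/"
}

# Runs both checks when invoked with <wp_root> <site_url>; exits non-zero
# on any finding so it can sit in a cron job or a deploy pipeline.
if [ "$#" -eq 2 ]; then
    rc=0
    if guard_file_present "$1"; then
        echo "ok: bb-config.php present"
    else
        echo "FINDING: $1/$WP_PLUGIN_REL/bb-config.php missing or empty"
        rc=1
    fi
    code=$(bundled_bbpress_status "$2")
    if status_is_forbidden "$code"; then
        echo "ok: bundled bbPress path returns 403"
    else
        echo "FINDING: bundled bbPress path returned HTTP $code, expected 403"
        rc=1
    fi
    exit "$rc"
fi
```

Any status other than 403 is reported as a finding rather than interpreted further; a 200 on that path is exactly the symptom the original post describes, and the fix in both cases is to restore the guard file from a clean copy of the plugin.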


The topic ‘Critical Exploit: Backdoor Spam Registrations via bbPress’ is closed to new replies.