Topic: Critical Exploit: Backdoor Spam Registrations via bbPress · BuddyPress.org

Skip to:: Content; Pages; Categories; Search; Top; Bottom

Critical Exploit: Backdoor Spam Registrations via bbPress

DennisH
Participant

@dennish

10 years, 6 months ago

When using the bbPress plugin for forums spam bots can bypass your registration and create accounts using the template files found here: buddypress/bp-forums/bbpress

Not only can they bypass any anti-spam features (including email conformation), their activity will not show in your normal forums. The spam posts will only show if you follow the default permalink: http://example.com/wp-content/plugins/buddypress/bp-forums/bbpress/ There you will find a vanilla install of bbPress where the spam posts live.

Buddypress should not be used unless you delete these bbPress files. Spam bots can easily create thousands of posts/accounts per minute with nothing stopping them until your server crashes.

Viewing 1 replies (of 1 total)

Boone Gorges
Keymaster

@boonebgorges

10 years, 6 months ago

@dennish The installation of bbPress that is packaged with BuddyPress contains a file at buddypress/bp-forums/bb-config.php. When you attempt to access the bbPress installation directly as you describe, the bbPress bootstrap loads this bb-config.php file, and sends a 403 Forbidden header to the browser. Thus, it should NOT be the case that users are able to create accounts (or do anything else) on these pages. If you are finding otherwise, it could be because your buddypress/bp-forums/bb-config.php file is missing or corrupt.

In the future, when you find what you believe are security issues in BP, please do not post them to the forums, but instead send an email to security@wordpress.org. Thanks.

Viewing 1 replies (of 1 total)

The topic ‘Critical Exploit: Backdoor Spam Registrations via bbPress’ is closed to new replies.