This malicious behavior of BuddyPress is a serious security risk
-
There is a feature in WordPress that’s very useful for a blog owner who administers his/her own blog, but that same feature presented to the user who is NOT a site admin is downright malicious and exposes the site owner to a serious security risk or at least a serious and even more costly privacy risk.
BuddyPress and bbPress are both guilty of doing just that.But the interesting thing is:
The administrators of BuddyPress.org apparently do have a brain because they’ve made sure that this giant security/privacy hole is closed on this bbPress forum here.So, WHY THEN ARE THEY EXPOSING every other normal BuddyPress and bbPress user to that malicious behavior of BuddyPress and bbPress???
WHY???That’s what I wanna know.
Oh, you wanna know what’s that malicious behavior/security risk that BuddyPress and bbPress is exposing you to?
Easy!
Go to your own installation of bbPress, create a new topic/post and while creating it highlight a word and click that “insert link” button you see in the top row!
Does it ring a bell?In case you are very slow, lemme ring the bell for you here:
First, you need to open your eyes. That’s quite important.
Listening to the bell alone isn’t gonna help you.Secondly, take a look at that “Or link to existing content” thingy and explore the list that appears below!
See how it lists ALL OF YOUR PAGES including the secret thank-you pages with content that is supposed to be visible ONLY TO PEOPLE WHO HAVE PAID FOR THE PRODUCT!
As well as all of your test pages and other secret/private pages that you don’t want anyone to have access to.And in case you don’t think that’s a good idea, you are not alone.
The admins of BuddyPress.org don’t think that’s a good idea either.
That’s why on this website, on this bbPress forum here they have removed that security/privacy threat!That’s right! If you try the “insert link” feature in this forum here, you’ll immediately notice that this malicious “Or link to existing content” feature has been disabled.
It’s not suggesting any of the internal pages on BuddyPress.org here.GOOD THINKING!
And it’s good to know that at least the admins of BuddyPress.org do have a brain.Now, in a bbPress forum you could sort of “fix” this issue by making your forum extremely inconvenient for your users.
Just go to your forum settings and uncheck “Add toolbar & buttons to textareas to help with HTML formatting”.But is that something you really want to do???
Do you really want your forum appear as if was coded in 1997?
Do you really want to deprive all normal forum users of being able to format their posts?
And even users who know HTML, would they want to type HTML markup when posting in a forum?But hey, while bbPress offers at least a 1997-style kill switch to switch off that malicious behavior of bbPress, BuddyPress does NOT offer such switch at all.
So, if, for example, you have something like BuddyPress Docs installed (a very helpful plugin by the way), then you’ll find yourself facing the same damn problem!
Now for my final question to the admins of BuddyPress.org:
Do you know what negligence is?You are guilty of negligence because while having protected your own site with some custom coding, you are exposing all other people using your software to a serious security/privacy risk!
FIX IT!
I want people to be able to easily format my forum posts and BuddyPress posts (using TinyMCE) WITHOUT exposing my private pages!
Otherwise I might just as well publish my admin password on my home page.WHY THE HELL is the custom code that you have implemented on this site here (and on WordPress.org to protect your sites from malicious attacks) is not part of the core BuddyPress code???????
P.S.
I couldn’t keep this post any shorter because when I see such a tremendous amount of stupidity (or negligence in this case) it just drives me mad.
- The topic ‘This malicious behavior of BuddyPress is a serious security risk’ is closed to new replies.