
This malicious behavior of BuddyPress is a serious security risk

  • @abooster

    Participant

    There is a feature in WordPress that’s very useful for a blog owner who administers his/her own blog, but that same feature presented to the user who is NOT a site admin is downright malicious and exposes the site owner to a serious security risk or at least a serious and even more costly privacy risk.
    BuddyPress and bbPress are both guilty of doing just that.

    But the interesting thing is:
    The administrators of BuddyPress.org apparently do have a brain because they’ve made sure that this giant security/privacy hole is closed on this bbPress forum here.

    So, WHY THEN ARE THEY EXPOSING every other normal BuddyPress and bbPress user to that malicious behavior of BuddyPress and bbPress???
    WHY???

    That’s what I wanna know.

    Oh, you wanna know what’s that malicious behavior/security risk that BuddyPress and bbPress is exposing you to?
    Easy!
    Go to your own installation of bbPress, create a new topic/post and while creating it highlight a word and click that “insert link” button you see in the top row!
    Does it ring a bell?

    In case you are very slow, lemme ring the bell for you here:

    First, you need to open your eyes. That’s quite important.
    Listening to the bell alone isn’t gonna help you.

    Secondly, take a look at that “Or link to existing content” thingy and explore the list that appears below!
    See how it lists ALL OF YOUR PAGES including the secret thank-you pages with content that is supposed to be visible ONLY TO PEOPLE WHO HAVE PAID FOR THE PRODUCT!
    As well as all of your test pages and other secret/private pages that you don’t want anyone to have access to.

    And in case you don’t think that’s a good idea, you are not alone.
    The admins of BuddyPress.org don’t think that’s a good idea either.
    That’s why on this website, on this bbPress forum here they have removed that security/privacy threat!

    That’s right! If you try the “insert link” feature in this forum here, you’ll immediately notice that this malicious “Or link to existing content” feature has been disabled.
    It’s not suggesting any of the internal pages on BuddyPress.org here.

    GOOD THINKING!
    And it’s good to know that at least the admins of BuddyPress.org do have a brain.

    Now, in a bbPress forum you could sort of “fix” this issue by making your forum extremely inconvenient for your users.
    Just go to your forum settings and uncheck “Add toolbar & buttons to textareas to help with HTML formatting”.

    But is that something you really want to do???

    Do you really want your forum to appear as if it was coded in 1997?
    Do you really want to deprive all normal forum users of being able to format their posts?
    And even users who know HTML, would they want to type HTML markup when posting in a forum?

    But hey, while bbPress offers at least a 1997-style kill switch to switch off that malicious behavior of bbPress, BuddyPress does NOT offer such a switch at all.

    So, if, for example, you have something like BuddyPress Docs installed (a very helpful plugin by the way), then you’ll find yourself facing the same damn problem!

    Now for my final question to the admins of BuddyPress.org:
    Do you know what negligence is?

    You are guilty of negligence because while having protected your own site with some custom coding, you are exposing all other people using your software to a serious security/privacy risk!

    FIX IT!
    I want people to be able to easily format my forum posts and BuddyPress posts (using TinyMCE) WITHOUT exposing my private pages!
    Otherwise I might just as well publish my admin password on my home page.

    WHY THE HELL is the custom code that you have implemented on this site here (and on WordPress.org to protect your sites from malicious attacks) not part of the core BuddyPress code???????

    P.S.
    I couldn’t keep this post any shorter because when I see such a tremendous amount of stupidity (or negligence in this case) it just drives me mad.

Viewing 7 replies - 1 through 7 (of 7 total)
  • @shanebp

    Moderator

    Thanks for your concern.

    The responsible way to report a security issue is to:

    1. Tell WP about it

    2. Open a ticket here – using the same user/pw you use for these forums.

    @djsteveb

    Participant

    @abooster – I found a similar issue in regards to uploaded pictures and videos some time ago. It really disturbed me that it was trivial to see other people’s uploaded media within buddypress / wp -multisite.

    I found at the time role scoper had a method to limit the permissions there and fix this issue on one install for me – it has since transformed into ‘press permit core’

    I never bothered to report this, as it seemed like I’d report it to bp and it would get the whole ‘it’s not bp, it’s wp – or it’s rtmedia’s plugin problem’ – then I’d probably report it to rtmedia – and it would get a whole – that’s the way bp and wp works – and although we were multi site compatible, we are not responsible for how permissions within those setups work..

    and so, it’s really a problem for the bp community, but more so for those users who sign up assuming that we have good security practices like big social networks. I am guessing issues like these run afoul of the eu data privacy and protection laws, but I’m not there and don’t know enough about them.

    So I just put in my terms that this is all beta software and not to post anything you don’t want exposed – there is no way any of this stuff is secure and everything could inadvertently be exposed one day even without a hack attempt.

    sucks but that’s about all I can do as a user, not an expert of php or anything wp / bp / etc.

    thanks for mentioning another similar issue that I had never considered – I think I had seen something like this when logged in as super admin, had not considered it may also show for non-super-admins – this sucks.

    @djsteveb

    Participant

    what I used to fix some of these permissions issues with a bp / multi-site setup – https://wordpress.org/plugins/press-permit-core/ – not sure if this will work on the other issues mentioned – and not sure how to set things up, as this plugin had pulled in the old settings that I made with the role scoper system some time ago.

    @abooster

    Participant

    @shanebp Thanks for pointing me in the right direction.
    Those are the kind of links I’ve been looking for but couldn’t immediately find the right place to post. So, this forum seemed like the next best thing.

    Oh, and just to set the record straight:
    It is NOT irresponsible of me to post and vent about this particular issue in a public forum.
    It is irresponsible of WordPress to keep this hole open despite having fixed it for their own sites!
    THAT’S what’s irresponsible here!
    Not posting about an issue that WordPress is well aware of.

    In fact, I hope that a bit of public exposure will set fire to the idiot’s asses who are responsible for this gross negligence. Gross negligence can invoke criminal charges and this case here sure does seem like it might be such a case. I feel no pity for people who commit such gross negligence.

    @abooster

    Participant

    @djsteveb Thank you, my friend, for pointing me to Press Permit Core!
    It sure does look like the kind of thing I was initially looking for.
    And yes, if I would have found it, I probably wouldn’t have posted anything here either.
    I really hope I’ll be able to close this hole using Press Permit Core.
    But it is utterly idiotic for WP to *knowingly* leave such a hole open and require users to use a third-party plugin to fix their security/privacy hole.

    Going to test Press Permit Core now!

    P.S.
    After checking it out, I can say that while Press Permit Core appears to be a potentially very useful plugin, it cannot fix the issue at hand.
    But thanks for pointing me to this plugin anyway!

    @djpaul

    Keymaster

    Thank you for getting in contact with the BuddyPress team. Some of the attitudes displayed in this discussion have not been respectful and are not conducive to a productive conversation, so I am going to close this topic for that reason only. If anyone has questions about this moderation action and is prepared to discuss them civilly, you can find my contact details on https://profiles.wordpress.org/djpaul/.

    All projects, including bbPress, BuddyPress, and WordPress, appreciate responsible reporting of suspected vulnerabilities. Read this page on the WordPress site for reporting guidelines for all the aforementioned projects: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/


    @djsteveb
    On the whole, the BuddyPress team enjoys a good working relationship with rtMedia, and we have often discussed issues when it’s vague where the root cause lies. I appreciate that it’s frustrating to be passed from pillar-to-post when you’re trying to get support or report a problem. If you still have the information, I’d encourage you to get in contact with the rtMedia team to start the conversation.

    @johnjamesjacoby

    Keymaster

    Thanks for the post, and thank you everyone that chimed in to alert the OP about the protocol for security concerns. Understanding it’s possible there’s a communication gap here, this topic does also read (to my eyes) as condescending & inflammatory, which is honestly not going to yield a very positive conversation. I think y’all did a great job staying positive, and I for one greatly appreciate that.

    To be clear to anyone else that runs into this topic, what the OP sees is not a BuddyPress or bbPress bug; this is WordPress doing its best to show published content from public post types.

    About BuddyPress:
    * Neither BuddyPress nor bbPress modify this core behavior
    * BuddyPress does not use this interface; bbPress does
    * The .org sites have not disabled this, they just do not have any unusual content to leak

    The gist:
    * If plugins allow for private content, it’s up to those plugins to protect it
    * If you create roles with content limitations, it’s up to you to confirm they’re working

    For anyone looking to modify or restrict content that appears in this list, use the wp_link_query_args and wp_link_query filters to do so.

    Here is how WordPress calculates the results in this list. Note that it only uses published posts from public post-types:

    // Every post type registered with 'public' => true, keyed by its name.
    $pts = get_post_types( array( 'public' => true ), 'objects' );
    $pt_names = array_keys( $pts );

    // Arguments handed to WP_Query for the "link to existing content" list.
    $query = array(
    	'post_type' => $pt_names,
    	'suppress_filters' => true,          // pre_get_posts and similar query hooks do not run
    	'update_post_term_cache' => false,
    	'update_post_meta_cache' => false,
    	'post_status' => 'publish',          // only published items, regardless of who is asking
    	'posts_per_page' => 20,
    );

    WordPress has a built-in way to calculate privacy scope using 'perm' => 'readable' and even that is not used here (though bbPress does use this in its own loops.) WordPress instead takes a strict position of published public content by default.
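    As an added illustration of the two filters named above (this is example code written for this thread, not code from WordPress, bbPress or BuddyPress), the following must-use plugin narrows what the "link to existing content" picker returns. It assumes you drop it into wp-content/mu-plugins/, that the only post type you want suggested to non-editors is the ordinary 'post' type, and that the post IDs in the hidden list are placeholders you replace with the IDs of your own pages. The function and constant names are this example's own, not WordPress APIs.

```php
<?php
/**
 * Plugin Name: Restrict "link to existing content" suggestions (added example)
 *
 * Everything in this file is an illustration for the thread above, not code
 * from WordPress, bbPress or BuddyPress. Post-type names and post IDs are
 * placeholders (assumption) that you would replace with your own.
 */

// Post types that non-editors may see in the link picker.
// Assumption: only ordinary blog posts should be suggested to forum users.
const EXAMPLE_LINK_PICKER_PUBLIC_TYPES = array( 'post' );

// Post IDs that must never be suggested to anyone, e.g. a "thank you" page
// whose URL is only handed out after purchase. Placeholder values.
const EXAMPLE_LINK_PICKER_HIDDEN_IDS = array( 123, 456 );

/**
 * First layer: narrow the WP_Query arguments before the query runs.
 *
 * Core sets 'suppress_filters' => true for this query, so any pre_get_posts
 * hook a membership plugin installed is skipped. The argument array itself is
 * therefore the reliable place to restrict what gets fetched.
 */
function example_restrict_link_query_args( array $query ) {
	if ( ! current_user_can( 'edit_others_posts' ) ) {
		$types              = (array) $query['post_type'];
		$query['post_type'] = array_values( array_intersect( $types, EXAMPLE_LINK_PICKER_PUBLIC_TYPES ) );
		// If nothing is allowed, force an empty result instead of letting
		// WP_Query fall back to its default (all post types).
		if ( empty( $query['post_type'] ) ) {
			$query['post__in'] = array( 0 );
		}
	}
	if ( ! empty( EXAMPLE_LINK_PICKER_HIDDEN_IDS ) ) {
		$query['post__not_in'] = EXAMPLE_LINK_PICKER_HIDDEN_IDS;
	}
	return $query;
}
add_filter( 'wp_link_query_args', 'example_restrict_link_query_args' );

/**
 * Second layer: prune the result set after the query, so a post that slipped
 * past the argument filter still cannot reach the browser.
 * Each result is an array with 'ID', 'title', 'permalink' and 'info' keys.
 */
function example_prune_link_query_results( $results, array $query ) {
	if ( ! is_array( $results ) ) {
		return $results;
	}
	$pruned = array();
	foreach ( $results as $item ) {
		$id = isset( $item['ID'] ) ? (int) $item['ID'] : 0;
		if ( in_array( $id, EXAMPLE_LINK_PICKER_HIDDEN_IDS, true ) ) {
			continue;
		}
		// Per-post capability check. For a published post of an ordinary type
		// this always passes; it matters for post types that map a custom
		// read capability, and it keeps the list honest if the rules change.
		if ( $id && ! current_user_can( 'read_post', $id ) ) {
			continue;
		}
		$pruned[] = $item;
	}
	return $pruned;
}
add_filter( 'wp_link_query', 'example_prune_link_query_results', 10, 2 );
```

    The two layers are deliberately redundant: the first keeps the database from being asked for content you never want listed, and the second guarantees that whatever does come back is checked item by item before it is serialised to the TinyMCE dialog. After installing it, confirm the behaviour the way the original post suggests, by opening the link dialog as a low-privilege test user and checking that the hidden pages no longer appear.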

    If anything unexpected is appearing here, it is not because of BuddyPress or bbPress, and we are still happy to help anyone discover the source of this in a new & more friendly topic.

  • The topic ‘This malicious behavior of BuddyPress is a serious security risk’ is closed to new replies.