Massimo, I also received the email from a Vietnamese (or Chinese, I can't remember) "security" firm that basically told me the exact same thing you are writing. They basically wanted me to "sign an agreement" with them in order not to disclose the "vulnerability"; otherwise they would disclose it to the "appropriate parties [?]". I basically asked them to cut the BS and give me a proof of concept, and received no further response.
XML() (along with T()) is used on virtually every string exposed publicly, and all mail sending is handled by its own (protected) class. I don't know how a password can be sent to the forum admin, since password retrieval relies on the original user's email... Don't get me wrong, I am not saying the app is bug-free, but the fact that they reference a problem by describing a totally different one takes the credibility factor out of my plate... Thanks!

Julio

On Dec 15, 10:17 am, mdipierro <[email protected]> wrote:
> There are a number of security advisory reports online about pyforum,
> some from reputable sources.
>
> They report two vulnerabilities:
>
> 1) What they refer to as a backdoor but they describe as a different
> problem: an attacker can force pyforum to email a new password to the
> administrator (not to the attacker himself). If true, this is not a
> major problem, but it may be annoying for the administrator.
>
> 2) There is an XSS vulnerability. If true, it is a major security issue, but
> it would be trivial to fix using XML(..., sanitize=True).
>
> I have not looked at the source code.
> Somebody should look into this and fix it or respond to the security
> advisory.
>
> Massimo

--
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/web2py?hl=en.
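Massimo's suggested fix, rendering user-supplied text through XML(..., sanitize=True), comes down to allow-listing markup instead of trusting it. The following is an added example and is not code from pyforum or from web2py: a small stand-alone allow-list sanitizer built on Python's html.parser, with a render_markup() helper (an assumed name) that contrasts rendering a forum post as raw markup with rendering it sanitized. The tag and attribute allow-lists are constructed for this example; web2py's helper ships its own defaults and signature.

```python
# Added example, not code from pyforum or web2py: an allow-list HTML sanitizer
# in the spirit of XML(..., sanitize=True). The allow-lists below and the
# render_markup() name are assumptions made for this example.
from html import escape
from html.parser import HTMLParser

# Constructed allow-lists for a forum post: simple formatting plus links.
PERMITTED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRIBUTES = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class AllowListSanitizer(HTMLParser):
    """Re-emit only permitted tags and attributes; escape everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skipping = False  # True while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skipping = True  # drop the tag and its contents entirely
            return
        if tag not in PERMITTED_TAGS:
            return  # unknown tag is dropped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRIBUTES.get(tag, set()):
                continue  # removes onclick=, onerror=, style=, ...
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue  # removes javascript: and data: URLs
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> is handled like <br>

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skipping = False
        elif tag in PERMITTED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skipping:
            # convert_charrefs already decoded entities, so re-escape uniformly
            self.out.append(escape(data, quote=False))


def render_markup(text, sanitize=False):
    """Stand-in for the two renderings the thread contrasts: raw vs sanitized."""
    if not sanitize:
        return text  # raw: whatever the user typed reaches the browser
    parser = AllowListSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample forum post with hostile markup embedded in it.
    post = ('<b>hello</b> <a href="javascript:alert(1)" onclick="x()">me</a>'
            '<img src=x onerror=alert(1)><script>alert(1)</script>')
    print("raw      :", render_markup(post))
    print("sanitized:", render_markup(post, sanitize=True))
```

With the sample post, the raw rendering passes the script element, the onerror handler and the javascript: link straight through to the browser, while the sanitized rendering keeps only `<b>hello</b> <a>me</a>`. When a field never needs markup at all, escaping the whole string is the simpler and safer choice; the allow-list is only for places where users are meant to post limited formatting.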

