On Dec 15, 2:47 pm, Julio <[email protected]> wrote: > Massimo, > > I also received the email from a Vietnamese (or chinese, can't > remember) "security" firm that basically told me the exact same thing > as you are writing, they basically wanted me to "sign an agreement" > with them in order to not disclose the "vulnerability" otherwise they > would disclose to the "appropriate parties [?]", I basically asked > them to cut the BS and give me a proof of concept and received no > further response. > > XML() (along with T()) is used on virtually every string exposed > publicly, and all mail sending is handled by its own (protected) > class. > > I don't know how can a password be sent to the forum admin, since > password retrieval relies on the original user's email..
Julio - I think you need to read the posts that Massimo gave: the critique was that admin is "well known", and anyone can try to sign in as admin, and have a reset sent to admin - repeatedly.. (e.g. make it hard to use admin account). The recommendation was when setting up to setup a DIFFERENT admin name. If you want, you can make admin (the username) forced to be changed on first fire-up, or let users just do this. This is (I think) what they were talking about. Regards, - Yarko > > Don't get me wrong, I am not saying the app is bug-free but the fact > that they reference a problem by describing a totally different one > takes the credibility factor out of my plate.. > > Thanks! > Julio > > On Dec 15, 10:17 am, mdipierro <[email protected]> wrote: > > > > > There are a number of security advisory reports online about pyforum, > > some from reputable sources. > > > They report two vulnerabilities: > > > 1) What they refer to as a backdoor but they describe as a different > > problem: an attacker can force pyforum to email a new password to the > > administrator (not to the attacker himself). If true this is not a > > major problem but it may be annoying for the administrator. > > > 2) There is a XSS vulnerability. If true, is major security issue but > > it would be trivial to fix using XML(...,sanitize=True). > > > I have not looked at the source code. > > Somebody should look into this and fix it or respond to the security > > advisory. > > > Massimo -- You received this message because you are subscribed to the Google Groups "web2py-users" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/web2py?hl=en.
