BTW, I already have a pending patch that will fix the issue with password reset on all apps. Password reset will require email confirmation. I have been lazy and have not included the patch yet.
On Dec 16, 11:10 am, Yarko Tymciurak <[email protected]> wrote:
> On Dec 15, 2:47 pm, Julio <[email protected]> wrote:
>
> > Massimo,
> >
> > I also received the email from a Vietnamese (or Chinese, can't remember) "security" firm that basically told me the exact same thing as you are writing. They basically wanted me to "sign an agreement" with them in order to not disclose the "vulnerability", otherwise they would disclose to the "appropriate parties [?]". I basically asked them to cut the BS and give me a proof of concept and received no further response.
> >
> > XML() (along with T()) is used on virtually every string exposed publicly, and all mail sending is handled by its own (protected) class.
> >
> > I don't know how a password can be sent to the forum admin, since password retrieval relies on the original user's email..
>
> Julio -
>
> I think you need to read the posts that Massimo gave: the critique was that admin is "well known", and anyone can try to sign in as admin, and have a reset sent to admin - repeatedly.. (e.g. make it hard to use admin account).
>
> The recommendation was when setting up to set up a DIFFERENT admin name.
>
> If you want, you can make admin (the username) forced to be changed on first fire-up, or let users just do this.
>
> This is (I think) what they were talking about.
>
> Regards,
> - Yarko
>
> > Don't get me wrong, I am not saying the app is bug-free, but the fact that they reference a problem by describing a totally different one takes the credibility factor out of my plate..
> >
> > Thanks!
> > Julio
> >
> > On Dec 15, 10:17 am, mdipierro <[email protected]> wrote:
> >
> > > There are a number of security advisory reports online about pyforum, some from reputable sources.
> > >
> > > They report two vulnerabilities:
> > >
> > > 1) What they refer to as a backdoor but they describe as a different problem: an attacker can force pyforum to email a new password to the administrator (not to the attacker himself). If true this is not a major problem, but it may be annoying for the administrator.
> > >
> > > 2) There is an XSS vulnerability. If true, it is a major security issue, but it would be trivial to fix using XML(...,sanitize=True).
> > >
> > > I have not looked at the source code.
> > >
> > > Somebody should look into this and fix it or respond to the security advisory.
> > >
> > > Massimo
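The two-step reset the thread ends on (a request only mails a confirmation token; the password is replaced and mailed only when that token comes back), written here as an added plain-Python example rather than pyforum's or web2py's own code. It assumes an in-memory user table and a `send_mail(to, body)` callable standing in for the real mailer, and also caps each account at one live request, so repeated resets against a well-known name such as "admin" do nothing but return an error.

```python
import hashlib
import secrets
import time


def _hash(value: str) -> str:
    # Tokens and passwords are stored hashed so a leaked table yields no usable secret.
    # A real application would use a slow, salted password hash (pbkdf2/bcrypt/argon2).
    return hashlib.sha256(value.encode()).hexdigest()


class PasswordReset:
    """Two-step reset: request() mails a confirmation token, confirm() acts on it.
    Nothing about the account changes until the token from the mailbox comes back."""

    def __init__(self, users, send_mail, ttl=3600):
        self.users = users          # constructed: {username: {"email": ..., "password": hash}}
        self.send_mail = send_mail  # hypothetical mailer: callable(to_address, body)
        self.ttl = ttl              # seconds a confirmation token stays valid
        self.pending = {}           # token hash -> (username, expiry timestamp)

    def request(self, username, now=None):
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return False
        # One live request per account: hammering "admin" cannot flood that mailbox.
        if any(u == username and exp > now for u, exp in self.pending.values()):
            return False
        token = secrets.token_urlsafe(32)
        self.pending[_hash(token)] = (username, now + self.ttl)
        self.send_mail(user["email"], f"Confirm the reset: /reset/confirm?token={token}")
        return True

    def confirm(self, token, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(_hash(token), None)   # pop: a token is single use
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        user = self.users[username]
        new_password = secrets.token_urlsafe(12)
        user["password"] = _hash(new_password)
        # Only now, after the mailbox owner confirmed, does the new password go out.
        self.send_mail(user["email"], f"Your new password: {new_password}")
        return True
```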

