
bbPress.org

Opened 15 years ago

Last modified 13 months ago

#1159 new defect (bug)

XSS XHR Security Violation on SSL/HTTPS.

Reported by: Jason_Jm
Owned by:
Milestone: Future Release (Legacy)
Priority: normal
Severity: major
Version:
Component: Front-end
Keywords: needs-patch
Cc: nightgunner5@…

Description

XSS XHR Security Violation on SSL/HTTPS.
I understand SSL with the current release is NOT guaranteed yet; however, when the time comes this should be looked at.

I've flagged this with 'major' severity as it's a security issue and I believe these by default should be above normal.

Ajax triggers XSS security violation in the following browsers:
Opera
Chrome (current stable - trunk as of 7.21.2009)
Safari (current stable - trunk as of 7.21.2009)
WebKit (current stable - nightly build as of 7.21.2009)

Browsers that allow ajax to run:
I.E. 6
Firefox 2.X

Untested:
I.E. 7, 8, 9 :-)

Types of Ajax Actions which this occurs:

  • Favorites add/remove
  • User topic reply delete/undelete Ajax triggers WebKit Browsers and others.

Stack (Latest Stable as of 7.21.2009):
WPMU 2.8.1 >> bbpress 1.0.1 >> Integration Plugin

Additional Notes:

  • You need to define both SSL options in both wp-config, bb-config.
  • You need to edit integration plugin, manually flagging secure=true as secure cookies aren't generated in current version.

Debugging Info:

  • I've only (at this time) debugged up to the xhr.send().
  • Error is caught by jQuery in catch block, with "Security Violation" being the only indicator.
  • Will continue debugging when there is free time.

Forum Post with additional info:
http://bbpress.org/forums/topic/chromesafari-webkit-javascriptajax-issues

  • Jason Giedymin

Change History (8)

#1 @Jason_Jm
15 years ago

Workaround is to remove the class from the span tag. This can be done via jQuery on document load. This will force plain href linking and bbpress will force redirect back to the page with the changes reflected.

Or you can strip the href from its wrapping span.

#2 @GautamGupta
15 years ago

  • Keywords needs-patch added; XSS Ajax Security Violation Chrome Webkit Favorites Post Delete Post Undelete removed
  • Version changed from 1.0.1 to 1.0.2

#3 @Nightgunner5
14 years ago

  • Cc nightgunner5@… added

I just looked through the path the code takes to send the XHR, and it should be switching to SSL (the URL is grabbed using a context containing BB_URI_CONTEXT_BB_ADMIN).
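
A diagnostic for the kind of failure discussed in this ticket, added here as an example (it is not bbPress code and not from any commenter): it compares the page's origin with each Ajax endpoint URL and reports which part of the same-origin tuple (scheme, host, port) differs. It assumes the "Security Violation" comes from an origin mismatch, which the ticket does not confirm; the host name and endpoint paths are constructed for illustration.

```javascript
// Default ports, so https://host and https://host:443 compare as equal.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Break a URL into the three components browsers compare for same-origin.
function originTuple(href) {
  const u = new URL(href);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Return the origin components that differ between the page and the
// XHR target. Relative endpoints are resolved against the page URL,
// as the browser would do before sending the request.
function originMismatch(pageHref, endpoint) {
  const page = originTuple(pageHref);
  const target = originTuple(new URL(endpoint, pageHref).href);
  return ['scheme', 'host', 'port'].filter((k) => page[k] !== target[k]);
}

// Audit a list of endpoints and keep only those that are cross-origin.
function auditEndpoints(pageHref, endpoints) {
  return endpoints
    .map((endpoint) => ({ endpoint, mismatch: originMismatch(pageHref, endpoint) }))
    .filter((r) => r.mismatch.length > 0);
}

// Constructed sample input: a page served over HTTPS and four endpoint
// URLs as they might appear in the page's script configuration.
const SAMPLE_PAGE = 'https://forum.example/topic/1';
const SAMPLE_ENDPOINTS = [
  '/ajax-endpoint.php',                       // relative: same origin
  'https://forum.example:443/ajax-endpoint.php', // explicit default port
  'http://forum.example/ajax-endpoint.php',   // scheme not switched to SSL
  'https://www.forum.example/ajax-endpoint.php', // different host name
];

for (const r of auditEndpoints(SAMPLE_PAGE, SAMPLE_ENDPOINTS)) {
  console.log(`${r.endpoint} differs in: ${r.mismatch.join(', ')}`);
}
```

Running the same comparison in the browser console with `location.href` as the page URL shows whether the URL handed to `xhr.send()` actually switched to HTTPS.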

#4 @kevinjohngallagher
14 years ago

  • Milestone changed from Future Release to 1.1

#5 @GautamGupta
14 years ago

  • Milestone changed from 1.1 to Future Release

Should wait for now.

#6 @johnjamesjacoby
13 years ago

  • Version changed from 1.0.2 to 1.1-alpha

Moving to 1.1-alpha Version as part of trac triage.

#7 @johnjamesjacoby
13 years ago

  • Milestone changed from Future Release to 1.1
  • Version 1.1-alpha deleted

#8 @johnjamesjacoby
13 years ago

  • Milestone changed from 1.1 to 1.2