9 Comments

  1. John James Jacoby

    This vulnerability was a bugger to fix correctly. Thanks for the coverage here, Jeff.

  2. Stephen

    BuddyPress has bbPress files included, though BuddyPress mentions installing bbPress yourself. I’ve removed BuddyPress for the time being since it was installed on inactive sites, but will this be a problem with BuddyPress too? The files included are obviously older.

    • John James Jacoby

      Without trying to be too cryptic, and without letting cats out of bags, a similar (but different) bug is being worked on right now for a few other projects, including non-WordPress ones that relied on a similar regular expression for identifying linkable usernames.

      The line between being informative and being responsible is a hard one to walk, but bbPress was the easiest to fix, so out it went.

      • Stephen

        I understand, even the slightest hint at times gives the bad guys ideas. With the weirdest things I find in my server logs at times, I wish I understood the things hackers leave behind (things like \x97\xA9hghV\ as a small example and I feel I should know how to decode it).

        It gets frustrating when I want to utilize everything WP, but every other week something security related stops me in my tracks, as I don’t want the new responsibility of putting user data at risk, even with things in place that should keep the data safe.

  3. alessandra rossi

    Happy to read it, I’m a new bb user.
    I’ll share the message :)

  4. Erik D. Slater

    “This vulnerability was a bugger to fix correctly”

    “bugger” … “bug” … see what I did there, right? Tough crowd :-)

    On a completely serious note …

    Is there any timeline on fixing the issue where forum posts which require login access are included in the forum search results WITHOUT needing to log in?

    • John James Jacoby

      Do you know if there’s a trac ticket for this issue? If you can link me to it, I can respond there. If there isn’t one, let’s find a way to chat more about what the issue is and we can make a new issue together.

      The way you’ve described the issue makes it sound like it’s by design: content within a private forum should stay as private as we can keep it. If there’s a bigger issue, let’s figure it out! :)

      • Erik D. Slater

        Thanks for the quick reply :-)

        I just sent you a LinkedIn invite.

        I’m sure I read something somewhere (would have been several months ago now) that this was a known issue … and that it was part of the 2.8.x roadmap. Could be wrong though.

        I’d post an example here, but the irony would be too much :-)
