TOPIC: Link articles to CB Profile

Re:Link articles to CB Profile 2 years, 5 months ago #107715

meloman (Junior Boarder, Posts: 20, Karma: 2)
Very good point!
The topic has been locked.

Re:Link articles to CB Profile 2 years, 5 months ago #107768

beat (Administrator, Posts: 6655, Karma: 321)
yvolk wrote:
krileon wrote:

lemur wrote:

The problem was solved by Yuri Volkov (yvcomment).
See:
forum.joomla.org/viewtopic.php?f=473&...p;p=1804749#p1804749

Do not do as instructed in the post. This was done for a reason, security. By reverting what Joomla team has done you just open up the vulnerability again. This is not a resolution to the problem, but creates an even bigger problem.

Very interesting. What security risk is there in showing on an HTML page some part of the Article (namely the "created_by_alias" property) that was just retrieved from the database (from _our_ database)?
One possible scenario that I can think of is that some attacker managed to save this article with some evil "injection" in his "alias", and so we're fighting injections stored in our database.

In this case I'm sure we should take better care of filtering (escaping...) that injection _before_ it is written to the database, and not _after_ it is read from it?!

Post edited by: yvolk, at: 2009/08/11 21:08


Very good point indeed.

However, as the filtering wasn't done right by Joomla earlier, the database may have "dangerous" content inside.

The correct method would have been to clean the database on upgrade, but Joomla's point-release upgrades are just FTP overwrites without database adjustments, like CB does.

Maybe a point to raise on Joomla's dev group?
Beat
Community Builder Team Member
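As an added illustration (not code from this thread, from Joomla or from CB), here is a Python sketch of the three layers the posts argue about: escaping created_by_alias on output (what the Joomla fix does; htmlspecialchars() in PHP), filtering on input before the write (yvolk's point), and a one-off cleanup of already stored rows on upgrade (Beat's point). The sample rows and the evil() marker are constructed for the example.

```python
import html
import re

# Constructed sample rows standing in for Joomla's content table. Row 2 is a
# hypothetical "legacy" record written before input filtering was fixed.
STORED_ARTICLES = [
    {"id": 1, "created_by_alias": "Alice"},
    {"id": 2, "created_by_alias": "Bob<script>evil()</script>"},
]


def render_author(row):
    """Output escaping: the only layer that covers whatever is already in the
    database, however it got there (PHP equivalent: htmlspecialchars())."""
    alias = html.escape(row["created_by_alias"], quote=True)
    return '<span class="author">%s</span>' % alias


def filter_on_input(value):
    """Input filtering, as yvolk suggests: strip tags before the write.
    Good hygiene, but it does nothing for rows stored before the filter existed."""
    return re.sub(r"<[^>]*>", "", value)


def clean_legacy_rows(rows):
    """One-off cleanup on upgrade, as Beat suggests: re-run the input filter
    over rows that are already stored. Returns the number of rows changed."""
    changed = 0
    for row in rows:
        cleaned = filter_on_input(row["created_by_alias"])
        if cleaned != row["created_by_alias"]:
            row["created_by_alias"] = cleaned
            changed += 1
    return changed
```

Output escaping stays in place even after the cleanup, since the two address different failure modes: the cleanup removes known legacy content, the escaping neutralises anything the filter missed.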

Re:Link articles to CB Profile 1 year, 11 months ago #125302

mediaguru (Platinum Boarder, Posts: 1145, Karma: 71)
I should have a solution shortly. This solution allows display and control over the CB avatar, pre- and post-name text, and allows selection of username or name...
