Comment preview allows anonymous users/bots to easily render syntax #90

Open
michitux opened this issue Oct 23, 2012 · 0 comments
The comment preview ajax request allows anonymous users to render arbitrary syntax (plugins could be disabled though) regardless of ACLs or whether comments are used at all. No security token is needed.

This could be used for DoS attacks by letting the wiki render larger amounts of text, as well as, for example, automatically constructing hash values for external redirects (see also FS#2648) or caching external images when $conf['fetchsize'] is non-zero. Of course this is also possible in an open wiki, but as blogtng is primarily used in closed wikis with trusted editors I think this is a security issue.

I suggest to
a) add a security token to the ajax request (and check it)
b) add the page id and check if the current user has at least read permissions and if comment posting is actually enabled
c) if there is a captcha used for the normal comment posting, check it during preview, too
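As an added illustration of the three checks proposed above (this is example code, not blogtng's own handler), a DokuWiki AJAX preview action that refuses to touch the parser until the security token, the page ACL and the captcha have all been verified. It assumes DokuWiki core helpers (`checkSecurityToken`, `auth_quickaclcheck`, `cleanID`, `http_status`, `p_render`, `p_get_instructions`, `plugin_load`); the AJAX call name, the `comments` config key and the size limit are hypothetical.

```php
<?php
// Added example, not part of blogtng: preview handler applying the issue's
// checks a), b) and c) before any syntax is rendered.

class action_plugin_example_preview extends DokuWiki_Action_Plugin {

    public function register(Doku_Event_Handler $controller) {
        // Hook DokuWiki's unknown-AJAX-call event; the call name is assumed.
        $controller->register_hook('AJAX_CALL_UNKNOWN', 'BEFORE', $this, 'handlePreview');
    }

    public function handlePreview(Doku_Event $event, $param) {
        if ($event->data !== 'example_comment_preview') return;
        $event->preventDefault();
        $event->stopPropagation();

        // a) The request must carry the security token DokuWiki issued to this
        //    session, so an anonymous bot cannot drive the renderer at will.
        if (!checkSecurityToken()) {
            http_status(403); echo 'invalid security token'; return;
        }

        // b) Bind the preview to a page id, require at least read access on
        //    it, and refuse when commenting is not enabled.
        $id = cleanID(isset($_REQUEST['page']) ? $_REQUEST['page'] : '');
        if ($id === '' || auth_quickaclcheck($id) < AUTH_READ
            || !$this->getConf('comments')) {  // 'comments' key is hypothetical
            http_status(403); echo 'preview not permitted'; return;
        }

        // c) If the captcha plugin is installed, enforce it for previews too
        //    (its helper's check() is assumed to return true on success).
        $captcha = plugin_load('helper', 'captcha');
        if ($captcha && !$captcha->check(false)) {
            http_status(403); echo 'captcha failed'; return;
        }

        // Only now render; an assumed size cap limits parser work per request.
        $text = isset($_REQUEST['text']) ? (string) $_REQUEST['text'] : '';
        if (strlen($text) > 10000) {
            http_status(413); echo 'comment too long'; return;
        }
        $info = array();
        header('Content-Type: text/html; charset=utf-8');
        echo p_render('xhtml', p_get_instructions($text), $info);
    }
}
```

The matching JavaScript must send the `sectok` value (available in DokuWiki's `JSINFO`) and the page id with the preview request, otherwise check a) rejects every preview.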
