Comments on: Interesting JForum vulnerabilties and the ESAPI WAF http://i8jesus.com/?p=102 because arshan's too cheap to license OneNote Wed, 01 Sep 2010 06:10:02 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Giorgio Fedon http://i8jesus.com/?p=102&cpage=1#comment-33062 Giorgio Fedon Tue, 29 Jun 2010 08:12:44 +0000 http://i8jesus.com/?p=102#comment-33062 ahahah, Italian soccer team plays better on my PS3 ! I will have a look on it... ;D ahahah, Italian soccer team plays better on my PS3 !

I will have a look on it… ;D

]]> By: arshan dabirsiaghi http://i8jesus.com/?p=102&cpage=1#comment-32919 arshan dabirsiaghi Fri, 25 Jun 2010 04:53:50 +0000 http://i8jesus.com/?p=102#comment-32919 nice flaw giorgio! why don't you go bang on antisamy for a while =] the new SAX parser needs some attention, and it's not like you have anything to watch in the world cup anymore nice flaw giorgio! why don’t you go bang on antisamy for a while =] the new SAX parser needs some attention, and it’s not like you have anything to watch in the world cup anymore

]]> By: Giorgio Fedon http://i8jesus.com/?p=102&cpage=1#comment-32876 Giorgio Fedon Thu, 24 Jun 2010 09:37:00 +0000 http://i8jesus.com/?p=102#comment-32876 We found a nice stored Cross Site Scripting in BBCode; actually we have included jforum as a sample application in our Java Secure coding classroom. http://www.mindedsecurity.com/MSA130510.html We found a nice stored Cross Site Scripting in BBCode; actually we have included jforum as a sample application in our Java Secure coding classroom.

http://www.mindedsecurity.com/MSA130510.html

]]> By: aaron http://i8jesus.com/?p=102&cpage=1#comment-29434 aaron Sat, 13 Mar 2010 22:41:38 +0000 http://i8jesus.com/?p=102#comment-29434 Rafael, are these fixed in a 2.x release? Rafael, are these fixed in a 2.x release?

]]> By: arshan dabirsiaghi http://i8jesus.com/?p=102&cpage=1#comment-27832 arshan dabirsiaghi Tue, 26 Jan 2010 13:30:20 +0000 http://i8jesus.com/?p=102#comment-27832 hi rafael! i emailed you directly on 10/26/2009. i can re-forward you the email if you'd like. don't feel bad about the vulns - it's easy to poke holes =] keep up the good work! hi rafael! i emailed you directly on 10/26/2009. i can re-forward you the email if you’d like. don’t feel bad about the vulns – it’s easy to poke holes =]

keep up the good work!

]]> By: Rafael Steil http://i8jesus.com/?p=102&cpage=1#comment-27584 Rafael Steil Thu, 14 Jan 2010 22:44:35 +0000 http://i8jesus.com/?p=102#comment-27584 Hello Arshan, quite impressive I'd say. The hash bugs (md5 with timemillis) is so obvious now you have pointed it out that I shame myself for doing such n00b thing. The XSS attack amazed me as well :) You said you contacted us about these bugs, but I can't remember right now, so I think I should have more attention to the forum or the emails, sorry. I'll fix these issues in JForum 3 source code as well (http://github.com/jforum/jforum3) Cheers, Rafael Hello Arshan,

quite impressive I’d say. The hash bugs (md5 with timemillis) is so obvious now you have pointed it out that I shame myself for doing such n00b thing. The XSS attack amazed me as well :)

You said you contacted us about these bugs, but I can’t remember right now, so I think I should have more attention to the forum or the emails, sorry.

I’ll fix these issues in JForum 3 source code as well (http://github.com/jforum/jforum3)

Cheers,
Rafael

]]> By: Scott http://i8jesus.com/?p=102&cpage=1#comment-27582 Scott Thu, 14 Jan 2010 21:53:23 +0000 http://i8jesus.com/?p=102#comment-27582 Thanks for the heads up. My install was vulnerable so I changed the code. There was already a USER_HASH_SEQUENCE in the SystemGlobals so I used it go generate the hash: String hash = MD5.crypt(SystemGlobals.getValue(ConfigKeys.USER_HASH_SEQUENCE) + user.getEmail() + System.currentTimeMillis()); The key, of course, is that the installer should have changed the user.hash.sequence value in WEB-INF/config/jforum-custom.conf I'm working on the rest. Thanks for the heads up. My install was vulnerable so I changed the code. There was already a USER_HASH_SEQUENCE in the SystemGlobals so I used it go generate the hash:

String hash = MD5.crypt(SystemGlobals.getValue(ConfigKeys.USER_HASH_SEQUENCE) + user.getEmail() + System.currentTimeMillis());

The key, of course, is that the installer should have changed the user.hash.sequence value in WEB-INF/config/jforum-custom.conf

I’m working on the rest.

]]> By: arshan dabirsiaghi http://i8jesus.com/?p=102&cpage=1#comment-27301 arshan dabirsiaghi Mon, 04 Jan 2010 17:24:40 +0000 http://i8jesus.com/?p=102#comment-27301 given the track record of the others you mentioned, i don't think you're in any more trouble choosing JForum given the track record of the others you mentioned, i don’t think you’re in any more trouble choosing JForum

]]> By: Brian http://i8jesus.com/?p=102&cpage=1#comment-27122 Brian Mon, 28 Dec 2009 18:30:07 +0000 http://i8jesus.com/?p=102#comment-27122 Would you recommend JForum then considering these vulnerabilities? I've been asked to evaluate forum software that can hopefully integrate (if possible )with our current Java application. I was looking at JForum, phpBB, and vBulletin. Thanks! Would you recommend JForum then considering these vulnerabilities? I’ve been asked to evaluate forum software that can hopefully integrate (if possible )with our current Java application. I was looking at JForum, phpBB, and vBulletin.
Thanks!

]]>