2 gstlt Mar 15, 2011 12:26
data:image/s3,"s3://crabby-images/0a30c/0a30c6ea67695433ba042731343c3ba430452690" alt=""
we do not know even that's a real vulnerability or spam or whatever.
A vulnerability was discovered in b2evolution 4.0.3. For details please email me. As per our policy we will disclose this vulnerability in a public advisory 14 days after this notification.
Sounds like blackmail...
"Meet me at the DVD kiosk on 11th Ave or we WILL leak the compromising pictures to the press."
:lol:
gstlt wrote:
Just for the record: Has that vulnerability been fixed in 4.0.4?
Given the subtlety of the bug my guess would be no, but I cannot be sure without testing.
BushLeagueCritic wrote:
A vulnerability was discovered in b2evolution 4.0.3. For details please email me. As per our policy we will disclose this vulnerability in a public advisory 14 days after this notification.
Sounds like blackmail...
"Meet me at the DVD kiosk on 11th Ave or we WILL leak the compromising pictures to the press."
:lol:
There is no "or" in my post; vulnerabilities are disclosed after the allotted time period regardless of circumstances.
Again, I will disclose details over a more private medium.
Convince me you're NOT trying to sell an AutoSec Tools "Seal of Approval."
John Leitch wrote:
Again, I will disclose details over a more private medium.
Feel free to email me details yabs@mydomains.tld ( mydomain happens to be innervisions.org.uk ;) )
I'll forward your email to francois if appropriate
We've decided to move forward and release the advisory. For details visit the page below.
http://www.autosectools.com/Advisories/b2evolution.4.0.3_Persistent.Cross-site.Scripting_152.html
Ah yeah, I wouldn't have minded the 14 days to fix it cleanly...
Working on a quick & dirty fix...
This issue is very real (in case anyone has a doubt). Autosec qualifies the threat level as:
Threat Level............Moderate (2/5)
Here is a quick fix you can apply right away if you are concerned:
In the file /blogs/inc/_core/_param.funcs.php go to line 2004 and replace the first few lines of function balance_tags() like this:
function balance_tags( $text )
{
	$tagstack = array();
	$stacksize = 0;
	$tagqueue = '';
	$newtext = '';

	# b2 bug fix for comments - in case you REALLY meant to type '< !--'
	$text = str_replace('< !--', '<    !--', $text);
	# b2 bug fix for LOVE <3 (and other situations with '<' before a number) as well as <?
	# escape the '<' as an entity so the tag loop below never sees it as a tag start
	$text = preg_replace('#<([0-9?]{1})#', '&lt;$1', $text);

	while( preg_match('~<(\s*/?\w+)\s*(.*?)/?>~s', $text, $regex) )
	{
		// ... rest of the function unchanged
This quick fix is designed to detect the <? combination the same way it was already detecting <3.
This solves the given exploit demo. I am not sure it fixes everything that would be similar. Still working on this.
The following is a more generic fix:
function balance_tags( $text )
{
	$tagstack = array();
	$stacksize = 0;
	$tagqueue = '';
	$newtext = '';

	# b2 bug fix for comments - in case you REALLY meant to type '< !--'
	$text = str_replace('< !--', '<    !--', $text);
	// escape any < that does not look like a tag, i-e: that is not followed by a letter like in <a> or a / like in </a>:
	// (also not escaping comments like <!-- )
	// the '<' becomes the entity &lt; so the tag loop below cannot match it
	$text = preg_replace('#<([^a-z/!]{1})#i', '&lt;$1', $text);

	while( preg_match('~<(\s*/?\w+)\s*(.*?)/?>~s', $text, $regex) )
	{
		// ... rest of the function unchanged
If you have an opinion on which is better, please let me know.
CVS updated.
I think that use of htmlentities would be simpler than preg_replace. Wouldn't it?
EDIT: b2evolution 4.0.4 is also vulnerable
gstlt wrote:
I think that use of htmlentities would be simpler than preg_replace. Wouldn't it?
htmlentities() escapes all tags, but that's not what we want to do.
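To make the comparison between the two patches and the htmlentities() suggestion concrete, here is an added example that is not from the thread or from b2evolution's code: it ports the three regexes posted above (the <3/<? quick fix, the generic "not followed by a letter, / or !" fix, and the tag matcher from the while loop) to Python's re module and runs them, together with a full-entity escape standing in for htmlentities(), over a few constructed strings. The sample strings and function names are this example's own.

```python
import html
import re

# Constructed sample strings for this example (not taken from the thread or the
# advisory); each exercises a different kind of '<' the patches must tell apart.
SAMPLES = [
    "LOVE <3 you",                 # '<' before a digit: the original b2 fix
    "<?xml version='1.0'?>",       # '<' before '?': what the quick fix added
    "x <= y",                      # '<' before '=': only the generic fix catches it
    "a <b>bold</b> word",          # real tags, must survive both fixes
    "<!-- a comment -->",          # comment, must survive both fixes
]


def quick_fix(text: str) -> str:
    """Python port of the first patch's preg_replace('#<([0-9?]{1})#', '&lt;$1').
    Escapes '<' only when the next character is a digit or '?'."""
    return re.sub(r"<([0-9?])", r"&lt;\1", text)


def generic_fix(text: str) -> str:
    """Python port of the second patch's preg_replace('#<([^a-z/!]{1})#i', '&lt;$1').
    Escapes any '<' whose next character is not a letter (opening tag), '/'
    (closing tag) or '!' (comment/doctype). Like the PHP original, a '<' with
    nothing after it is left untouched because the class needs one character."""
    return re.sub(r"<([^a-z/!])", r"&lt;\1", text, flags=re.IGNORECASE)


def htmlentities_like(text: str) -> str:
    """Stand-in for the htmlentities() suggestion: escape every '<', '>' and '&'.
    This removes the stray '<' too, but also destroys legitimate markup."""
    return html.escape(text, quote=False)


def tag_tokens(text: str) -> list[str]:
    """Python port of the balancer's loop test preg_match('~<(\\s*/?\\w+)\\s*(.*?)/?>~s'):
    returns the tag names (with a leading '/' for closing tags) the balancer would
    still see after a fix has run, so we can check that only real tags remain."""
    return [m.group(1).strip()
            for m in re.finditer(r"<(\s*/?\w+)\s*(.*?)/?>", text, flags=re.DOTALL)]


def compare(text: str) -> dict[str, str]:
    """Run all three transformations on one input."""
    return {
        "quick": quick_fix(text),
        "generic": generic_fix(text),
        "entities": htmlentities_like(text),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample))
        for name, out in compare(sample).items():
            print(f"  {name:9}-> {out!r:36} tags seen: {tag_tokens(out)}")
```

Running it shows what the generic fix catches that the quick fix does not (the `<=` and any `<` followed by a space or other non-letter), that both leave `<b>`, `</b>` and `<!-- -->` alone, and why htmlentities() is the wrong tool here: it neutralises the stray `<` but also turns `<b>` into `&lt;b&gt;`, so the tag balancer has nothing left to balance.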
Is this threat issue fixed in 4.0.5, I assume?
For your information: Yes, this vulnerability has been fixed in b2evolution 4.0.5. We recommend that you upgrade immediately.