VWE-2017-3734
Return to current revision
Differences in Content
-
[template]Vulnerability
| cve=
| aka= -
+| issueid=5040
-
| severity=Low
| difficulty=Easy
| description=Phishing. Using some BB-Code options, users can place content outside posts and other messages. For example, a user can place an invisible link over legitimate site navigation links and direct users to another web site that looks like a legitimate login page. Does not affect Lite versions.
| discover-date=May 2, 2017
| patch-date=May 16, 2017
| patches=4.0.17 Patch Level 2
4.0.16 Patch Level 3
4.0.15 Patch Level 7
4.0.14 Patch Level 10
4.0.13 Patch Level 10
4.0.12 Patch Level 11
4.0.11 Patch Level 11
| workaround=[/template]
[H=3]Notes[/h]
The patch hides content that flows outside permitted content boxes and makes it more difficult for users to achieve this effect using BB-Code alone. However, users are still permitted to post content in non-standard places, such as header integrations, sidebar blocks, etc.
Phishing attacks are always possible as long as users can post links on your web site, although they may be less effective when the links appear within the visual bounds of a user's post. Phishing vulnerabilities are considered mitigated if it is clear that a user posted the link or the link otherwise appears in the content-area of the page. In many cases, the only real defense against such attacks is vigilance by the victim -- making sure that the address bar still represents the expected site.