Stephen Posted June 19, 2008 Share Posted June 19, 2008 I found this XSS: http://scott.projecth4x0r.com/beta/message.php?id=\%22%3E%3Cmarquee%3ESTEPHENS%20TESTLOL%3C/marquee%3E Link to comment Share on other sites More sharing options...
Cobalt.Board Posted June 19, 2008 Author Share Posted June 19, 2008 I know why everything isnt working, there is a new beta testing link: http://scott.projecth4x0r.com/beta2 There is where everything is more secure. Link to comment Share on other sites More sharing options...
helraizer Posted June 19, 2008 Share Posted June 19, 2008 http://scott.projecth4x0r.com/beta2/message.php?id=203 Might want to limit the size of signatures. As I said before, your edit signature is annoying. All HTML is stripped, yet it changes BBCode to HTML for the next time you go in to change something, so you have to change the entire thing. Link to comment Share on other sites More sharing options...
Stephen Posted June 19, 2008 Share Posted June 19, 2008 I know why everything isnt working, there is a new beta testing link: http://scott.projecth4x0r.com/beta2 There is where everything is more secure. XSS still there on that beta2 though. http://scott.projecth4x0r.com/beta2/message.php?id=\%22%3E%3Cmarquee%3ESTEPHENS%20TESTLOL%3C/marquee%3E Also: http://scott.projecth4x0r.com/beta2/member.php?username=%22%3E%3Cmarquee%3ESTEPHENS%20TESTLOL%3C/marquee%3E You should make it so if the user doesn't exist, it doesn't show that page. Link to comment Share on other sites More sharing options...
helraizer Posted June 19, 2008 Share Posted June 19, 2008 Based on what Stephen said, people can inject their own javascript, which can be potentially dangerous for your forum. If they were malicious. Minor example Link to comment Share on other sites More sharing options...
Cobalt.Board Posted June 19, 2008 Author Share Posted June 19, 2008 The XSS in posting is still being worked out. We are still working on some of it. Link to comment Share on other sites More sharing options...
helraizer Posted June 19, 2008 Share Posted June 19, 2008 $var = mysql_real_escape_string(htmlspecialchars($_GET['id'])); would suffice. Link to comment Share on other sites More sharing options...
Cobalt.Board Posted June 19, 2008 Author Share Posted June 19, 2008 Where would I put that, eliminated HTML in posts is alreay done. Link to comment Share on other sites More sharing options...
Daniel0 Posted June 19, 2008 Share Posted June 19, 2008 I'd recommend that you escape HTML entities before you output them and not before you insert them into the database. They pose no security risk in the database. The benefit of doing it on each request is that former exploits will be fixed when you deploy a security fix if you do it when outputting it. Had you done it when inserting instead then all existing exploits will still exist and will therefore not be fixed by the new changes. You have far greater control over the content in that way. It also seems that you're parsing bbcodes and such upon insertion into the database. Again, I'd recommend against that. If you parse them when outputting you will instead be able to have greater control over the content - existing content in particular. In that way you can add changes to the bbcode parser and those changes will be immediately reflected on existing and future content. Link to comment Share on other sites More sharing options...
Cobalt.Board Posted June 19, 2008 Author Share Posted June 19, 2008 We perfer to change everything when inputing simply because it is easyer and works just as well. I didnt code the bbcode so dont ask me, the other coder did. Link to comment Share on other sites More sharing options...
helraizer Posted June 19, 2008 Share Posted June 19, 2008 Wherever in your code you have "$_GET['id'];" to show the forum page in message.php. Use what I said earlier. It'll stop the HTML executing. Link to comment Share on other sites More sharing options...
Stephen Posted June 19, 2008 Share Posted June 19, 2008 We perfer to change everything when inputing simply because it is easyer and works just as well. I didnt code the bbcode so dont ask me, the other coder did. But if you're editing the message it would show <img src=""></img> instead of [.img][./img], which would make it harder for the user to edit. If you parse the bbcode when the user is viewing the message then it would make it easier. Link to comment Share on other sites More sharing options...
Cobalt.Board Posted June 19, 2008 Author Share Posted June 19, 2008 Dont ask me, ask the BBcoder, he did it his way, I will re-direct him to this topic so he can work it out. Link to comment Share on other sites More sharing options...
Coreye Posted June 20, 2008 Share Posted June 20, 2008 You can still use HTML when registering. Link to comment Share on other sites More sharing options...
Cobalt.Board Posted June 20, 2008 Author Share Posted June 20, 2008 No, you cant, check the updated link, the old one is the older version of it. Link to comment Share on other sites More sharing options...
Stephen Posted June 20, 2008 Share Posted June 20, 2008 Someone else did this too, but I just put in <script>alert("Test")</script> and it works. All I did was download the source (view source then c+p), edited out the stripTags js and made the max length bigger. Make sure stripping tags isn't done client-side. Link to comment Share on other sites More sharing options...
Coreye Posted June 20, 2008 Share Posted June 20, 2008 No, you cant, check the updated link, the old one is the older version of it. Yes you can. I used http://scott.projecth4x0r.com/beta2/ and you can use HTML when registering. Link to comment Share on other sites More sharing options...
Cobalt.Board Posted June 20, 2008 Author Share Posted June 20, 2008 We will be changing things around, expect a huge security update in a few days. Link to comment Share on other sites More sharing options...
Cobalt.Board Posted June 27, 2008 Author Share Posted June 27, 2008 As promised, here is the update. http://scott.projecth4x0r.com/beta3 All with HTML striping. ALL posts and most members have been cleared. Please feel free to test it. Please note, style editing has been added! Link to comment Share on other sites More sharing options...
imdead Posted June 27, 2008 Share Posted June 27, 2008 http://scott.projecth4x0r.com/beta3/forum.php?name="><marquee><h1>Kevin ]http://scott.projecth4x0r.com/beta3/forum.php?name[] ]http://scott.projecth4x0r.com/beta3/member.php?username[] ]http://scott.projecth4x0r.com/beta3/message.php?id[] http://scott.projecth4x0r.com/beta3/message.php?id=%22%3E Link to comment Share on other sites More sharing options...
Cobalt.Board Posted June 27, 2008 Author Share Posted June 27, 2008 Most of those are not errors, they are just messing with the URL, none of them could harm the forum or are actually in the forum, they are just URL toys. We will be fixing some of those but some will remain. Link to comment Share on other sites More sharing options...
keeB Posted June 27, 2008 Share Posted June 27, 2008 Yeah but it's a vulnerability for XSS. Imagine someone constructs a URL with a malicious script that steals your cookie for your site and emails it to them. Bam, now said person has access. Link to comment Share on other sites More sharing options...
Cobalt.Board Posted June 27, 2008 Author Share Posted June 27, 2008 Well most of it will be romoved, its just a matter of what matters and what doesnt. Link to comment Share on other sites More sharing options...
Recommended Posts