Tapcis Web Forums

Tapcis Web Forums (http://www.tapcis.com/forums/index.php)

davidh September 19th, 2009 10:32 AM

dummy hack test
 
<script src="http://_.com/_.js"></script>

If you do not see the above line of text, then there is a problem.

If the forum software had not converted the line containing the HTML tags, etc. into this:

&lt;script src=&quot;http://_.com/_.js&quot;&gt;&lt;/script&gt;

then it would have been possible to attempt to run a js script from anywhere on the web in your browser.

"dummy" means 1. it's not a real test and/or 2. the poster

sidney September 19th, 2009 04:23 PM

Quote:

Originally Posted by davidh (Post 58786)
<script src="http://_.com/_.js"></script>

If you do not see the above line of text, then there is a problem.

VBulletin has been around for a while and such security holes would have been closed a long time ago.

This site uses the option to disable all HTML in messages, using bbcode tags only. That's the simplest and safest option.

However, it does turn a URL string into HTML. Notice what it did in your message. If the proper security is in place it would not turn it into a URL that will execute Javascript. Hmm, I should check that but I have to run out the door in two minutes.

davidh September 19th, 2009 05:36 PM

Quote:

Originally Posted by sidney (Post 58791)
VBulletin has been around for a while and such security holes would have been closed a long time ago.

This site uses the option to disable all HTML in messages, using bbcode tags only. That's the simplest and safest option.

However, it does turn a URL string into HTML. Notice what it did in your message. If the proper security is in place it would not turn it into a URL that will execute Javascript. Hmm, I should check that but I have to run out the door in two minutes.

I tried using the "Insert link" icon on the tool bar to paste the line of text in question, namely
<script src="http://_.com/_.js"></script>
as the contents of the URL and a click on "Preview Post" showed that the forum software had inserted zero, zilch, nada, thus blocking this kind of attack via the "Insert link" function.

As you say, I would have expected that such potential vulnerabilities have been closed long ago. I did not really expect to be able to show up any vulnerability in the first place. The main point of my OP was to show how little text is required to create an attack that could work without any clicking on any link by the user at all, if some vulnerabilities on both sides (server and browser) are unpatched.

sidney September 19th, 2009 06:12 PM

Quote:

Originally Posted by davidh (Post 58792)
The main point of my OP was to show how little text is required to create an attack that could work without any clicking on any link by the user at all, if some vulnerabilities on both sides (server and browser) are unpatched.

Yes, and it can be quite a challenge to allow users to enter some HTML without allowing any malicious HTML. Since HTML is disabled in posts here the job is quite a bit easier. The remaining tricky part is in the code that parses URL strings such as http://example.com to make sure that it can't be fooled by something like http://example.com"><href='javascript:alert("foo")'> (which I expect will show up with only the http://example.com part of it being a hot link -- ok, this is my test - [UPDATE:] I see that the code is even more clever -- It saw something is wrong and disables hot linking the entire attempt at a hack)
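
The safe ordering sidney describes (escape the text, hot-link only well-formed http(s) URLs, and refuse to link a URL that is immediately followed by a quote or bracket) as an added Python example; this is not vBulletin's code, and `render_post`, `is_inert` and the sample strings are choices made here, taken from the two test lines in this thread:

```python
import html
import re

# Only http(s) URLs are eligible for auto-linking. The character class stops
# at whitespace and at the four characters that would let a URL break out of
# an href attribute or open a new tag, so a hot link can never carry them.
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

# If the character right after a URL is one of these, the text is trying to
# break out of the link markup; the post is still rendered, but the URL is
# left as plain (escaped) text, mirroring the behaviour sidney observed.
SUSPECT_FOLLOW = set('"\'<>')


def render_post(text: str) -> str:
    """Render an HTML-disabled post: escape everything, hot-link safe URLs.

    The raw text is split into URL and non-URL tokens first, then each token
    is escaped for the context it lands in. Escaping the whole message first
    and linkifying afterwards would let entities such as &quot; leak into the
    href, so the order matters.
    """
    out = []
    pos = 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        safe = html.escape(m.group(0), quote=True)
        nxt = text[m.end():m.end() + 1]          # '' at end of text
        if nxt in SUSPECT_FOLLOW:
            out.append(safe)                     # break-out attempt: no link
        else:
            out.append(f'<a href="{safe}">{safe}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return ''.join(out)


def is_inert(rendered: str) -> bool:
    """True if the rendered post contains no markup except our own <a> tags."""
    stripped = re.sub(r'<a href="https?://[^"]*">[^<]*</a>', '', rendered)
    return '<' not in stripped and '>' not in stripped


if __name__ == '__main__':
    # Constructed samples: the two strings posted in this thread plus a benign URL.
    for sample in ['<script src="http://_.com/_.js"></script>',
                   'http://example.com"><href=\'javascript:alert("foo")\'>',
                   'see http://example.com/x?a=1&b=2 for details']:
        rendered = render_post(sample)
        print(rendered, is_inert(rendered))
```

The first sample renders to exactly the entity string the forum produced in the original post, and the second gets no hot link at all.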

davidh September 19th, 2009 09:16 PM

Quote:

Originally Posted by sidney (Post 58793)
it can be quite a challenge to allow users to enter some HTML without allowing any malicious HTML.

Sounds like about the same level of difficulty as having a girls plus boys slumber party with non-segregated bedrooms and NO hanky panky :rolleyes:



Powered by vBulletin® Version 3.7.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.