Half-bug, half-design, all XSS
  • #1

    Let's say you make a custom vB code like the following:

    tag: mycode
    replacement: <input type="text" value="{param}" />
    example: [mycode]this is an input box with initial text[/mycode]

    Looks harmless enough. However, think what would happen if you did this:

    [mycode]" onMouseOver="alert('boo')[/mycode]

    It would be parsed to:
    <input type="text" value="" onMouseOver="alert('boo')" />

    Unfortunately I can't really think of a way to secure against this. Possibly an option would be to htmlspecialchars[_uni]() {param} per custom tag, or urlencode().

    So it's not fully a bug, and it's not entirely a design issue, but it can be used completely and easily for XSS exploitation. I've already shut down all of my custom codes that I made at my site and am working on a cheap hack to fix some of them.

    Comments?
    --filburt1, vBulletin.org/vBulletinTemplates.com moderator
    Web Design Forums.net: vB Board of the Month
    vBulletin Mail System (vBMS): webmail for your forum users
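    The attribute injection described in the post, rendered both ways, as an added example that is not part of the thread or of vBulletin's own code. The custom-tag template and the `" onMouseOver="alert('boo')` body come from the post; `render_raw`, `render_escaped` and `parsed_attrs` are hypothetical helpers, and the escaped variant uses Python's `html.escape` as the equivalent of PHP's `htmlspecialchars()` with `ENT_QUOTES`.

```python
import html
from html.parser import HTMLParser

# The custom vB code template from the post: {param} lands inside an attribute value.
TEMPLATE = '<input type="text" value="{param}" />'

# The tag body from the post, constructed here as the test input.
PAYLOAD = '" onMouseOver="alert(\'boo\')'


def render_raw(template: str, param: str) -> str:
    """Vulnerable rendering: the tag body replaces {param} verbatim."""
    return template.replace("{param}", param)


def render_escaped(template: str, param: str) -> str:
    """Hardened rendering: escape &, <, >, " and ' before substitution,
    so the body can never close the attribute it sits in."""
    return template.replace("{param}", html.escape(param, quote=True))


class _AttrCollector(HTMLParser):
    """Record the attributes of the first tag seen, as a browser would read them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)  # names are lowercased, values unescaped

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def parsed_attrs(markup: str) -> dict:
    """Return the attribute set the rendered <input> actually carries."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


if __name__ == "__main__":
    # Raw: a third attribute (an event handler) appears on the element.
    print(render_raw(TEMPLATE, PAYLOAD), parsed_attrs(render_raw(TEMPLATE, PAYLOAD)))
    # Escaped: only type and value remain, and value is the literal body text.
    print(render_escaped(TEMPLATE, PAYLOAD), parsed_attrs(render_escaped(TEMPLATE, PAYLOAD)))
```

    Checking the parsed attribute set rather than the markup string is the useful test here: the fix is correct when the body survives as the `value` text and no attribute beyond `type` and `value` exists.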

  • #2
    Yes.
    --filburt1, vBulletin.org/vBulletinTemplates.com moderator
    Web Design Forums.net: vB Board of the Month
    vBulletin Mail System (vBMS): webmail for your forum users

  • #3
    I guess if you're allowing your users to create input boxes in their posts, there's really not much we can do about it... I cannot think of one reason why you would allow this.

  • #4
    I have some tags that create forms within the posts, including ones to search the forums, Google, W3Schools, etc. The default value of the input box is specified by {param}.

    http://www.webdesignforums.net/thread5595.html
    --filburt1, vBulletin.org/vBulletinTemplates.com moderator
    Web Design Forums.net: vB Board of the Month
    vBulletin Mail System (vBMS): webmail for your forum users

  • #5
    What vBulletin version are you running?

    We fixed something like this with the doubleregex in 2.3.1
    Scott MacVicar

    My Blog | Twitter
