Author Topic: found bug with potential security issue  (Read 4719 times)

Offline societyofrobots

  • Jr. Member
  • **
  • Posts: 198
found bug with potential security issue
« on: April 11, 2010, 09:11:17 AM »
Typically spambots sign up accounts, leave a website in the user profile, and never make a post.

Strangely, the spambots have now found a way to hide the website.

For example:
http://www.societyofrobots.com/robotforum/index.php?action=profile;u=7540

You can't see a website, at least until you look at the source code:
Code:
<td><b>Website: </b></td>
<td><a href="http://www.ro-bot.de" target="_blank"></a></td>

Searching for users with zero posts that have a website brings up this user.

I'm using SMF 1.1.11.

(I'll probably delete the user in a few weeks)
« Last Edit: April 22, 2010, 03:03:09 PM by Norv »
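
An added example (not part of the original posts, and not SMF code): a Python check that flags links carrying an href but no visible text or image, which is the pattern in the profile markup quoted above. The first two lines of the sample are the markup from the post; the other rows and all class and function names are constructed for illustration.

```python
from html.parser import HTMLParser

class EmptyLinkFinder(HTMLParser):
    """Collect <a href> elements that render no visible text or image."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hidden = []        # hrefs of links with nothing to click on
        self._href = None       # href of the anchor currently open, if any
        self._visible = False   # has the open anchor shown text or an image?

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._close_anchor()            # tolerate an unclosed earlier <a>
            self._href = dict(attrs).get("href")
            self._visible = False
        elif tag == "img" and self._href is not None:
            self._visible = True            # an icon counts as visible content

    def handle_data(self, data):
        # strip() also removes non-breaking spaces decoded from &nbsp;
        if self._href is not None and data.strip():
            self._visible = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._close_anchor()

    def _close_anchor(self):
        if self._href and not self._visible:
            self.hidden.append(self._href)
        self._href = None

def find_hidden_links(html):
    """Return the hrefs of anchors that a visitor cannot see or click."""
    parser = EmptyLinkFinder()
    parser.feed(html)
    parser.close()
    parser._close_anchor()                  # flush an anchor left open at EOF
    return parser.hidden

# Sample input: rows 1-2 are quoted from the post, rows 3-5 are constructed.
SAMPLE = """<td><b>Website: </b></td>
<td><a href="http://www.ro-bot.de" target="_blank"></a></td>
<td><a href="http://example.org/" target="_blank">My site</a></td>
<td><a href="http://example.net/"><img src="www.gif" alt="" /></a></td>
<td><a href="http://example.com/"> &nbsp; </a></td>"""

if __name__ == "__main__":
    for href in find_hidden_links(SAMPLE):
        print("hidden link:", href)
```
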

Offline Kays

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 8,973
  • Gender: Male
    • Kayssplace
Re: found bug with potential security issue
« Reply #1 on: April 11, 2010, 09:35:28 AM »
Hi, I don't think this is a bug. If the website name is omitted, no warning will be given and it will display as such.

If that user were to make a post, then the website icon will appear but nothing when you hover over it. The behaviour is the same for 2.0, except that in the profile, the icon is shown now rather than a link.

If at first you don't succeed, use a bigger hammer. If that fails, read the manual.
My Mods

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,065
    • Arantor on GitHub
Re: found bug with potential security issue
« Reply #2 on: April 11, 2010, 09:40:46 AM »
Interesting. It's not clickable because there's no text, but it still shows to search engines, etc.

All that's happened is that they've not added any text to the 'website title' area in their profile, but the link is still generated. 2.0 RC3 does the same thing.

To work around it, modify this part of Load.php.

Code:
	while ($row = mysql_fetch_assoc($request))
	{
		$new_loaded_ids[] = $row['ID_MEMBER'];
		$loaded_ids[] = $row['ID_MEMBER'];
		$row['options'] = array();
		$user_profile[$row['ID_MEMBER']] = $row;
	}

Replace it with:
Code:
	while ($row = mysql_fetch_assoc($request))
	{
		// Blank both fields unless the profile has both a URL and a title, so no empty link is rendered.
		if (isset($row['websiteUrl']) && (empty($row['websiteTitle']) || empty($row['websiteUrl'])))
		{
			$row['websiteUrl'] = '';
			$row['websiteTitle'] = '';
		}
		$new_loaded_ids[] = $row['ID_MEMBER'];
		$loaded_ids[] = $row['ID_MEMBER'];
		$row['options'] = array();
		$user_profile[$row['ID_MEMBER']] = $row;
	}


The equivalent code for 2.0 is:
Code: (find)
	while ($row = $smcFunc['db_fetch_assoc']($request))
	{
		$new_loaded_ids[] = $row['id_member'];
		$loaded_ids[] = $row['id_member'];
		$row['options'] = array();
		$user_profile[$row['id_member']] = $row;
	}

Code: (replace)
	while ($row = $smcFunc['db_fetch_assoc']($request))
	{
		// Blank both fields unless the profile has both a URL and a title, so no empty link is rendered.
		if (isset($row['website_url']) && (empty($row['website_title']) || empty($row['website_url'])))
		{
			$row['website_url'] = '';
			$row['website_title'] = '';
		}
		$new_loaded_ids[] = $row['id_member'];
		$loaded_ids[] = $row['id_member'];
		$row['options'] = array();
		$user_profile[$row['id_member']] = $row;
	}

It isn't a security vulnerability but it IS an unexpected negative side effect.
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

You either die a hero or live long enough to see yourself become the villain. It seems you have chosen which, and now I must do the same.

Offline societyofrobots

  • Jr. Member
  • **
  • Posts: 198
Re: found bug with potential security issue
« Reply #3 on: April 13, 2010, 03:06:37 AM »
Will this fix be included in future code versions?
(I assume so, but just in case)

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,065
    • Arantor on GitHub
Re: found bug with potential security issue
« Reply #4 on: April 13, 2010, 03:08:59 AM »
It may be, it's up to the devs. It isn't a *security* issue so I don't see it being back ported to 1.1.x though.

Offline societyofrobots

  • Jr. Member
  • **
  • Posts: 198
Re: found bug with potential security issue
« Reply #5 on: April 13, 2010, 03:14:21 AM »
Well, I just meant for future versions.

The existence of this bug encourages spambot accounts, but otherwise, yea, not a security issue.

I'll wait and see. Thanks!

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,065
    • Arantor on GitHub
Re: found bug with potential security issue
« Reply #6 on: April 13, 2010, 03:19:49 AM »
If it is changed I see it only being changed in 2.0.