Simple Machines Community Forum

SMF Development => Bug Reports => Fixed or Bogus Bugs => Topic started by: societyofrobots on April 11, 2010, 09:11:17 AM

Title: found bug with potential security issue
Post by: societyofrobots on April 11, 2010, 09:11:17 AM
Typically spambots sign up accounts, leave a website in the user profile, and never make a post.

Strangely, the spambots have now found a way to hide the website.

For example:
http://www.societyofrobots.com/robotforum/index.php?action=profile;u=7540

You can't see a website, at least until you look at the source code:
<td><b>Website: </b></td>
<td><a href="http://www.ro-bot.de" target="_blank"></a></td>


Searching for users with zero posts that have a website brings up this user.

I'm using SMF 1.1.11.

(I'll probably delete the user in a few weeks)
Title: Re: found bug with potential security issue
Post by: Kays on April 11, 2010, 09:35:28 AM
Hi, I don't think this is a bug. If the website name is omitted no warning will be given and it will display as such.

If that user were to make a post, then the website icon will appear but nothing when you hover over it. The behaviour is the same for 2.0. Except that in the profile, the icon is shown now rather than a link.
Title: Re: found bug with potential security issue
Post by: Arantor on April 11, 2010, 09:40:46 AM
Interesting. It's not clickable because there's no text, but it still shows to search engines, etc.

All that's happened is that they've not added any text to the 'website title' area in their profile, but the link is still generated. 2.0 RC3 does the same thing.

To work around it, modify this part of Load.php.

while ($row = mysql_fetch_assoc($request))
{
	$new_loaded_ids[] = $row['ID_MEMBER'];
	$loaded_ids[] = $row['ID_MEMBER'];
	$row['options'] = array();
	$user_profile[$row['ID_MEMBER']] = $row;
}


Replace it with:
while ($row = mysql_fetch_assoc($request))
{
	// Blank both website fields unless a URL and a title are both set, so no empty link is output.
	if (isset($row['websiteUrl']) && (empty($row['websiteTitle']) || empty($row['websiteUrl'])))
	{
		$row['websiteUrl'] = '';
		$row['websiteTitle'] = '';
	}
	$new_loaded_ids[] = $row['ID_MEMBER'];
	$loaded_ids[] = $row['ID_MEMBER'];
	$row['options'] = array();
	$user_profile[$row['ID_MEMBER']] = $row;
}



The equivalent code for 2.0 is:
Code (find):
while ($row = $smcFunc['db_fetch_assoc']($request))
{
	$new_loaded_ids[] = $row['id_member'];
	$loaded_ids[] = $row['id_member'];
	$row['options'] = array();
	$user_profile[$row['id_member']] = $row;
}


Code (replace):
while ($row = $smcFunc['db_fetch_assoc']($request))
{
	// Blank both website fields unless a URL and a title are both set, so no empty link is output.
	if (isset($row['website_url']) && (empty($row['website_title']) || empty($row['website_url'])))
	{
		$row['website_url'] = '';
		$row['website_title'] = '';
	}
	$new_loaded_ids[] = $row['id_member'];
	$loaded_ids[] = $row['id_member'];
	$row['options'] = array();
	$user_profile[$row['id_member']] = $row;
}


It isn't a security vulnerability but it IS an unexpected negative side effect.
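
Added example, not part of the original posts and not SMF code: a small Python audit that scans rendered profile HTML for links that have an href but nothing visible inside them, which is the pattern quoted in the first post. The sample markup is constructed (only the first link is taken from the thread), and the names HiddenLinkFinder and find_hidden_links are hypothetical.

```python
from html.parser import HTMLParser

# Constructed sample: the first row is the markup quoted in the thread; the
# other two are made-up visible links (text, and an icon) for contrast.
SAMPLE_PROFILE_HTML = """
<tr><td><b>Website: </b></td>
<td><a href="http://www.ro-bot.de" target="_blank"></a></td></tr>
<tr><td><b>Website: </b></td>
<td><a href="http://example.org/" target="_blank">My robot blog</a></td></tr>
<tr><td><a href="http://example.net/"><img src="www.gif" alt="" /></a></td></tr>
"""


class HiddenLinkFinder(HTMLParser):
    """Collect <a href> elements that render no text and contain no image."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hidden = []       # hrefs of anchors with nothing visible inside
        self._href = None      # href of the anchor currently open, if any
        self._visible = False  # whether that anchor has shown any content

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._visible = attrs["href"], False
        elif tag == "img" and self._href is not None:
            self._visible = True  # an icon is visible even without text

    def handle_data(self, data):
        # Whitespace alone (including a decoded &nbsp;) does not count as visible.
        if self._href is not None and data.strip():
            self._visible = True

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if not self._visible:
                self.hidden.append(self._href)
            self._href = None


def find_hidden_links(html):
    """Return the href of every anchor in html that shows no text or image."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hidden


if __name__ == "__main__":
    for url in find_hidden_links(SAMPLE_PROFILE_HTML):
        print("hidden link:", url)
```
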
Title: Re: found bug with potential security issue
Post by: societyofrobots on April 13, 2010, 03:06:37 AM
Will this fix be included in future code versions?
(I assume so, but just in case)
Title: Re: found bug with potential security issue
Post by: Arantor on April 13, 2010, 03:08:59 AM
It may be, it's up to the devs. It isn't a *security* issue so I don't see it being back ported to 1.1.x though.
Title: Re: found bug with potential security issue
Post by: societyofrobots on April 13, 2010, 03:14:21 AM
Well, I just meant for future versions.

The existence of this bug encourages spambot accounts, but otherwise, yea, not a security issue.

I'll wait and see. Thanks!
Title: Re: found bug with potential security issue
Post by: Arantor on April 13, 2010, 03:19:49 AM
If it is changed I see it only being changed in 2.0.