found bug with potential security issue

Started by societyofrobots, April 11, 2010, 09:11:17 AM

societyofrobots

Typically spambots sign up accounts, leave a website in the user profile, and never make a post.

Strangely, the spambots have now found a way to hide the website.

For example:
http://www.societyofrobots.com/robotforum/index.php?action=profile;u=7540

You can't see a website, at least until you look at the source code:
<td><b>Website: </b></td>
<td><a href="http://www.ro-bot.de" target="_blank"></a></td>


Searching for users with zero posts that have a website brings up this user.

I'm using SMF 1.1.11.

(I'll probably delete the user in a few weeks)

Kays

Hi, I don't think this is a bug. If the website name is omitted no warning will be given and it will display as such.

If that user were to make a post, then the website icon will appear but nothing when you hover over it. The behaviour is the same for 2.0. Except that in the profile, the icon is shown now rather than a link.

If at first you don't succeed, use a bigger hammer. If that fails, read the manual.
My Mods

Arantor

Interesting. It's not clickable because there's no text, but it still shows to search engines, etc.

All that's happened is that they've not added any text to the 'website title' area in their profile, but the link is still generated. 2.0 RC3 does the same thing.

To work around it, modify this part of Load.php.

while ($row = mysql_fetch_assoc($request))
{
	$new_loaded_ids[] = $row['ID_MEMBER'];
	$loaded_ids[] = $row['ID_MEMBER'];
	$row['options'] = array();
	$user_profile[$row['ID_MEMBER']] = $row;
}


Replace it with:
while ($row = mysql_fetch_assoc($request))
{
	// Blank both website fields when either is empty, so the template never
	// emits an anchor with a URL but no visible link text.
	if (isset($row['websiteUrl']) && (empty($row['websiteTitle']) || empty($row['websiteUrl'])))
	{
		$row['websiteUrl'] = '';
		$row['websiteTitle'] = '';
	}
	$new_loaded_ids[] = $row['ID_MEMBER'];
	$loaded_ids[] = $row['ID_MEMBER'];
	$row['options'] = array();
	$user_profile[$row['ID_MEMBER']] = $row;
}



The equivalent code for 2.0 is:
Code (find):
while ($row = $smcFunc['db_fetch_assoc']($request))
{
	$new_loaded_ids[] = $row['id_member'];
	$loaded_ids[] = $row['id_member'];
	$row['options'] = array();
	$user_profile[$row['id_member']] = $row;
}


Code (replace):
while ($row = $smcFunc['db_fetch_assoc']($request))
{
	// Same rule as for 1.1.x, with the 2.0 lower-case column names:
	// no title (or no URL) means no link is generated at all.
	if (isset($row['website_url']) && (empty($row['website_title']) || empty($row['website_url'])))
	{
		$row['website_url'] = '';
		$row['website_title'] = '';
	}
	$new_loaded_ids[] = $row['id_member'];
	$loaded_ids[] = $row['id_member'];
	$row['options'] = array();
	$user_profile[$row['id_member']] = $row;
}


It isn't a security vulnerability but it IS an unexpected negative side effect.
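An added example, not code from this thread or from SMF: the spam profile above works because the rendered page contains an anchor with an href but no text, so a human sees nothing while a crawler still follows the link. The script below does two things a forum admin might want: it scans a page's HTML for exactly that pattern (an anchor whose only content is whitespace, treating an image-only anchor as visible since 2.0 renders an icon), and it applies the same blanking rule as the Load.php workaround to a profile row. The HTML and the member rows are constructed inline for the example; the `example.com` URL, the member IDs, and the function names are assumptions.

```python
"""Detect anchors that render with no visible text, and mirror the
Load.php workaround from the thread on a profile row.

Added example, not part of SMF. Sample HTML and rows are constructed
here; only the ro-bot.de URL and member 7540 come from the thread.
"""
from html.parser import HTMLParser


class HiddenLinkFinder(HTMLParser):
    """Collect hrefs of <a> elements whose content is empty or whitespace.

    An anchor that contains an <img> is counted as visible: the icon can be
    seen and clicked even though the anchor has no text.
    """

    def __init__(self):
        super().__init__()
        self._in_anchor = False
        self._href = None
        self._text = []
        self._has_img = False
        self.hidden = []   # hrefs that produce an invisible link
        self.visible = []  # hrefs that render with text or an image

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self._in_anchor:
            self._in_anchor = True
            self._href = dict(attrs).get("href")
            self._text = []
            self._has_img = False
        elif tag == "img" and self._in_anchor:
            self._has_img = True

    def handle_data(self, data):
        if self._in_anchor:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or not self._in_anchor:
            return
        self._in_anchor = False
        if self._href is None:
            return  # a named anchor, not a link
        text = "".join(self._text).strip()
        if text or self._has_img:
            self.visible.append(self._href)
        else:
            self.hidden.append(self._href)


def find_hidden_links(html):
    """Return hrefs of links that a reader cannot see but a crawler can."""
    p = HiddenLinkFinder()
    p.feed(html)
    p.close()
    return p.hidden


def blank_untitled_website(row):
    """Same rule as the 2.0 Load.php replacement: if either website field is
    empty, blank both so the template never emits <a href="..."></a>.
    Keys follow the 2.0 column names (website_url, website_title)."""
    row = dict(row)
    if "website_url" in row and (not row.get("website_title") or not row.get("website_url")):
        row["website_url"] = ""
        row["website_title"] = ""
    return row


# Constructed HTML: first row copies the profile snippet quoted in the thread,
# the second is a normal, titled website link (example.com is an assumption).
PROFILE_HTML = """<table>
<tr><td><b>Website: </b></td>
<td><a href="http://www.ro-bot.de" target="_blank"></a></td></tr>
<tr><td><b>Website: </b></td>
<td><a href="http://example.com/" target="_blank">My site</a></td></tr>
<tr><td><a href="http://example.com/icon" target="_blank"><img src="www.gif" /></a></td></tr>
</table>"""

# Constructed member rows in the 2.0 column layout.
SPAM_ROW = {"id_member": 7540, "website_url": "http://www.ro-bot.de", "website_title": ""}
NORMAL_ROW = {"id_member": 1, "website_url": "http://example.com/", "website_title": "My site"}


if __name__ == "__main__":
    print("hidden links:", find_hidden_links(PROFILE_HTML))
    print("spam row after fix:", blank_untitled_website(SPAM_ROW))
    print("normal row after fix:", blank_untitled_website(NORMAL_ROW))
```

Running the scanner over a crawled copy of member profiles is a quick way to find every account affected before the Load.php change is applied; the hidden list is also the set of URLs search engines were being fed.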

societyofrobots

Will this fix be included in future code versions?
(I assume so, but just in case)

Arantor

It may be, it's up to the devs. It isn't a *security* issue so I don't see it being back ported to 1.1.x though.

societyofrobots

Well, I just meant for future versions.

The existence of this bug encourages spambot accounts, but otherwise, yea, not a security issue.

I'll wait and see. Thanks!

Arantor

If it is changed I see it only being changed in 2.0.