Shoutbox

bug in attachments names - Printable Version


bug in attachments names by Choli on 05-20-2004 at 04:05 PM

there's a bug that lets a user upload an attachment with a dodgy name that can make the pages look weird. As an example, see the name of the attached file, and now think about what would have happened if the name had something like <script> ... :mipdodgy:


RE: bug in attachments names by KeyStorm on 05-20-2004 at 04:12 PM

I finally can add Flashes to my sig :d :banana:

:o dangerous security bug...


RE: bug in attachments names by WDZ on 05-20-2004 at 04:15 PM

Hmm... dodgy. I didn't think Windows would allow such characters in file names... :dodgy:


RE: bug in attachments names by CookieRevised on 05-20-2004 at 04:16 PM

fortunately, <script> wouldn't be possible to use though... (I think...... I hope..... gonna test this :p)

edit: hmmm... I thought you used mybb code and that the filename gets converted... you actually used < and > ? How did you do that? Cause what WDZ said is true, windows wouldn't allow it...

?

or was it the use of %3C and %3E ?


RE: bug in attachments names by Choli on 05-20-2004 at 04:57 PM

quote:
Originally posted by KeyStorm
I finally can add Flashes to my sig

not in the sig :p only in attachments

quote:
Originally posted by WDZ
I didn't think Windows would allow such characters in file names

windows not, but linux yes. I was testing in my own mybb installation and I could upload a file with "<script>" in its name. Then the page couldn't be viewed from that point :O

quote:
Originally posted by CookieRevised
you actually used < and > ?

yes, i did.

just create a file in linux, something like

echo hello > normal\<b\>bold\<font\ size=\'7\'\>size.txt

and upload it ...

quote:
Originally posted by KeyStorm
dangerous security bug...

of course....


Anyway, I see that's fixed now :banana:


RE: bug in attachments names by Mike on 05-20-2004 at 05:41 PM

* Mike wanted to see how it looks... :(

So you mean that it allowed you to use html?


RE: bug in attachments names by Choli on 05-20-2004 at 06:43 PM

quote:
Originally posted by Mike2
* Mike2 wanted to see how it looks...

[Image: file_text.gif] Attachment: normalboldsize.txt (20 bytes)
This file has been downloaded 12 time(s).


quote:
Originally posted by Mike2
So you mean that it allowed you to use html?

yes... :mipdodgy:

see more examples at
http://usuarios.lycos.es/lostintos/choli/foros/showthread.php?tid=6 (I've deleted the one with <script>, btw)


RE: bug in attachments names by CookieRevised on 05-20-2004 at 07:09 PM

I got a nice script one:

<script>windows.status='VERY DANGEROUS THREAD'</script>test.txt

:P


RE: bug in attachments names by Choli on 05-20-2004 at 08:57 PM

quote:
Originally posted by CookieRevised
<script>windows.status='VERY DANGEROUS THREAD'</script>test.txt

I've also thought about that but it can't be done, because in Linux (and also in Win) you can't create a file with a / in its name (in linux you can put a \ , however <\script> isn't recognized by browsers :P)


RE: bug in attachments names by Mike on 05-21-2004 at 07:11 PM

Cool.
I want to put a background music :P


RE: bug in attachments names by saralk on 05-22-2004 at 02:33 PM

wouldn't that need to be in the head tag though?


RE: bug in attachments names by whcodered on 05-23-2004 at 10:17 PM

quote:
Originally posted by saralk
wouldn't that need to be in the head tag though?

I don't think it really matters...
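

Added example, not part of the thread and not MyBB's own code: the attachment line rendered with and without HTML encoding of the file name, plus a conservative stored name chosen at upload time. The function names, the `#` link target and the sample names are constructed for illustration, with the names modelled on the ones quoted in the thread.

```php
<?php
// Added example, not MyBB code. All function names are hypothetical.

// Pattern behind the bug: the client-supplied name goes into the page as-is,
// so any markup in it becomes part of the document.
function render_attachment_unsafe(string $name, int $bytes): string
{
    return "Attachment: <a href=\"#\">$name</a> ($bytes bytes)";
}

// Output-side fix: encode the name for the HTML context at render time.
function render_attachment_safe(string $name, int $bytes): string
{
    $label = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "Attachment: <a href=\"#\">$label</a> ($bytes bytes)";
}

// Upload-side defence in depth: store a conservative name, whatever the
// uploader's file system allowed. The server receives the name as a plain
// string, so the client's OS rules are not a control.
function sanitize_upload_name(string $name): string
{
    $name = basename(str_replace('\\', '/', $name));        // drop any path part
    $name = preg_replace('/[^A-Za-z0-9._-]+/', '_', $name); // allowlist of characters
    $name = trim($name, '._');                              // no leading/trailing dots or underscores
    if ($name === '') {
        $name = 'attachment';                               // fallback when nothing is left
    }
    return substr($name, 0, 100);                           // bound the stored length
}

// Constructed sample names.
$samples = [
    "normal<b>bold<font size='7'>size.txt",
    "<script>test.txt",
    "report.txt",
];

foreach ($samples as $name) {
    echo "raw name : $name\n";
    echo "unsafe   : " . render_attachment_unsafe($name, 20) . "\n";
    echo "escaped  : " . render_attachment_safe($name, 20) . "\n";
    echo "stored as: " . sanitize_upload_name($name) . "\n\n";
}
```

Encoding at output is the control that closes the hole; the stored-name allowlist only reduces what other code paths (logs, admin pages, download headers) ever see.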