bug in attachments names
Choli
Elite Member
O.P. bug in attachments names
There's a bug that lets a user upload an attachment with a dodgy name that can make the pages look weird. As an example, see the name of the attached file, and now think about what would have happened if the name had something like <script> ... :mipdodgy:

.txt File Attachment: normal<b>bold<font size='7'>size.txt (20 bytes)
This file has been downloaded 210 time(s).
Messenger Plus! en español:
<< http://www.msgpluslive.es/ >>
<< http://foro.msgpluslive.es/ >>
:plus4:
05-20-2004 04:05 PM
KeyStorm
Elite Member
RE: bug in attachments names
I finally can add Flashes to my sig :d :banana:

:o dangerous security bug...
05-20-2004 04:12 PM
WDZ
Former Admin
RE: bug in attachments names
Hmm... dodgy. I didn't think Windows would allow such characters in file names... :dodgy:
05-20-2004 04:15 PM
CookieRevised
Elite Member
RE: bug in attachments names
Fortunately, <script> wouldn't be possible to use though... (I think...... I hope..... gonna test this :p)

edit: hmmm... I thought you used mybb code and that the filename got converted... you actually used < and > ? How did you do that? Cause what WDZ said is true, Windows wouldn't allow it...

?

or was it the use of %3C and %3E ?

This post was edited on 05-20-2004 at 04:27 PM by CookieRevised.
.-= A 'frrrrrrrituurrr' for Wacky =-.
05-20-2004 04:16 PM
Choli
Elite Member
O.P. RE: bug in attachments names
quote:
Originally posted by KeyStorm
I finally can add Flashes to my sig
not in the sig:p only in attachments
quote:
Originally posted by WDZ
I didn't think Windows would allow such characters in file names
Windows not, but Linux yes. I was testing in my own mybb installation and I could upload a file with "<script>" in its name. Then the page couldn't be viewed from that point :O
quote:
Originally posted by CookieRevised
you actually used < and > ?
yes, i did.

just create a file in linux, something like

echo hello > normal\<b\>bold\<font\ size=\'7\'\>size.txt

and upload it ...
quote:
Originally posted by KeyStorm
dangerous security bug...
of course....


Anyway, I see that's fixed now :banana:

This post was edited on 05-20-2004 at 05:09 PM by Choli.
05-20-2004 04:57 PM
Profile PM Find Quote Report
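
The behaviour reported in this thread comes from writing the uploaded file's name into the page without HTML-encoding it. The PHP below is an added example, not MyBB's code and not something posted in the thread; the function names, the markup and the sample names are assumptions made for illustration.

```php
<?php
// Added example, not MyBB's code. Function names and markup are hypothetical.

// Vulnerable pattern: the client-supplied file name goes into the page as-is,
// so any markup inside it is parsed by the browser.
function render_attachment_unsafe(string $name, int $bytes, int $downloads): string
{
    return "Attachment: <a href=\"#\">$name</a> ($bytes bytes)<br />"
         . "This file has been downloaded $downloads time(s).";
}

// Hardened pattern: encode the name for the HTML context at output time.
// ENT_QUOTES also encodes ' and ", which matters if the name is ever placed
// inside an attribute value.
function render_attachment_safe(string $name, int $bytes, int $downloads): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "Attachment: <a href=\"#\">$safe</a> ($bytes bytes)<br />"
         . "This file has been downloaded $downloads time(s).";
}

// Defence in depth at upload time: keep only the last path component and
// replace everything outside a conservative allow-list. Output encoding is
// still required, because rows stored earlier may already hold raw names.
function normalize_upload_name(string $clientName): string
{
    $base  = basename(str_replace('\\', '/', $clientName));
    $clean = (string) preg_replace('/[^A-Za-z0-9._-]+/', '_', $base);
    $clean = trim($clean, '._');
    return $clean === '' ? 'attachment' : substr($clean, 0, 100);
}

// Constructed sample names, modelled on the shapes shown in the thread.
$samples = [
    "normal<b>bold<font size='7'>size.txt",
    "<script>test.txt",
];

foreach ($samples as $name) {
    echo render_attachment_unsafe($name, 20, 0), "\n"; // markup reaches the page
    echo render_attachment_safe($name, 20, 0), "\n";   // markup shown as text
    echo normalize_upload_name($name), "\n\n";         // name as it would be stored
}
```
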
Mike
Elite Member
RE: bug in attachments names
* Mike wanted to see how it looks... :(

So you mean that it allowed you to use html?
YouTube closed-captions ripper (also allows you to download videos!)
05-20-2004 05:41 PM
Choli
Elite Member
O.P. RE: bug in attachments names
quote:
Originally posted by Mike2
* Mike2 wanted to see how it looks...
[Image: file_text.gif] Attachment: normalboldsize.txt (20 bytes)
This file has been downloaded 12 time(s).


quote:
Originally posted by Mike2
So you mean that it allowed you to use html?
yes... :mipdodgy:

see more examples at
http://usuarios.lycos.es/lostintos/choli/foros/showthread.php?tid=6 (I've deleted the one with <script>, btw)

This post was edited on 05-20-2004 at 06:44 PM by Choli.
05-20-2004 06:43 PM
CookieRevised
Elite Member
RE: bug in attachments names
I got a nice script one:

<script>windows.status='VERY DANGEROUS THREAD'</script>test.txt

:P

This post was edited on 05-20-2004 at 07:09 PM by CookieRevised.
05-20-2004 07:09 PM
Choli
Elite Member
O.P. RE: bug in attachments names
quote:
Originally posted by CookieRevised

<script>windows.status='VERY DANGEROUS THREAD'</script>test.txt

I've also thought about that but it can't be done, because in Linux (and also in Win) you can't create a file with a / in its name (in Linux you can put a \ , however <\script> isn't recognized by browsers :P)
05-20-2004 08:57 PM
Mike
Elite Member
RE: bug in attachments names
Cool.
I want to put a background music :P
05-21-2004 07:11 PM