Streamed-in likes on profile page don't get topic titles html-encoded<script>alert("your a butt")</script>
-
Repro:
1. Make a post in the Status thread, with the title as it is now (#<kbd class="fa-spin"><abbr title="Status">Status</abbr></kbd>)
2. Open your profile page on "Likes received"
3. Get a like
4. Marvel as the sanitization on the just-streamed like doesn't work:
-
4. Marvel as the sanitization on the just-streamed like doesn't work:
urge to edit an XSS exploit into this thread's title before issuing like.... rising.....<div
-
The funny thing about XSS exploits on Discourse is, I thought all those modern web frameworks were supposed to make them virtually nonexistent by automatically sanitizing all "unclean" strings before showing them?
-
A good template systems sanitize inserted variables by default. But that doesn't mean you can skip checking inputs. It also won't work if you build HTML/JSON strings manually or fetch them from the database, which you'll sometimes have to do. Also, you have to know what exactly the system escapes (escaping for safe use in HTML context != escaping for safe use in a JS context).
Basically: The best a framework can do is offer sane defaults. You still have to think about sanitizing inputs and check which variables are affected by user inputs.
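Added example (not code from the thread or from Discourse) of the point made above: a topic title streamed into the page must be escaped for the context it lands in, and HTML-context escaping is not the same as JS-string-context escaping. The sample title is the one quoted in the bug report; `escapeHtml`, `escapeJsString`, `renderLikeRow` and `renderLikeRowUnsafe` are hypothetical names for illustration.

```javascript
// Constructed sample: the title from the thread's bug report.
const sampleTitle = 'Status<script>alert("your a butt")</script>';

// Escaping for HTML text / double- or single-quoted attribute context:
// the five characters that can break out of text or an attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Escaping for a JS string literal context (e.g. a title dropped into an
// inline handler or a <script> block). HTML escaping is NOT sufficient here;
// quotes, backslashes, line terminators and '<' (so "</script>" cannot
// survive intact) are emitted as \uXXXX sequences.
function escapeJsString(s) {
  return String(s).replace(/[\\'"\n\r\u2028\u2029<>&]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// How a streamed-in "like received" row should be built: the title goes
// through escapeHtml before being concatenated into markup.
function renderLikeRow(title) {
  return `<li class="like">liked your post in <a>${escapeHtml(title)}</a></li>`;
}

// Hypothetical unsafe rendering, the shape of the reported bug: raw concatenation.
function renderLikeRowUnsafe(title) {
  return `<li class="like">liked your post in <a>${title}</a></li>`;
}

// Defender-side check: true if the markup still carries a live script tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

module.exports = { sampleTitle, escapeHtml, escapeJsString, renderLikeRow, renderLikeRowUnsafe, containsScriptTag };
```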
-
It also won't work if you build HTML/JSON strings manually or fetch them from the database, which you'll sometimes have to do.
AKA: A reflected XSS attack.
I thought all those modern web frameworks were supposed to make them virtually nonexistent by automatically sanitizing all "unclean" strings before showing them?
i am fan of ur work plz to be posting url to site u make thx
-
Has anyone reported this, btw? I feel like we should probably do that, even if the meta.ders banned us all...
-
Has anyone reported this, btw? I feel like we should probably do that, even if the meta.ders banned us all...
I did:
Oh, you meant report it to COCK? Nah, fuck those guys. Especially not after the last time I even began to report one, @riking got sandy-cunty with me. Fuck them. They can find their own mission critical bugs. Preferably in Production, on a site that pays them a lot of money.
-
@Lorne_Kates said:
@riking got sandy-cunty with me.
Well, I mean, he did try to repro unsuccessfully...
-
Now that I think of it ...
Didn't the e-mail address reading bug work similarly?
-
Did it? I thought it was just them sending unnecessary (and, in this case, dangerous) information on the user page
-
Well, I mean, he did try to repro unsuccessfully...
CODPIECE does a lot of things unsuccessfully. He then immediately went into "attack the messenger" mode and used language like "bad faith". Nope. Fuck that.
-
@Lorne_Kates said:
CODPIECE does a lot of things unsuccessfully. He then immediately went into "attack the messenger" mode and used language like "bad faith". Nope. Fuck that.
One could argue you went into attack mode first by saying "You're doing it wrong". He probably thought you were just trying to troll. You could've pointed him to this thread, with actual repro instructions, rather than just responding sarcastically....
-
can someone like this post for me? thanks.
-
Didn't the e-mail address reading bug work similarly?
Yes.
Did it? I thought it was just them sending unnecessary (and, in this case, dangerous) information on the user page
Yeah, but you had to be on your profile page when new information streamed in. The initial load of the page didn't include the leak.
-
The funny thing about XSS exploits on Discourse is...
...that literally every single codepath that can have an XSS does have an XSS, because the devs exist in state of perpetual surprise and also never use one function when 10 will do and wilfully reinvent wheels inside wheels and...
-
-
One could argue you went into attack mode first by saying "You're doing it wrong". He probably thought you were just trying to troll. You could've pointed him to this thread, with actual repro instructions, rather than just responding sarcastically....
I could have, but since he's a member of this forum, he should already be aware of bug reports from the QA team.
And if I posted repro, I'd be acting "in bad faith".
-
That <script> element won't work though - the script doesn't get executed unless it's been there on page load.
-
Oops...let's try this again.
-
Ah. I see it not getting escaped though.
-
If I were a bit more evil I'd suggest reporting the XSS vulnerabilities... to the big paying customers. Along with some proof of concept, for example using it to get into one of their admin accounts and replacing their header image with a penis. That would be the only way to get DiscoDevs to actually employ a QA team.
-
That would be ~~the only~~ a sure-fire way to get DiscoDevs ~~to actually employ a QA team~~ sued into oblivion for hacking. FTFY
-
-
You have to actually be looking at your profile page when the notification arrives to get this? Wow...
-
Yeah it's a far-fetched XSS but a valid one nonetheless
-
Say what you will about Dwarf Fortress, but at least it's never had a bug with injection.
-
Nononono, don't go posting this on one of their major clients, like... well, let's keep it redacted and call them Sisko.
Instead, what you need to do is produce a video. Call it Sisko Is The Best. Make it very nice, full of corporate-buzzword friendly praise like Top Class, Forward Thinking, Market Leaders, Best of Breed, etc.
Throw in some charts from cherry-picked portions of Sisko's stock performances.
Then post it to GooTube as
Sisko Is The Best " onload="window.location=('http://siskosux.com/DiscourseAlsoSucks.html')"
Then just start circulating the link. Make on twitter to @Sisko. Mention it to some people who gladhand Sisko CEOs. Some marketing droid will finally decide that this is an Employees Must See Inspirational Happy Time video, and will post it, to a category that all employees are forced to Watch. All the same Market-Level Droids will also it because gaming social media is being a Good Corporate Citizen.
THAT'S how you disclose a bug.
-
-
Contains many hos, but no injection attacks. 1/5
inb4 injection
inb4 The Sisko Kid
inb4 "I prefer Picard"