This forum is suseptible to XSS attacks!



  • Are the owners of this site aware of this?


    proof of concept



  • I am now. Argh ... I'm really regretting going with this forums software. It's too immature of a product.

    Do you know how to fix this? Or how you found this out?



  • I found this after looking at the HTML of a post with META and STYLE tags on monday' WTF thread. I did wonder why the code processing the post didn't strip out this tags. So I do a little test and found that SCRIPT tags are striped out from the HTML but tag attributes not, so you can easily add an onLoad event that fires the javascript you want.

    How can you solve this… the common approaches to the problem are:

    • Completely disallow the HTML code by escaping the user input.
    • Allow only specific tags. Preferabily by making use of special code (like UBB code) to represent those specific HTML tags. 
    •  Filter out the javacript (or other active scripting) from the HTML code.

    Of course in order to do that you will need the source code (ok not completely necessarily but practically true).
    Anyway, it's not easy to completely protect from XSS attacks in sites where there is active content (especially if the content can be uploaded by the users) but the little protection this forum software seems to have (striping out SCRIPT tags) seems almost like a joke.



  • <FONT style="BACKGROUND-COLOR: #efefef">Thanks. I would expect that FreeTextBox (this rich text control) would handle all that. Aparantly not. If this Forums Software wasn't so complex (ASPX > MasterPageTemplate > UserControl > ServerControl > Class > Stored Proc), I would switch it out.</FONT>

    <FONT style="BACKGROUND-COLOR: #efefef">I already had to hack around FTB -- the lousy control completely would ignore PRE tags, and stripped all spacing!!! I'll just add the script checking there ... what a PITA.</FONT>



  • Is this problem fixed now?



  • @Nagesh said:

    Is this problem fixed now?

    Sure, why not?



  • @apapadimoulis said:

    I am now. Argh ... I'm really regretting going with this forums software. It's too immature of a product.

    :laughing:


  • :belt_onion:

    The more things change...


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.