FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » FUDforum 3.0+ » XSS
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
XSS [message #24494] Fri, 29 April 2005 05:04 Go to next message
Cr00t is currently offline  Cr00t   Russian Federation
Messages: 16
Registered: February 2003
Location: Russia
Karma: 0
Junior Member
I use version 2.6.9.

Where is XSS trouble... Please fix it!

use smth like this: [url=javascript:alert('ggggg, xss?');]


::: don't gimme namez :::
Re: XSS [message #24496 is a reply to message #24494] Fri, 29 April 2005 12:18 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
ha? There is no XSS, the forum specifically checks for javascript in URL and img tags and preventsm it's usage, this has been there almost since version 1.0.

FUDforum Core Developer
Re: XSS [message #24503 is a reply to message #24496] Fri, 29 April 2005 15:30 Go to previous messageGo to next message
Cr00t is currently offline  Cr00t   Russian Federation
Messages: 16
Registered: February 2003
Location: Russia
Karma: 0
Junior Member
Ok. Thx for answer

::: don't gimme namez :::
Re: XSS [message #24506 is a reply to message #24496] Fri, 29 April 2005 19:26 Go to previous messageGo to next message
Cr00t is currently offline  Cr00t   Russian Federation
Messages: 16
Registered: February 2003
Location: Russia
Karma: 0
Junior Member
Ilia писал(а) Птн, 29 Апреля 2005 16:18

ha? There is no XSS, the forum specifically checks for javascript in URL and img tags and preventsm it's usage, this has been there almost since version 1.0.


Yeap, there is a filter, like this:

if (strpos(strtolower($parms), 'javascript:') === false) { 


but i can bypass it using special symbols, most of them in 16

if i type "javascrip&_#116;" (without "_" symbol) this filter works, but browser look at the code and execute "javascrip&_#116;" (without "_" symbol)!


::: don't gimme namez :::
Re: XSS [message #24507 is a reply to message #24506] Fri, 29 April 2005 19:38 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
Nope still does not work. The URL appears like this:
<a href="javascript&amp;_#116;alert('ggggg, xss?');" target="_blank">TEST</a>

That's not going to work either.


FUDforum Core Developer
Re: XSS [message #24514 is a reply to message #24507] Sat, 30 April 2005 15:01 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
As you can see it does not work, it does make a link but it's not valid and certainly will not result in JavaScript being executed.

FUDforum Core Developer
Re: XSS [message #24519 is a reply to message #24514] Sat, 30 April 2005 19:38 Go to previous messageGo to next message
Cr00t is currently offline  Cr00t   Russian Federation
Messages: 16
Registered: February 2003
Location: Russia
Karma: 0
Junior Member
Почему у вас на форуме данный линк не работает, а у меня работает?

[url=javascript:alert('ЫЫЫЫЫЫЫЫ, 123');]Нехороший линк[/url]





::: don't gimme namez :::
Re: XSS [message #24520 is a reply to message #24519] Sat, 30 April 2005 19:52 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
Perhaps you made some modifications to the forum that altered the post processing behaviour.

FUDforum Core Developer
Re: XSS [message #24521 is a reply to message #24520] Sun, 01 May 2005 04:55 Go to previous messageGo to next message
Cr00t is currently offline  Cr00t   Russian Federation
Messages: 16
Registered: February 2003
Location: Russia
Karma: 0
Junior Member
Ilia писал(а) Сбт, 30 Апреля 2005 23:52

Perhaps you made some modifications to the forum that altered the post processing behaviour.


what modifications? i have original forum, no hacks. Right now forum version is 2.6.12


::: don't gimme namez :::
Re: XSS [message #37745 is a reply to message #24494] Wed, 20 June 2007 14:12 Go to previous message
htimsl is currently offline  htimsl   United States
Messages: 1
Registered: June 2007
Karma: 0
Junior Member
looks good to me!
  • Attachment: milton1.jpg
    (Size: 25.95KB, Downloaded 1099 times)

[Updated on: Wed, 20 June 2007 14:12]

Report message to a moderator

  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Spell Check Button Help
Next Topic: Test Forums
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 24 05:40:55 GMT 2024

Total time taken to generate the page: 0.02740 seconds