Double checking XSS suspicions.


QuirkyQuark
<script>
document.write("This is in javascript!");
alert("XSS Hole!");
</script>
You might want to take a look at this Aika, definitely not cool.

PS: this is not in the forum dev section because html is disabled there.
 
Re: Double checking XSS suspicions.

YARG!
Talk about a really easy bypass!
Needs to be fixed ASAP!
 
Re: Double checking XSS suspicions.

While this is not fixed, I suggest firefox with noscript, set it to not allow any scripts from anything on the forum.


Or just set any other browser to just not allow scripts.
 
Re: Double checking XSS suspicions.

How do you do that?
 
Re: Double checking XSS suspicions.

How do you do that?

It's a JavaScript command, kinda shocked a chat board like this would just allow a user to do something like that under the "HTML code".

@XSI: Oh I already had it thank you, but I knew something was up the SECOND the notice popped up...
 
Re: Double checking XSS suspicions.

Hmm, is there any way to deal with this except completely forbidding html?
 
Re: Double checking XSS suspicions.

Depends if you've got control over the code or not. If you do, then it should just be a basic change to a central file. If you don't, you'd want to contact vBulletin, direct them to this page, tell them their code sucks, and turn off HTML while they fix it.

This is really pathetic. With code injection this easy, I could have a full worm up and running before anyone knew what the fuck was going on. Come on vBulletin, I expect more from you!

EDIT: and yes, noscript is really good.
 
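The "basic change to a central file" above is an output filter: instead of echoing the post body as-is when HTML is enabled, render it through an allow-list sanitizer so a `<script>` block, an `onerror=` handler or a `javascript:` link can never reach the browser as markup. The following Node.js example is added here for illustration and is not vBulletin's code or anything posted in the thread; the tag/attribute allow-list, the helper names and the sample post are assumptions made for the example. It also checks two cases the thread does not mention: an unterminated `<script>` and the `<scr<script>ipt>` nesting trick that defeats sanitizers which strip tags in a separate pass.

```javascript
// Added example, not vBulletin's code. A minimal allow-list HTML sanitizer
// that replaces the "HTML enabled" raw pass-through described in the thread.
// The allow-lists, helper names and sample post are assumptions for this example.

// Tags a post may keep; everything else is rendered as literal text.
const ALLOWED_TAGS = new Set(["b", "i", "u", "em", "strong", "p", "br", "a"]);
// Attributes a kept tag may carry (no event handlers, no style).
const ALLOWED_ATTRS = { a: new Set(["href"]) };

// Escape so the string can only ever be displayed, never parsed as markup.
function escapeText(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// The vulnerable behaviour the thread describes: post body emitted verbatim.
function renderUnsafe(post) {
  return post;
}

// Only http(s) URLs survive; javascript:, data:, vbscript: etc. are dropped.
// Control characters are removed first so "java\tscript:" cannot sneak past.
function safeHref(value) {
  const v = value.trim().replace(/[\u0000-\u001f]/g, "");
  return /^https?:\/\//i.test(v) ? v : null;
}

// Re-serialise only allow-listed attributes of an allow-listed tag.
function sanitizeAttrs(tag, attrString) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  const attrRe = /([a-zA-Z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "";
  let m;
  while ((m = attrRe.exec(attrString)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(name)) continue; // drops onclick=, style=, ...
    if (name === "href") {
      const href = safeHref(value);
      if (href !== null) out += ` href="${escapeText(href)}"`;
    }
  }
  return out;
}

// Allow-list sanitizer in a single pass. Invariant: every '<' in the output
// was written by this function for an allow-listed tag; all other input is
// escaped, so there is no separate strip pass for a nesting trick to exploit.
function sanitizeHtml(post) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(post)) !== null) {
    out += escapeText(post.slice(last, m.index));
    const closing = m[1] === "/";
    const tag = m[2].toLowerCase();
    if (ALLOWED_TAGS.has(tag)) {
      out += closing ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[3])}>`;
    } else if (!closing && (tag === "script" || tag === "style")) {
      // Drop the element together with its body, if the body is terminated.
      const closeRe = new RegExp(`</${tag}\\s*>`, "ig");
      closeRe.lastIndex = tagRe.lastIndex;
      const c = closeRe.exec(post);
      if (c !== null) {
        tagRe.lastIndex = closeRe.lastIndex;
      } else {
        out += escapeText(m[0]); // unterminated: show the tag as text instead
      }
    } else {
      out += escapeText(m[0]);
    }
    last = tagRe.lastIndex;
  }
  out += escapeText(post.slice(last));
  return out;
}

// Constructed sample post, modelled on the payload quoted in the thread.
const SAMPLE_POST =
  'Hello <b>world</b> <a href="javascript:alert(1)" onclick="x()">link</a>' +
  '<script>document.write("This is in javascript!");alert("XSS Hole!");</script>' +
  ' <img src=x onerror=alert(1)> done';

// Both renderings side by side: what the forum did, and what it should do.
function demo() {
  return { unsafe: renderUnsafe(SAMPLE_POST), safe: sanitizeHtml(SAMPLE_POST) };
}

console.log(demo().safe);
```

Run it with `node` to see that the script element disappears, the `javascript:` link and `onclick` handler are stripped while the `<a>` and `<b>` survive, and the `<img onerror>` is shown as harmless text. The point of the single-pass design is that the output can only ever contain tags the function itself wrote; a sanitizer that first deletes `<script>...</script>` and then trusts what is left can be fooled by `<scr<script>ipt>`, which becomes `<script>` once the inner match is removed. For a production forum a maintained library such as HTML Purifier (PHP) or DOMPurify (browser) should be used in place of this toy, but the allow-list principle is the same.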
Re: Double checking XSS suspicions.

Except that I have noscript whitelisting ulmf.org :p
 
Re: Double checking XSS suspicions.

Interesting, this hasn't been disabled although I disabled HTML tags.

Hmm.

Can someone other than me try posting that again?
 
Re: Double checking XSS suspicions.

<script>
document.write("This is in javascript!");
</script>

looks fixed to me.
 
Re: Double checking XSS suspicions.

Excellent.

I removed the original because it was annoying.
 
Re: Double checking XSS suspicions.

Now I feel sad that I gave up a perfectly good chance to take over the forums and make myself a mod.
/cry
 
Re: Double checking XSS suspicions.

Is that a dare or something... you think you could defeat me?!?
 
Re: Double checking XSS suspicions.

I hadn't seen you around for a bit, I figured I'd have at least some time before the mighty Nunu crushed me.
 