Menu
What's new
By:
Filters

Double checking XSS suspicions.


QuirkyQuark

QuirkyQuark

Lurker
Joined
Dec 10, 2008
Messages
173
Reputation score
12
<script>
document.write("This is in javascript!");
alert("XSS Hole!");
</script>
You might want to take a look at this Aika, defiantly not cool.

PS: this is not in the forum dev section because html is disabled there.
 
Last edited:
Lipucd

Lipucd

Lurker
Joined
Feb 6, 2009
Messages
486
Reputation score
66
Re: Double checking XSS suspicions.

YARG!
Talk about a really easy bypass!
Needs to be fixed ASAP!
 
XSI

XSI

Lurker
Joined
Nov 10, 2008
Messages
2,521
Reputation score
423
Re: Double checking XSS suspicions.

While this is not fixed, I suggest firefox with noscript, set it to not allow any scripts from anything on the forum.


Or just set any other browser to just not allow scripts.
 
Diagasvesle

Diagasvesle

Lurker
RP Moderator
Joined
Dec 22, 2008
Messages
4,263
Reputation score
56
Re: Double checking XSS suspicions.

How do you do that?
 
Lipucd

Lipucd

Lurker
Joined
Feb 6, 2009
Messages
486
Reputation score
66
Re: Double checking XSS suspicions.

Diagasvesle said:
How do you do that?
Click to expand...
Its a Javascript command, kinda shocked a chat board like this would just allow a user to do something like that under the "Html code".

@XSI: Oh I already had it thank you, but I knew something was up the SECOND the notice popped up...
 
aika

aika

El Presidente
Staff member
Administrator
Joined
Nov 9, 2008
Messages
3,042
Reputation score
182
Re: Double checking XSS suspicions.

Hmm, is there any way to deal with this except completely forbidding html?
 
OP
QuirkyQuark

QuirkyQuark

Lurker
Joined
Dec 10, 2008
Messages
173
Reputation score
12
Re: Double checking XSS suspicions.

Depends if you've got control over the code or not. If you do, then it should just be a basic change to a central file. If you don't; you'd want to contact vBulletin, direct them to this page, tell them their code sucks, and turn off HTML while they fix it.

This is really pathetic. With code injection this easy, I could have a full worm up and running before anyone knew what the fuck was going on. Come on vBulletin, I expect more from you!

EDIT: and yes, noscript is really good.
 
aika

aika

El Presidente
Staff member
Administrator
Joined
Nov 9, 2008
Messages
3,042
Reputation score
182
Re: Double checking XSS suspicions.

Except that I have noscript whitelisting ulmf.org :p
 
aika

aika

El Presidente
Staff member
Administrator
Joined
Nov 9, 2008
Messages
3,042
Reputation score
182
Re: Double checking XSS suspicions.

Interesting, this hasn't been disabled although I disabled
HTML: 
 tags.

Hmm.

Can someone other than me try posting that again?
 
OP
QuirkyQuark

QuirkyQuark

Lurker
Joined
Dec 10, 2008
Messages
173
Reputation score
12
Re: Double checking XSS suspicions.

<script>
document.write("This is in javascript!");
</script>

looks fixed to me.
 
aika

aika

El Presidente
Staff member
Administrator
Joined
Nov 9, 2008
Messages
3,042
Reputation score
182
Re: Double checking XSS suspicions.

Excellent.

I removed the original because it was annoying.
 
OP
QuirkyQuark

QuirkyQuark

Lurker
Joined
Dec 10, 2008
Messages
173
Reputation score
12
Re: Double checking XSS suspicions.

Now I feel sad that I gave up a perfectly good chance to take over the forums and make myself a mod.
/cry
 
Nunu

Nunu

Despot
Former Admin
Joined
Nov 9, 2008
Messages
3,806
Reputation score
312
Re: Double checking XSS suspicions.

Is that a dare or something... you think you could defeat me?!?
 
OP
QuirkyQuark

QuirkyQuark

Lurker
Joined
Dec 10, 2008
Messages
173
Reputation score
12
Re: Double checking XSS suspicions.

I hadn't seen you around for a bit, I figured I'd have at least some time before the mighty Nunu crushed me.
 
You must log in or register to reply here.
Top