FUDforum: Bug Reports » Strange edit issue, possible malicious code?

Home » FUDforum Development » Bug Reports » Strange edit issue, possible malicious code?

Show: Today's Messages :: Polls :: Message Navigator

Strange edit issue, possible malicious code? [message #165308]

Mon, 23 May 2011 14:14

gotzoom?

Messages: 20
Registered: December 2006
Location: Silicon Valley, CA

Karma: 0

Junior Member

I'm having an odd issue on 3.0.2.

When users link to a Google Picassaweb album, the URL displays and clicks through properly. When you quote a post, it displays there properly in the editor box, as well. However, when you edit the post, the "google" portion of the url gets replaces with "cheapairfare." When you save the edited post, the url reverts back to google again and the link operates properly. I have tested with non-google urls and I do not see this behavior.

Example:

[url=https://picasaweb.google.com/viettamluu/1999MiataForSale?authkey=Gv1sRgCL_q7eKW-amo1QE#]this link[/url]

turns into

[url=https://picasaweb.cheapairfare.com/viettamluu/1999MiataForSale?authkey=Gv1sRgCL_q7eKW-amo1QE#]that link[/url]

when the post is edited

I had an issue with spammers posting crap and using email addresses that contained "cheapairfare" so I added an email filter to ban anything from the domain they used.

This feels like a bug rather than the result of a vulnerability to me. Any thoughts on where I can go looking in the code to verify that I haven't been hacked? The server shows no signs of having been compromised.

[Updated on: Mon, 23 May 2011 14:15]

Report message to a moderator

Re: Strange edit issue, possible malicious code? [message #165309 is a reply to message #165308]

Mon, 23 May 2011 14:38

gotzoom?

Messages: 20
Registered: December 2006
Location: Silicon Valley, CA

Karma: 0

Junior Member

I think I figured out what the problem is. It seems to be a bug with the Replacement and Censorship System. I forgot that I set up some word replacements and I think this is causing the issue.

I have "cheapairfare" set to be replaced with "google." It seems as if the replacement system is broken and operates in reverse when using the edit function. I'll do more testing on this and see if I can provide some good test cases.

Report message to a moderator

Re: Strange edit issue, possible malicious code? [message #165310 is a reply to message #165308]

Mon, 23 May 2011 14:42

naudefj

Messages: 3771
Registered: December 2004

Karma: 28

Senior Member
Administrator
Core Developer

Difficult to tell.
I can try to reproduce it on my forum, but will need details about your e-mail filters.

Report message to a moderator

Re: Strange edit issue, possible malicious code? [message #165311 is a reply to message #165310]

Mon, 23 May 2011 15:03

gotzoom?

Messages: 20
Registered: December 2006
Location: Silicon Valley, CA

Karma: 0

Junior Member

I just confirmed it is the replacement system causing the problem.

Test case:
Google website

Steps to reproduce:

1. Create a "simple replace" filter with the "Replace Mask" set to "abunchoftext" and "Replace With" set to "google."

2. Come back to this post and "edit" it.

You will see

Test case:
[url=http://www.google.com]Google website[/url]

has now been changed to

Test case:
[url=http://www.abunchoftext.com]Google website[/url]

Report message to a moderator

Re: Strange edit issue, possible malicious code? [message #165313 is a reply to message #165311]

Mon, 23 May 2011 15:40

naudefj

Messages: 3771
Registered: December 2004

Karma: 28

Senior Member
Administrator
Core Developer

That is expected behaviour for a Simple Replace.

You can control the reverse replacement logic with a Perl Regex.

Report message to a moderator

Re: Strange edit issue, possible malicious code? [message #165317 is a reply to message #165313]

Mon, 23 May 2011 16:45

gotzoom?

Messages: 20
Registered: December 2006
Location: Silicon Valley, CA

Karma: 0

Junior Member

I think I'm not explaining this very well, then.

Is this correct:
Replace Mask = the text to be replaced
Replace With = "Replace Mask" is removed and replaced with this

If I have that right, and it is working properly, "abunchoftext" should be replaced by "google." This is not happening. The reverse is what happens. But, it only happens in the text box when you "edit" an existing post.

When you create the post initially, you are able to have a url containing "google" and it displays properly on the post and you go to the expected url when you click the link. If you then edit that post, you see the opposite of what is expected text replacement ("google" gets replaced by "abunchoftext.") When you save that edit, the post goes back to the original url containing "google."

This does not seem to be working in an expected manner to me.

Report message to a moderator

Re: Strange edit issue, possible malicious code? [message #165318 is a reply to message #165317]

Mon, 23 May 2011 17:04

naudefj

Messages: 3771
Registered: December 2004

Karma: 28

Senior Member
Administrator
Core Developer

There is no way for it to know that it shouldn't do the reverse replacement:

Setup a simple replace A -> B
Post a message with A - system replaces A with B
Edit a message with B - reverse replacement B to A

If you don't like this, use a Perl Replace or submit a patch to change the current behaviour.

Report message to a moderator

Previous Topic:	Strange character appearing in piped mail
Next Topic:	Banned Users, Threads locking, threads moving

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sat May 18 09:33:32 GMT 2024

Total time taken to generate the page: 0.02289 seconds