FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » Bug Reports » Strange edit issue, possible malicious code?
Show: Today's Messages :: Unread Messages :: Show Polls :: Message Navigator
| Subscribe to topic | Bookmark topic 
Switch to threaded view of this topic Create a new topic Submit Reply
Strange edit issue, possible malicious code? [message #165308] Mon, 23 May 2011 10:14 Go to next message
gotzoom? is currently offline  gotzoom?   United States
Messages: 20
Registered: December 2006
Location: Silicon Valley, CA
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
I'm having an odd issue on 3.0.2.

When users link to a Google Picassaweb album, the URL displays and clicks through properly. When you quote a post, it displays there properly in the editor box, as well. However, when you edit the post, the "google" portion of the url gets replaces with "cheapairfare." When you save the edited post, the url reverts back to google again and the link operates properly. I have tested with non-google urls and I do not see this behavior.

Example:
[url=https://picasaweb.google.com/viettamluu/1999MiataForSale?authkey=Gv1sRgCL_q7eKW-amo1QE#]this link[/url]

turns into
[url=https://picasaweb.cheapairfare.com/viettamluu/1999MiataForSale?authkey=Gv1sRgCL_q7eKW-amo1QE#]that link[/url]

when the post is edited

I had an issue with spammers posting crap and using email addresses that contained "cheapairfare" so I added an email filter to ban anything from the domain they used.

This feels like a bug rather than the result of a vulnerability to me. Any thoughts on where I can go looking in the code to verify that I haven't been hacked? The server shows no signs of having been compromised.

[Updated on: Mon, 23 May 2011 10:15]

Report message to a moderator

Re: Strange edit issue, possible malicious code? [message #165309 is a reply to message #165308] Mon, 23 May 2011 10:38 Go to previous messageGo to next message
gotzoom? is currently offline  gotzoom?   United States
Messages: 20
Registered: December 2006
Location: Silicon Valley, CA
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
I think I figured out what the problem is. It seems to be a bug with the Replacement and Censorship System. I forgot that I set up some word replacements and I think this is causing the issue.

I have "cheapairfare" set to be replaced with "google." It seems as if the replacement system is broken and operates in reverse when using the edit function. I'll do more testing on this and see if I can provide some good test cases.
Re: Strange edit issue, possible malicious code? [message #165310 is a reply to message #165308] Mon, 23 May 2011 10:42 Go to previous messageGo to next message
naudefj is currently offline  naudefj   South Africa
Messages: 3624
Registered: December 2004
Karma: 17
Senior Member
Administrator
Core Developer
remove from buddy list
ignore all messages by this user
Difficult to tell.
I can try to reproduce it on my forum, but will need details about your e-mail filters.
Re: Strange edit issue, possible malicious code? [message #165311 is a reply to message #165310] Mon, 23 May 2011 11:03 Go to previous messageGo to next message
gotzoom? is currently offline  gotzoom?   United States
Messages: 20
Registered: December 2006
Location: Silicon Valley, CA
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
I just confirmed it is the replacement system causing the problem.

Test case:
Google website

Steps to reproduce:

1. Create a "simple replace" filter with the "Replace Mask" set to "abunchoftext" and "Replace With" set to "google."

2. Come back to this post and "edit" it.

You will see
Test case:
[url=http://www.google.com]Google website[/url]

has now been changed to
Test case:
[url=http://www.abunchoftext.com]Google website[/url]
Re: Strange edit issue, possible malicious code? [message #165313 is a reply to message #165311] Mon, 23 May 2011 11:40 Go to previous messageGo to next message
naudefj is currently offline  naudefj   South Africa
Messages: 3624
Registered: December 2004
Karma: 17
Senior Member
Administrator
Core Developer
remove from buddy list
ignore all messages by this user
That is expected behaviour for a Simple Replace.

You can control the reverse replacement logic with a Perl Regex.
Re: Strange edit issue, possible malicious code? [message #165317 is a reply to message #165313] Mon, 23 May 2011 12:45 Go to previous messageGo to next message
gotzoom? is currently offline  gotzoom?   United States
Messages: 20
Registered: December 2006
Location: Silicon Valley, CA
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
I think I'm not explaining this very well, then.

Is this correct:
Replace Mask = the text to be replaced
Replace With = "Replace Mask" is removed and replaced with this

If I have that right, and it is working properly, "abunchoftext" should be replaced by "google." This is not happening. The reverse is what happens. But, it only happens in the text box when you "edit" an existing post.

When you create the post initially, you are able to have a url containing "google" and it displays properly on the post and you go to the expected url when you click the link. If you then edit that post, you see the opposite of what is expected text replacement ("google" gets replaced by "abunchoftext.") When you save that edit, the post goes back to the original url containing "google."

This does not seem to be working in an expected manner to me.
Re: Strange edit issue, possible malicious code? [message #165318 is a reply to message #165317] Mon, 23 May 2011 13:04 Go to previous message
naudefj is currently offline  naudefj   South Africa
Messages: 3624
Registered: December 2004
Karma: 17
Senior Member
Administrator
Core Developer
remove from buddy list
ignore all messages by this user
There is no way for it to know that it shouldn't do the reverse replacement:

Setup a simple replace A -> B
Post a message with A - system replaces A with B
Edit a message with B - reverse replacement B to A

If you don't like this, use a Perl Replace or submit a patch to change the current behaviour.
Quick Reply
Formatting Tools:   
  Switch to threaded view of this topic Create a new topic
Previous Topic: Strange character appearing in piped mail
Next Topic: Banned Users, Threads locking, threads moving
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Tue Oct 17 05:23:31 EDT 2017

Total time taken to generate the page: 0.00790 seconds