FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » FUDforum 3.0+ » XSS
Show: Today's Messages :: Unread Messages :: Show Polls :: Message Navigator
| Subscribe to topic | Bookmark topic 
Switch to threaded view of this topic Create a new topic Submit Reply
XSS [message #24494] Fri, 29 April 2005 01:04 Go to next message
Cr00t is currently offline  Cr00t   Russian Federation
Messages: 16
Registered: February 2003
Location: Russia
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
I use version 2.6.9.

Where is XSS trouble... Please fix it!

use smth like this: [url=javascript:alert('ggggg, xss?');]


::: don't gimme namez :::
Re: XSS [message #24496 is a reply to message #24494] Fri, 29 April 2005 08:18 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
add to buddy list
ignore all messages by this user
ha? There is no XSS, the forum specifically checks for javascript in URL and img tags and preventsm it's usage, this has been there almost since version 1.0.

FUDforum Core Developer
Re: XSS [message #24503 is a reply to message #24496] Fri, 29 April 2005 11:30 Go to previous messageGo to next message
Cr00t is currently offline  Cr00t   Russian Federation
Messages: 16
Registered: February 2003
Location: Russia
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
Ok. Thx for answer

::: don't gimme namez :::
Re: XSS [message #24506 is a reply to message #24496] Fri, 29 April 2005 15:26 Go to previous messageGo to next message
Cr00t is currently offline  Cr00t   Russian Federation
Messages: 16
Registered: February 2003
Location: Russia
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
Ilia писал(а) Птн, 29 Апреля 2005 16:18

ha? There is no XSS, the forum specifically checks for javascript in URL and img tags and preventsm it's usage, this has been there almost since version 1.0.


Yeap, there is a filter, like this:

if (strpos(strtolower($parms), 'javascript:') === false) { 


but i can bypass it using special symbols, most of them in 16

if i type "javascrip&_#116;" (without "_" symbol) this filter works, but browser look at the code and execute "javascrip&_#116;" (without "_" symbol)!


::: don't gimme namez :::
Re: XSS [message #24507 is a reply to message #24506] Fri, 29 April 2005 15:38 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
add to buddy list
ignore all messages by this user
Nope still does not work. The URL appears like this:
<a href="javascript&amp;_#116;alert('ggggg, xss?');" target="_blank">TEST</a>

That's not going to work either.


FUDforum Core Developer
Re: XSS [message #24514 is a reply to message #24507] Sat, 30 April 2005 11:01 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
add to buddy list
ignore all messages by this user
As you can see it does not work, it does make a link but it's not valid and certainly will not result in JavaScript being executed.

FUDforum Core Developer
Re: XSS [message #24519 is a reply to message #24514] Sat, 30 April 2005 15:38 Go to previous messageGo to next message
Cr00t is currently offline  Cr00t   Russian Federation
Messages: 16
Registered: February 2003
Location: Russia
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
Почему у вас на форуме данный линк не работает, а у меня работает?

[url=javascript:alert('ЫЫЫЫЫЫЫЫ, 123');]Нехороший линк[/url]





::: don't gimme namez :::
Re: XSS [message #24520 is a reply to message #24519] Sat, 30 April 2005 15:52 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
add to buddy list
ignore all messages by this user
Perhaps you made some modifications to the forum that altered the post processing behaviour.

FUDforum Core Developer
Re: XSS [message #24521 is a reply to message #24520] Sun, 01 May 2005 00:55 Go to previous messageGo to next message
Cr00t is currently offline  Cr00t   Russian Federation
Messages: 16
Registered: February 2003
Location: Russia
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
Ilia писал(а) Сбт, 30 Апреля 2005 23:52

Perhaps you made some modifications to the forum that altered the post processing behaviour.


what modifications? i have original forum, no hacks. Right now forum version is 2.6.12


::: don't gimme namez :::
Re: XSS [message #37745 is a reply to message #24494] Wed, 20 June 2007 10:12 Go to previous message
htimsl is currently offline  htimsl   United States
Messages: 1
Registered: June 2007
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
looks good to me!
  • Attachment: milton1.jpg
    (Size: 25.95KB, Downloaded 460 times)

[Updated on: Wed, 20 June 2007 10:12]

Report message to a moderator

Quick Reply
Formatting Tools:   
  Switch to threaded view of this topic Create a new topic
Previous Topic: Spell Check Button Help
Next Topic: Test Forums
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Oct 19 16:18:58 EDT 2017

Total time taken to generate the page: 0.00516 seconds