| XSS [message #24494] |
Fri, 29 April 2005 05:04  |
Cr00t
Messages: 16
Registered: February 2003
Location: Russia
Karma: 0
|
Junior Member |
|
|
I use version 2.6.9.
Where is XSS trouble... Please fix it!
use smth like this: [url=javascript:alert('ggggg, xss?');]
::: don't gimme namez :::
|
|
|
|
| Re: XSS [message #24496 is a reply to message #24494] |
Fri, 29 April 2005 12:18  |
Ilia
Messages: 13241
Registered: January 2002
Karma: 0
|
Senior Member
Administrator
Core Developer |
|
|
ha? There is no XSS, the forum specifically checks for javascript in URL and img tags and preventsm it's usage, this has been there almost since version 1.0.
FUDforum Core Developer
|
|
|
|
| Re: XSS [message #24503 is a reply to message #24496] |
Fri, 29 April 2005 15:30 |
Cr00t
Messages: 16
Registered: February 2003
Location: Russia
Karma: 0
|
Junior Member |
|
|
Ok. Thx for answer
::: don't gimme namez :::
|
|
|
|
| Re: XSS [message #24506 is a reply to message #24496] |
Fri, 29 April 2005 19:26 |
Cr00t
Messages: 16
Registered: February 2003
Location: Russia
Karma: 0
|
Junior Member |
|
|
| Ilia писал(а) Птн, 29 Апреля 2005 16:18 |
ha? There is no XSS, the forum specifically checks for javascript in URL and img tags and preventsm it's usage, this has been there almost since version 1.0.
|
Yeap, there is a filter, like this:
if (strpos(strtolower($parms), 'javascript:') === false) {
but i can bypass it using special symbols, most of them in 16
if i type "javascrip&_#116;" (without "_" symbol) this filter works, but browser look at the code and execute "javascrip&_#116;" (without "_" symbol)!
::: don't gimme namez :::
|
|
|
|
| Re: XSS [message #24507 is a reply to message #24506] |
Fri, 29 April 2005 19:38 |
Ilia
Messages: 13241
Registered: January 2002
Karma: 0
|
Senior Member
Administrator
Core Developer |
|
|
Nope still does not work. The URL appears like this:
<a href="javascript&_#116;alert('ggggg, xss?');" target="_blank">TEST</a>
That's not going to work either.
FUDforum Core Developer
|
|
|
|
| Re: XSS [message #24514 is a reply to message #24507] |
Sat, 30 April 2005 15:01 |
Ilia
Messages: 13241
Registered: January 2002
Karma: 0
|
Senior Member
Administrator
Core Developer |
|
|
As you can see it does not work, it does make a link but it's not valid and certainly will not result in JavaScript being executed.
FUDforum Core Developer
|
|
|
|
| Re: XSS [message #24519 is a reply to message #24514] |
Sat, 30 April 2005 19:38 |
Cr00t
Messages: 16
Registered: February 2003
Location: Russia
Karma: 0
|
Junior Member |
|
|
Почему у вас на форуме данный линк не работает, а у меня работает?
[url=javascript:alert('ЫЫЫЫЫЫЫЫ, 123');]Нехороший линк[/url]
::: don't gimme namez :::
|
|
|
|
| Re: XSS [message #24520 is a reply to message #24519] |
Sat, 30 April 2005 19:52 |
Ilia
Messages: 13241
Registered: January 2002
Karma: 0
|
Senior Member
Administrator
Core Developer |
|
|
Perhaps you made some modifications to the forum that altered the post processing behaviour.
FUDforum Core Developer
|
|
|
|
| Re: XSS [message #24521 is a reply to message #24520] |
Sun, 01 May 2005 04:55 |
Cr00t
Messages: 16
Registered: February 2003
Location: Russia
Karma: 0
|
Junior Member |
|
|
| Ilia писал(а) Сбт, 30 Апреля 2005 23:52 |
Perhaps you made some modifications to the forum that altered the post processing behaviour.
|
what modifications? i have original forum, no hacks. Right now forum version is 2.6.12
::: don't gimme namez :::
|
|
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]