Actually it might just be script injection... requires user interaction. Pretty low level vulnerability so far.
"Kitto daijoubu da yo." - Sakura Kinomoto
XSS Error
RE: XSS Error
08-05-2022, 07:09 AM (This post was last modified: 08-05-2022, 07:11 AM by Bob Schroeck.)
Mm. Looking at what you posted there, it looks like it's more likely an issue with the spoiler plug-in I use than MyBBS proper, but I'll submit it to the MyBBS website after work.
-- Bob
I have been Roland, Beowulf, Achilles, Gilgamesh, Clark Kent, Mary Sue, DJ Croft, Skysaber. I have been called a hundred names and will be called a thousand more before the sun grows dim and cold....
Yes, well, the spoiler plug-in is limiting some unsafe characters, but not others — I had to use the hyphen to separate terms. But this is braindead security anyway. I’m sure I could write a better plugin.
"Kitto daijoubu da yo." - Sakura Kinomoto
Looking at the code of the spoiler plugin:
1) It's definitely the problem.
2) I'm pretty sure I could string together arbitrary JavaScript because it allows dot and parentheses, which means I have access to eval() and can generate characters I need with String.fromCharCode().
Your risk profile is kind of limited because members need to be approved, and it still needs user interaction.
"Kitto daijoubu da yo." - Sakura Kinomoto
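An added illustration of the point made in the post above, that "limiting some unsafe characters" is not the same as restricting input to what a spoiler title actually needs (example code, not the spoiler plugin's or MyBB's own; the denylist, the allowlist pattern, the data-title template and the sample titles are assumptions):

```javascript
// Added example (not the spoiler plugin's code): a character denylist versus an
// allowlist plus output encoding. The hypothetical denylist mirrors the behaviour
// described in the thread: a few characters are removed, dot and parentheses pass.

function denylistFilter(title) {
  // Strips only the characters someone thought of; everything else survives.
  return title.replace(/[<>"']/g, "");
}

// Allowlist: a spoiler title only needs letters, digits, spaces and hyphens
// (the hyphen is what the thread's author used to separate terms).
const TITLE_ALLOWLIST = /^[A-Za-z0-9 \-]{1,80}$/;

function isValidTitle(title) {
  return TITLE_ALLOWLIST.test(title);
}

// Output encoding: every HTML metacharacter becomes an entity, so the value
// cannot terminate the attribute or text node it is placed into.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function escapeHtml(value) {
  return value.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Defence in depth: reject anything outside the allowlist, and encode what is
// accepted anyway in case the allowlist is later loosened.
function renderSpoilerHeader(title) {
  if (!isValidTitle(title)) {
    throw new Error("spoiler title rejected: characters outside the allowlist");
  }
  const safe = escapeHtml(title);
  return `<div class="spoiler-header" data-title="${safe}">${safe}</div>`;
}

// Constructed sample titles for illustration.
const BENIGN_TITLE = "Chapter 12 - ending";
const SUSPICIOUS_TITLE = "a.b(c)"; // only dot and parentheses, nothing the denylist removes

console.log(denylistFilter(SUSPICIOUS_TITLE)); // unchanged: the denylist saw nothing to strip
console.log(isValidTitle(SUSPICIOUS_TITLE));   // false: the allowlist rejects it outright
console.log(renderSpoilerHeader(BENIGN_TITLE));
```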
Given that, as you point out, the risk is low, I think I'll relax about it.
-- Bob
I have been Roland, Beowulf, Achilles, Gilgamesh, Clark Kent, Mary Sue, DJ Croft, Skysaber. I have been called a hundred names and will be called a thousand more before the sun grows dim and cold....