Skip to:
Content
Pages
Categories
Search
Top
Bottom

Security Issue (Javascript Insertion)


  • tom.mccabe
    Member

    @tommccabe-1

    Hey everyone. I believe there’s a security flaw within BBPress that allows for any forum user to insert JavaScript into their posts. For instance, the following code replaces instances of “oldStuff” with “newStuff”:

    [img]http://www.whatever.net/forums/bb-admin/images/blank.gi” style=”display:none;” onerror=”this.parentNode.parentNode.parentNode.parentNode.parentNode.innerHTML = this.parentNode.parentNode.parentNode.parentNode.parentNode.innerHTML.replace(/oldStuff|onerror/g,’newStuff’);[/img]

    What are the patching instructions? Thanks.

Viewing 6 replies - 1 through 6 (of 6 total)
  • By default, bbPress does not allow using the img tag, it needs a plugin for this functionality. Of course, the given attributes style and any kind of JavaScript handler is highly unwanted, but it is a weakness in the plugin’s code, which has to be patched asap.


    tom.mccabe
    Member

    @tommccabe-1

    I’m using the Allow Images plugin (http://bbpress.org/plugins/topic/allow-images/).


    zaerl
    Participant

    @zaerl

    I cannot reproduce the bug. The plugin is well written:

    $tags['img'] = array('src' => array(), 'title' => array(), 'alt' => array());

    only src, title and alt attributes are allowed. Can you share a pastebin link with the exact rogue text?


    _ck_
    Participant

    @_ck_

    Oh frack, it’s bbcode-lite.

    I run through post-text so the bbpress parser never fires.

    Fortunately img is disabled by default but I bet people turn it on.

    Working on a fix.


    _ck_
    Participant

    @_ck_

    Double frack, it’s not just IMG.

    Working hard on a fix.

    All BBcode-lite users should upgrade to 1.0.5 IMMEDIATELY

    (regardless if you allow images or not)

    http://bbpress.org/plugins/topic/bbcode-lite/

    http://plugins-svn.bbpress.org/bbcode-lite/trunk/


    _ck_
    Participant

    @_ck_

    Okay here’s the reality.

    Basically bbPress doesn’t run it’s tag filter on post_text when the text is finally displayed, because it would be too slow.

    Instead it only checks tags during saving time and filters then.

    If an item is not a tag AT SAVE TIME it won’t get checked.

    That is how this is slipping through, because bbcode are not html tags.

    I have a quick, dirty fix.

    Basically anything that gets stuck INSIDE a tag ie. [HERE] = < HERE > is no longer allowed to contain spaces, single quote or double quote. Stuff [blah]HERE[/blah] = <blah>HERE</blah> is okay.

    Preventing spaces alone, in theory, should be enough. Even url or entity encoding won’t get properly parsed. It will simply display as plain text and then you can see who is posting what instead of hidden stuff.

    The only good news is that this problem in theory should not allow admin cookies to be stolen since the last version of 0.9 and 1.x already use HttpOnly cookies which cannot be read by javascript.

    The downside of the quick-fix is that secondary attributes are no longer possible until I come up with another way. Example of secondary would be alt or title etc.

    Many thanks for reporting this Tom!

Viewing 6 replies - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.