Post by bzzzz on Apr 7, 2023 11:27:35 GMT -5
you can set your username to anything (any html) when commenting on a post if you edit the http request. I set my username to: redacted because proboards thinks I put a script in a plugin:

> Your script with the Ajax request (and any use thereof) is a violation of our Developer Guidelines (https://www.proboards.com/developer-guidelines). We ask that you please remove all violating content from the forum within 48 hours. Examples of violating content includes but may not be limited to: gdforum.freeforums.net/post/919654/thread
> Please take the time to familiarize yourself with our policies so that there are no issues in the future.
> Terms of Service: www.proboards.com/tos
> Community Guidelines: www.proboards.com/community_guidelines
> Developer Guidelines: www.proboards.com/developer-guidelines
> If you have any questions, please contact our Abuse Department at abuseteam@proboards.com.
> ProBoards Abuse Department
> abuseteam@proboards.com

this bug is kinda bad because a reply in the shoutbox can make you do stuff automatically (like voting) and modify pages
Post by bzzzz on Apr 8, 2023 0:14:45 GMT -5
Post by Jayflight on Apr 8, 2023 9:10:38 GMT -5
Another interesting glitch. I think I need to start relearning how to program so I can actually look into these things...
I didn't delete the h thread or your posts in it, by the way; it's just archived (only staff can see it) for the moment so more people don't click on it and start automatically posting (since overly frequent posts could lag the forum in general, especially for mobile users). I am willing to unarchive it if anybody wants to take a closer look at their discretion, though.
WillFlame
Owner
Direful Reflection
An idea has taken root.
5,190 posts
Discord: WillFlame#5739
Favorite Level: Colourful Overnight
Mini-Profile Background: {"image":"https://i.imgur.com/4y98NDS.png","color":""}
Mini-Profile Name Color: 00a3ff
Mini-Profile Text Color: ffffff
Post by WillFlame on Apr 8, 2023 10:21:01 GMT -5
It looks like an injection vulnerability from proboards' end. I tried searching if anyone else has discovered this and found nothing, so I don't think there's much we can do. (We could disable the shoutbox, idk if it applies to normal posts as well?) The forum is pretty dead so I don't think there's much reason to destroy it, but it's probably better if you don't share the exact method and code you used publicly.
Post by bzzzz on Apr 8, 2023 10:27:12 GMT -5
> don't click on it and start automatically posting

clicking on it is not special, automatically posting happened every time a logged in user loaded a page with the shoutbox (I think that's all pages except error pages)
also I deleted the comment with the h posting script, there should be no more h spam (unless you manually spam h or someone injects another script that posts h)
Post by bzzzz on Apr 8, 2023 10:28:03 GMT -5
> but you seem to have mentioned it applies to normal posts as well?

no, only shoutbox comments
Post by WillFlame on Apr 8, 2023 10:43:24 GMT -5
> > but you seem to have mentioned it applies to normal posts as well?
> no, only shoutbox comments

Huh, I can disable the shoutbox then. There does seem to be a shoutbox-related plugin that attempted to fix a XSS vulnerability (www.proboards.com/library/plugins/item/1347), but that's not its main purpose and idk if it'll apply before the entire page has loaded. If it can't be fixed otherwise, it sounds pretty bad and probably worth disabling the entire thing for.
Post by bzzzz on Apr 9, 2023 9:34:32 GMT -5
Is the shoutbox in gdforums (not anymore) a builtin feature or a plugin?
I don't know because I don't own any forum.
Post by WillFlame on Apr 9, 2023 11:25:53 GMT -5
The shoutbox is a built-in feature, which is why I'm hesitant to say that a plugin could fix it.
Post by bzzzz on Apr 15, 2023 3:40:17 GMT -5
> The shoutbox is a built-in feature

I created a forum to mess with the shoutbox: shoutboxtestingasdfg.freeforums.net/ but that shoutbox is different than gdforum's: it doesn't have comments but has formatting buttons. here is how my shoutbox settings look:
Post by Jayflight on Apr 15, 2023 17:51:12 GMT -5
> > The shoutbox is a built-in feature
> I created a forum to mess with the shoutbox: shoutboxtestingasdfg.freeforums.net/ but that shoutbox is different than gdforum's: it doesn't have comments but has formatting buttons. here is how my shoutbox settings look:

As a visitor to your forum, that shoutbox seems to be pretty much identical to the one here; all those settings are there because you're the one who created the forum, I suppose. Will has it disabled for now since there doesn't seem to be a way around that glitch.
Post by bzzzz on Apr 16, 2023 1:17:02 GMT -5
> As a visitor to your forum, that shoutbox seems to be pretty much identical to the one here;

No, it's different:
Post by WillFlame on Apr 16, 2023 18:52:25 GMT -5
Ah, you're right. There's another plugin that added support for shoutbox comments that the forum is using. If the vulnerability is only in the comments and due to this plugin, I can disable it and re-enable the forum shoutbox. Thanks for looking into this more btw, it's been really helpful.
Post by bzzzz on Apr 17, 2023 0:00:03 GMT -5
> If the vulnerability is only in the comments and due to this plugin, I can disable it and re-enable the forum shoutbox.

yes, the vulnerability is only in the plugin

> There's another plugin that added support for shoutbox comments that the forum is using.

I will try to modify its code to fix the code injection (escape usernames).

edit: wow, the plugin's code is so unnecessarily inefficient:

    for(a=(keyarray.length-1);a>-1;a--){
        keyarray.sort(function(c, d){ return d.t-c.t })
        var temp = keyarray[a]
        var user = ''
        var message = '<span class="message">'+temp.d+'</span>'
        var details = ''
        var uid = parseInt(keyarray[a].i)
        if(pb.data('user').id!=0)
            if((uid==pb.data('user').id&&this.settings.admin_editdelete_permissions=='3')||pb.data('user').id==1||(this.settings.admin_editdelete_permissions=='2'&&pb.data('user').is_staff)||(this.settings.admin_editdelete_permissions=='3'&&pb.data('user').is_staff))
                details+='<span class="details"><a class="shoutbox_cedit_button hidden" onclick="shoutCom.comment.edit('+keyarray[a].t+',this)">Edit</a>'
        details+='<abbr class="time" data-timestamp="'+temp.t+'"></span>'
        if(temp.i){
            user=' <a class="user-link user-'+temp.i+'" href="/user/'+temp.i+'">'+temp.n+'</a>: '
        }else{
            user=' '+temp.n+': '
        }
        var html= '<span class="shoutbox-postclone content-boxclone shoutCom shoutCom'+temp.p+' shoutCollapse" style="display:block;margin-left:50px;margin-top:5px">'+user+message+details
        if(pb.data('user').id!=0)
            if((uid==pb.data('user').id&&this.settings.admin_editdelete_permissions=='3')||pb.data('user').id==1||(this.settings.admin_editdelete_permissions=='2'&&pb.data('user').is_staff)||(this.settings.admin_editdelete_permissions=='3'&&pb.data('user').is_staff))
                html+='<a class="shoutbox_deleteclone" onclick="shoutCom.comment.remove('+temp.t+')">x</a></div>'
        $('.shoutbox-post-'+temp.p).append(html)
    }

it sorts the array EVERY LOOP ITERATION
the array is not modified in the loop (except the sort), so why not sort once at the beginning

edit 2: I can fix the code injection but can't fix impersonation (commenters can still set user id and user name to anything, edit any comment), this seems to be a limitation of proboards plugin server data storage
I can write my own plugin that transforms

    user1: hello
    user2: c53253)hi

(53253 is the post id that you see in inspect element) to

    user1: hello
    user2: hi

instead of using super keys; then impersonation would be impossible but comments would take up space like normal messages
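The fix bzzzz describes (escape the usernames), shown as an added example that is not the plugin's code or anyone's in this thread. It puts a simplified form of the plugin's string-concatenation rendering beside a version that HTML-escapes every untrusted string, coerces ids and timestamps to integers before they land in `href`/`onclick` attributes, and sorts the array once before rendering. The field names `n`, `d`, `i`, `t`, `p` follow the snippet above; the function names and the sample comments are constructed for the example.

```javascript
// Added example, not the plugin's code. Field names (n = name, d = message,
// i = user id, t = timestamp, p = post id) follow the plugin snippet; the
// function names and the sample data below are constructed.

// Escape the five characters that change meaning in HTML text and in
// double- or single-quoted attribute values. '&' goes first so the
// entities written afterwards are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Ids and timestamps are only ever integers. Coerce and reject anything
// else so a stored value cannot carry characters into href="" or onclick="".
function asInt(value) {
  const n = Number.parseInt(value, 10);
  if (!Number.isFinite(n)) {
    throw new TypeError("expected an integer, got " + JSON.stringify(value));
  }
  return n;
}

// The plugin's pattern, reduced to the user link and message: stored
// strings are concatenated straight into markup, so a name or message
// containing tags is rendered as tags. (Permission-gated edit/delete
// controls are omitted; they follow the same pattern.)
function renderCommentUnsafe(c) {
  const user = c.i
    ? ' <a class="user-link user-' + c.i + '" href="/user/' + c.i + '">' + c.n + '</a>: '
    : ' ' + c.n + ': ';
  return '<span class="shoutCom shoutCom' + c.p + '">' + user +
         '<span class="message">' + c.d + '</span></span>';
}

// Hardened rendering: every untrusted string is escaped, every number
// is coerced, before it is concatenated into the HTML string.
function renderCommentSafe(c) {
  const name = escapeHtml(c.n);
  let user;
  if (c.i) {
    const uid = asInt(c.i);
    user = ' <a class="user-link user-' + uid + '" href="/user/' + uid + '">' + name + '</a>: ';
  } else {
    user = ' ' + name + ': ';
  }
  const postId = asInt(c.p);
  return '<span class="shoutCom shoutCom' + postId + '">' + user +
         '<span class="message">' + escapeHtml(c.d) + '</span></span>';
}

// Sort once, oldest first (the order the plugin's descending sort plus its
// reverse loop produces), then render, instead of re-sorting per iteration.
// slice() keeps the caller's array untouched.
function renderComments(comments, render) {
  return comments
    .slice()
    .sort((a, b) => a.t - b.t)
    .map(render)
    .join("");
}

// Constructed sample data: one ordinary comment and one whose stored
// "username" carries markup, the kind of value the thread says can be
// submitted by editing the HTTP request.
const SAMPLE_COMMENTS = [
  { i: "7",  n: "<b>injected</b>", d: "hi <i>there</i>", t: 1680000100, p: 53253 },
  { i: "42", n: "user1",           d: "hello",           t: 1680000000, p: 53253 },
];

// Render the same data both ways so the difference can be inspected.
function demo() {
  return {
    unsafe: renderComments(SAMPLE_COMMENTS, renderCommentUnsafe),
    safe: renderComments(SAMPLE_COMMENTS, renderCommentSafe),
  };
}

console.log(demo().unsafe);
console.log(demo().safe);
```

In the unsafe output the `<b>` from the stored name reaches the page as an element; in the safe output it arrives as the text `&lt;b&gt;injected&lt;/b&gt;`, which the browser displays literally. The same escaping has to be applied to every stored field the plugin renders (`temp.n`, `temp.d`), and the numeric fields that end up inside `onclick="..."` and `href="..."` should be coerced rather than trusted.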
Post by WillFlame on Apr 17, 2023 13:59:17 GMT -5
Just escaping usernames is probably good enough, I don't expect the forum to make any sort of revival so I'm mainly just concerned with keeping it usable for everyone still around. Of course, if you want to spend the effort to improve the plugin (avoiding impersonation, etc.) then be my guest, I'm not particularly concerned with any cosmetic changes that might be required. I'm surprised proboards moderation is still around and flagged your post, honestly.