WillFlame
Owner
Direful Reflection
An idea has taken root.
5,190 posts
Discord: WillFlame#5739
Favorite Level: Colourful Overnight
Mini-Profile Background: {"image":"https://i.imgur.com/4y98NDS.png","color":""}
Mini-Profile Name Color: 00a3ff
Mini-Profile Text Color: ffffff
|
Post by WillFlame on Apr 8, 2023 11:37:05 GMT -5
A security vulnerability was discovered by bzzzz in the shoutbox which allowed for code injection. Until we figure out if it can be resolved or not (there doesn't seem to be any info about it on proboards' end), the shoutbox will unfortunately remain disabled.
UPDATE: bzzzz located the source of the vulnerability to a shoutbox plugin and has written a new plugin to replace its functionality, so the shoutbox has been re-enabled.
|
|
|
|
Post by LuMaIchArgI on Apr 9, 2023 0:22:10 GMT -5
allowed for code injection. good ol proboards moment. They've been hosting forums longer than I've been alive and they don't even have basic web security in current year |
|
|
|
Post by bzzzz on Apr 17, 2023 2:05:26 GMT -5
|
|
|
|
Post by LuMaIchArgI on Apr 19, 2023 9:17:51 GMT -5
Perhaps I was too harsh on them lol. Interesting and nice find. I didn't even know the shoutbox had a comment feature. Then again since the shout box doesn't appear on mobile, I've probably only even seen it a handful of times since I joined here |
|
|
|
Post by bzzzz on Apr 20, 2023 8:45:53 GMT -5
I just found an actual proboards moment: pb.plugin.key("key name here").set({
"value":{"</script>":"asd"}
})proboads server will generate {"</scr"+"ipt>":"asd"}in script tag in html
also found a html spec + proboards moment: pb.plugin.key("key name here").set({
"value":"<!--<script>"
})see uploadcare.com/blog/vulnerability-in-html-design/ |
|
