vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 2.x Beta Releases (https://vborg.vbsupport.ru/forumdisplay.php?f=5)
-   -   PHPSpellchecker for VB2.x! (Beta) (https://vborg.vbsupport.ru/showthread.php?t=41071)

Paul 11-02-2002 06:21 PM

Well, this script needs a couple of security modifications--it's open to XSS vulnerabilities big time.

I don't have time to look at the code right now, but perhaps someone who's more familiar with javascript could take a look at this. Using the word "javascript" in the text of a message you're spell checking will let you run whatever you'd like. This needs to be htmlspecialchars()'d and properly handle the word javascript in a message.

Raz 11-02-2002 06:27 PM

Quote:

Originally posted by Prince
I deinstalled this hack and gave up on it since Raz does not seem interested in fixing it.
Sorry about that, been busy with other stuff.

The error message means you don't have pspell compiled into PHP.

Raz 11-02-2002 06:28 PM

Quote:

Originally posted by LoveShack
Well, this script needs a couple of security modifications--it's open to XSS vulnerabilities big time.

I don't have time to look at the code right now, but perhaps someone who's more familiar with javascript could take a look at this. Using the word "javascript" in the text of a message you're spell checking will let you run whatever you'd like. This needs to be htmlspecialchars()'d and properly handle the word javascript in a message.

Can you give an example?

I can't seem to reproduce what you're saying.

The line "$outtext = htmlentities(stripslashes($checktext));" should prevent what you are experiencing.

Paul 11-02-2002 06:33 PM

Try the following condition:

<misspelt word> javascript </script>

I.e.

d0gzasdf javascript </script>

Raz 11-02-2002 06:37 PM

This is the output I get:
Quote:

<font face="Verdana, Arial, Helvetica, sans-serif" size="2">d0gzasdf <a href="javascript:submitWord('javascript')" name="word2"><font color=red><b>javascript</b></font></a> &lt;/script&gt;</font></body></html>
Seems harmless.

Paul 11-02-2002 06:43 PM

Oops. I mixed up examples :) Appending </script> to the body will cause an error when pressing "Finished Checking" ... to see the javascript issue, remove the </script>.

Try asdfasdf javascript asdfasdf

Raz 11-02-2002 06:45 PM

Yep, got some malformed output. But still can't understand how this can be exploited.

The reason it's malformed is because it replaces all javascript references, including the ones the spellchecker creates to a link to be corrected.
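To show the failure Raz describes, here is an added Python model (not the hack's PHP, which is not on this page) of two ways to build the spellchecker output: a global search-and-replace over already-built markup, which rewrites the `javascript:` hrefs it has just produced, and a token-by-token render that escapes each word and never re-scans its own output. `naive_render`, `safe_render`, `markup_is_mangled` and the sample messages are constructed for this example.

```python
import html
import re

# Constructed samples, taken from the messages tried in this thread.
SAMPLE_ONE = "d0gzasdf javascript </script>"
SAMPLE_TWO = "asdfasdf javascript asdfasdf"


def correction_link(word):
    """The kind of link the spellchecker emits for a misspelt word."""
    return f'<a href="javascript:submitWord(\'{word}\')">{word}</a>'


def naive_render(text, misspelt):
    """Flawed model: escape the whole text, then replace every misspelt word
    in the whole output string, one word at a time. Each pass also scans the
    links produced by earlier passes, so once 'javascript' is in the misspelt
    list it gets replaced inside the hrefs as well (the malformed output)."""
    out = html.escape(text)
    for word in misspelt:
        out = out.replace(word, correction_link(word))
    return out


def safe_render(text, misspelt):
    """Token-based model: split the text into word and non-word tokens,
    escape each token once, wrap only the misspelt word tokens, and join.
    Produced markup is never searched again, and a \\w+ token cannot carry
    quotes or angle brackets into the attribute or JS string context."""
    bad = set(misspelt)
    parts = []
    for tok in re.split(r"(\w+)", text):
        esc = html.escape(tok)
        parts.append(correction_link(esc) if tok in bad else esc)
    return "".join(parts)


def markup_is_mangled(rendered):
    """True when a link has been opened inside another link's href."""
    return 'href="<a' in rendered


if __name__ == "__main__":
    # The first sample renders the same either way; the second only renders
    # correctly when tokens are wrapped instead of search-and-replaced.
    print(naive_render(SAMPLE_ONE, ["javascript"]))
    print(naive_render(SAMPLE_TWO, ["asdfasdf", "javascript", "asdfasdf"]))
    print(safe_render(SAMPLE_TWO, ["asdfasdf", "javascript", "asdfasdf"]))
```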

Paul 11-03-2002 01:47 AM

Hrmm. I haven't been able to come up with a way to exploit it myself, but seeing as input text is being processed as part of the script, a bunch of red flags go up.

How can we sandbox it?

Any luck with Netscape/Opera?

Paul 11-03-2002 02:30 AM

Just a note on the NS/Opera issue--I have a suspicion that the hidden form being called in spellcheck.php is the problem here--specifically, I think forms are only recognized by NS/Opera within <body></body> tags--since this form is hidden in a frameset page, I believe that's where the problem is arising.

I'll let you know what I find out.

Paul 11-03-2002 03:28 AM

Unfortunately, you can't have <body> and <frameset> tags in the same page. I've been able to confirm that the issue with Netscape and Opera is the <form> code being placed in the frameset in spellcheck.php--this is illegal html. According to w3c specifications, <form> can only be placed within <body> tags.

I don't know enough javascript to get this thing to work -- would it be possible to move the form to the templates instead?
