Go Back   vb.org Archive > vBulletin Modifications > vBulletin 4.x Modifications > vBulletin 4.x Add-ons
Disable Webkit Browser XSS Protection Details »»
Disable Webkit Browser XSS Protection
Version: 1.00, by Internet Brands Internet Brands is offline
Developer Last Online: Mar 2012 Show Printable Version Email this Page

Category: Miscellaneous Hacks - Version: 4.x.x Rating:
Released: 12-29-2011 Last Update: Never Installs: 21
Uses Plugins
Translations  
No support by the author.

The Chrome Xss prevention feature can trigger false positives on some vBulletin boards.

This occurs when people make posts that contain references to JS files that vbulletin uses.

Chrome detects that the content of the post contains the same scripts that the resulting page intends to run and disallows the load (this occurs even if the post escapes the scripts properly so they cannot be interpreted as code).

Chrome are aware of the problem, but do not intend to provide a fix. The only workaround is to disable the Xss prevention feature in Chrome, which can be done via a HTTP header.

Since the actual occurrence of this problem appears to be quite limited, this is considered to be too drastic of an action for general use.

We have therefore decided to make this small product available that causes vBulletin to emit the header (for admins who are affected).

Simply download an install as you would for any product.

While released for the 4.x series, this should also work on vB 3.6, 3.7 & 3.8.

For reference see ;

http://tracker.vbulletin.com/browse/VBIV-13539
http://tracker.vbulletin.com/browse/VBIV-13499

Download Now

File Type: xml product-vbwebkitxss.xml (1.1 KB, 80 views)

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #2  
Old 12-31-2011, 06:04 PM
OldSchoolDSL OldSchoolDSL is offline
 
Join Date: Oct 2010
Posts: 1,196
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80.5% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

http://en.wikipedia.org/wiki/Cross-site_scripting


So adding this could in theory, make your site less secure?!
Reply With Quote
  #3  
Old 12-31-2011, 07:54 PM
Zachery's Avatar
Zachery Zachery is offline
 
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Freddies response
Quote:
This has turned into quite a project. The issue manifests itself when script references that are used to build the page are used within the title or editor. An example, typical vb page contains:
<script type="text/javascript" src="clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js?v=418"></script>

Now say we only were to use this in a title or in the editor:
src="clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js?v=418"

When the page is previewed or submitted Chrome will determine this to be an XSS attack, disabling javascript on the resultant page.

The issue stems from Google's XSS deterrent code not allowing a JS reference submitted with a REQUEST to then be called on the resultant page.
this happens even though we display the code as encoded, so it couldn't be used as an attack vector
I believe these issues to be false positives and Chrome to be at fault.
This should be a rare issue as it does not seem to be just triggered by any JS references but only those that are pre-existing within the HTML that vB calls.

The work around methods, as I see them are:

(a) Send the X-XSS-Protection:0 header which disables the XSS protection altogether.

(b) Obfuscate the submitted data in some manner so that it does not match js references that may be included in the source of the page. The problem is that we have no general way to modify data submitted via title fields via javascript, or even other fields that may appear on some forms throughout vBulletin. For example, the various fields within the User's setting page. Submitting the JS reference as one's biography will generate the Chrome error upon submit. Getting past that hurdle, the data then has to be reverted back to its unaltered form before saving to the database. There is no central method to do this either with hundreds of potential locations.

(c) We don't have to modify data when submitted but could just modify the received data and leave it as is, such that src="whatever" becomes _src = "whatever", which would bypass the problem. Still hundreds of locations that would need to be modified.

(d) do nothing, caveat emptor

vB3 suffers from the same issue.
Easiest fix, send the X-XSS-Protection:0 header to disable Chrome's XSS protection.
I'm open to comments.

I will see about contacting the Chrome team to get their opinion on this.
Response from a Chromium dev
Quote:
Originally Posted by Chromium dev
We don't have any current plans to resolve this kind of false positive. It seems likely a situation that won't occur very often. I'd expect most users of vBulletin not to copy and paste markup from vBulletin itself.
If you're particularly worried about this issue, you can disable the filter as discussed in Comment #3.
Reply With Quote
  #4  
Old 12-31-2011, 10:40 PM
Alfa1's Avatar
Alfa1 Alfa1 is offline
 
Join Date: Dec 2005
Location: Netherlands
Posts: 3,537
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

The response from the chromium dev seems utter nonsense. Offcourse vbulletin users copy content from vbulletin. Its called quoting. The guy must live under a rock.
Reply With Quote
  #5  
Old 08-05-2012, 09:40 AM
zascok zascok is offline
 
Join Date: Jul 2010
Posts: 146
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

wow. wasn't aware of that. Thanks
Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 07:01 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.03978 seconds
  • Memory Usage 2,255KB
  • Queries Executed 19 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (5)post_thanks_box
  • (5)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (5)post_thanks_postbit_info
  • (4)postbit
  • (1)postbit_attachment
  • (5)postbit_onlinestatus
  • (5)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_attachment
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete