The Arcive of Official vBulletin Modifications Site.

PHPSpellchecker for VB2.x! (Beta) · **Released**: 07-14-2002

OK, finally here is the code for the PHPSpellchecker!
If you find any bugs, please post your findings here

Check out the Zip file for more info.

Enjoy!
Raz

Note: You will require PSpell (inc ASpell) installed.

Paul · #62 11-02-2002, 06:21 PM

Well, this script needs a couple of security modifications--it's open to XSS vulnerabilities big time.

I don't have time to look at the code right now, but perhaps someone who's more familiar with javascript could take a look at this. Using the word "javascript" in the text of a message you're spell checking will let you run whatever you'd like. This needs to be htmlspecialchars()'d and properly handle the word javascript in a message.

Raz · #63 11-02-2002, 06:27 PM

Quote:

Originally posted by Prince
I deinstalled this hack and gave up on it since Raz does not seem interested in fixing it.

Sorry about that, been busy with other stuff.

The error message means you don't have pspell compiled into PHP.

Raz · #64 11-02-2002, 06:28 PM

Quote:

Originally posted by LoveShack
Well, this script needs a couple of security modifications--it's open to XSS vulnerabilities big time.

I don't have time to look at the code right now, but perhaps someone who's more familiar with javascript could take a look at this. Using the word "javascript" in the text of a message you're spell checking will let you run whatever you'd like. This needs to be htmlspecialchars()'d and properly handle the word javascript in a message.

Can you give an example?

I can't seem to reproduce what you're saying.

The line "$outtext = htmlentities(stripslashes($checktext));" should prevent what you are experiencing.

Paul · #65 11-02-2002, 06:33 PM

Try the following condition:

<misspelt word> javascript </script>

I.e.

d0gzasdf javascript </script>

Raz · #66 11-02-2002, 06:37 PM

This is the output I get:

Quote:

<font face="Verdana, Arial, Helvetica, sans-serif" size="2">d0gzasdf <a href="javascript:submitWord('javascript')" name="word2"><font color=red><b>javascript</b></font></a> </script></font></body></html>

Seems harmless.

Paul · #67 11-02-2002, 06:43 PM

Oops. I mixed up examples

Appending </script> to the body will cause an error when pressing "Finished Checking" ... to see the javascript issue, remove the </script>.

Try asdfasdf javascript asdfasdf

Raz · #68 11-02-2002, 06:45 PM

Yep got some malformed output. But still can't understand how this can be exploited.

The reason its malformed is because it replaces all javascript references, including the ones the spellchecker creates to a link to be corrected.

Paul · #69 11-03-2002, 01:47 AM

Hrmm. I haven't been able to come up with a way to exploit it myself, but seeing as input text is being processed as part of the script, a bunch of red flags go up.

How can we sandbox it?

Any luck with Netscape/Opera?

Paul · #70 11-03-2002, 02:30 AM

Just a note on the NS/Opera issue--I have a suspicion that the hidden form being called in spellcheck.php is the problem here--specifically, I think forms are only recognized by NS/Opera within <body></body> tags--since this form is hidden in a frameset page, I believe that's where the problem is arising.

I'll let you know what I find out.

Paul · #71 11-03-2002, 03:28 AM

Unfortunately, you can't have <body> and <frameset> tags in the same page. I've been able to confirm that the issue with Netscape and Opera is the <form> code being placed in the frameset in spellcheck.php--this is illegal html. According to w3c specifications, <form> can only be placed within <body> tags.

I don't know enough javascript to get this thing to work -- would it be possible to move the form to the templates instead?

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.05212 seconds Memory Usage 2,301KB Queries Executed 25 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (3)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)modsystem_post (1)navbar (6)navbar_link (120)option (1)pagenav (1)pagenav_curpage (4)pagenav_pagelink (11)post_thanks_box (11)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (11)post_thanks_postbit_info (10)postbit (11)postbit_onlinestatus (11)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!