The Unofficial LineMarvel Forums  

Go Back   The Unofficial LineMarvel Forums > Everything Else
Reload this Page Double checking XSS suspicions.
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #1  
Old 27th February 2009
QuirkyQuark's Avatar
QuirkyQuark QuirkyQuark is offline
Demon Girl Pro
  
Join Date: Dec 2008
Location: Right behind you!
Posts: 147
QuirkyQuark no longer a lurker
Default Double checking XSS suspicions.
<script>
document.write("This is in javascript!");
alert("XSS Hole!");
</script>
You might want to take a look at this Aika, defiantly not cool.

PS: this is not in the forum dev section because html is disabled there.
__________________
Quote:
Originally Posted by aika View Post
Is that... normal hentai? Do I see consent?
That's disgusting You should be ashamed of yourself.
Last edited by QuirkyQuark; 27th February 2009 at 07:32.
Reply With Quote
  #2  
Old 27th February 2009
Lipucd's Avatar
Lipucd Lipucd is offline
Sex Demon
  
Join Date: Feb 2009
Posts: 260
Lipucd is a valued memberLipucd is a valued member
Default Re: Double checking XSS suspicions.
YARG!
Talk about a really easy bypass!
Needs to be fixed ASAP!
Reply With Quote
  #3  
Old 27th February 2009
XSI's Avatar
XSI XSI is offline
Tentacle God
  
Join Date: Nov 2008
Posts: 911
XSI is a celebrity of the forumXSI is a celebrity of the forumXSI is a celebrity of the forumXSI is a celebrity of the forumXSI is a celebrity of the forumXSI is a celebrity of the forumXSI is a celebrity of the forum
Default Re: Double checking XSS suspicions.
While this is not fixed, I suggest firefox with noscript, set it to not allow any scripts from anything on the forum.


Or just set any other browser to just not allow scripts.
__________________


Watching LM's site since jungle girl and lurking the forums since the start, lots of spare time.
Reply With Quote
  #4  
Old 27th February 2009
Diagasvesle's Avatar
Diagasvesle Diagasvesle is offline
Tentacle God
  
Join Date: Dec 2008
Location: I secretive
Posts: 2,728
Diagasvesle is a name known to allDiagasvesle is a name known to allDiagasvesle is a name known to allDiagasvesle is a name known to all
Send a message via MSN to Diagasvesle
Default Re: Double checking XSS suspicions.
How do you do that?
__________________
Phantasy is life GG. Tentacle hentai comes a close second.




Insanity
The road to happiness is paved with self delusion

Currently Working on and need votes for:
CYOAS Diagasvesle Style 3
Completed Adventure stories:
Choose your own adventure story DoP style. Diagasvesle.
Dead Adventure Stories:
C.Y.O.A.S Diagasvesle style 1
Reply With Quote
  #5  
Old 27th February 2009
Lipucd's Avatar
Lipucd Lipucd is offline
Sex Demon
  
Join Date: Feb 2009
Posts: 260
Lipucd is a valued memberLipucd is a valued member
Default Re: Double checking XSS suspicions.
Quote:
Originally Posted by Diagasvesle View Post
How do you do that?
Its a Javascript command, kinda shocked a chat board like this would just allow a user to do something like that under the "Html code".

@XSI: Oh I already had it thank you, but I knew something was up the SECOND the notice popped up...
Reply With Quote
  #6  
Old 27th February 2009
aika's Avatar
aika aika is offline
El Presidente
  
Join Date: Nov 2008
Location: Lunatic Pandora
Posts: 2,075
aika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these parts
Send a message via MSN to aika
Default Re: Double checking XSS suspicions.
Hmm, is there any way to deal with this except completely forbidding html?
__________________
Reply With Quote
  #7  
Old 27th February 2009
QuirkyQuark's Avatar
QuirkyQuark QuirkyQuark is offline
Demon Girl Pro
  
Join Date: Dec 2008
Location: Right behind you!
Posts: 147
QuirkyQuark no longer a lurker
Default Re: Double checking XSS suspicions.
Depends if you've got control over the code or not. If you do, then it should just be a basic change to a central file. If you don't; you'd want to contact vBulletin, direct them to this page, tell them their code sucks, and turn off HTML while they fix it.

This is really pathetic. With code injection this easy, I could have a full worm up and running before anyone knew what the fuck was going on. Come on vBulletin, I expect more from you!

EDIT: and yes, noscript is really good.
__________________
Quote:
Originally Posted by aika View Post
Is that... normal hentai? Do I see consent?
That's disgusting You should be ashamed of yourself.
Reply With Quote
  #8  
Old 27th February 2009
aika's Avatar
aika aika is offline
El Presidente
  
Join Date: Nov 2008
Location: Lunatic Pandora
Posts: 2,075
aika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these parts
Send a message via MSN to aika
Default Re: Double checking XSS suspicions.
Except that I have noscript whitelisting ulmf.org
__________________
Reply With Quote
  #9  
Old 27th February 2009
aika's Avatar
aika aika is offline
El Presidente
  
Join Date: Nov 2008
Location: Lunatic Pandora
Posts: 2,075
aika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these parts
Send a message via MSN to aika
Default Re: Double checking XSS suspicions.
Interesting, this hasn't been disabled although I disabled [html] tags.

Hmm.

Can someone other than me try posting that again?
__________________
Reply With Quote
  #10  
Old 27th February 2009
QuirkyQuark's Avatar
QuirkyQuark QuirkyQuark is offline
Demon Girl Pro
  
Join Date: Dec 2008
Location: Right behind you!
Posts: 147
QuirkyQuark no longer a lurker
Default Re: Double checking XSS suspicions.
<script>
document.write("This is in javascript!");
</script>

looks fixed to me.
__________________
Quote:
Originally Posted by aika View Post
Is that... normal hentai? Do I see consent?
That's disgusting You should be ashamed of yourself.
Reply With Quote
  #11  
Old 27th February 2009
aika's Avatar
aika aika is offline
El Presidente
  
Join Date: Nov 2008
Location: Lunatic Pandora
Posts: 2,075
aika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these partsaika is famous around these parts
Send a message via MSN to aika
Default Re: Double checking XSS suspicions.
Excellent.

I removed the original because it was annoying.
__________________
Reply With Quote
  #12  
Old 28th February 2009
QuirkyQuark's Avatar
QuirkyQuark QuirkyQuark is offline
Demon Girl Pro
  
Join Date: Dec 2008
Location: Right behind you!
Posts: 147
QuirkyQuark no longer a lurker
Default Re: Double checking XSS suspicions.
Now I feel sad that I gave up a perfectly good chance to take over the forums and make myself a mod.
/cry
__________________
Quote:
Originally Posted by aika View Post
Is that... normal hentai? Do I see consent?
That's disgusting You should be ashamed of yourself.
Reply With Quote
  #13  
Old 28th February 2009
Nunu's Avatar
Nunu Nunu is offline
Despot
  
Join Date: Nov 2008
Location: A little to the left
Posts: 3,538
Nunu has a reputation beyond reputeNunu has a reputation beyond reputeNunu has a reputation beyond reputeNunu has a reputation beyond reputeNunu has a reputation beyond reputeNunu has a reputation beyond reputeNunu has a reputation beyond reputeNunu has a reputation beyond reputeNunu has a reputation beyond reputeNunu has a reputation beyond reputeNunu has a reputation beyond repute
Send a message via AIM to Nunu Send a message via MSN to Nunu Send a message via Yahoo to Nunu
Default Re: Double checking XSS suspicions.
Is that a dare or something... you think you could defeat me?!?
__________________
"I make awesome decision in bike stores" - Kanye West
Reply With Quote
  #14  
Old 28th February 2009
QuirkyQuark's Avatar
QuirkyQuark QuirkyQuark is offline
Demon Girl Pro
  
Join Date: Dec 2008
Location: Right behind you!
Posts: 147
QuirkyQuark no longer a lurker
Default Re: Double checking XSS suspicions.
I hadn't seen you around for a bit, I figured I'd have at least some time before the mighty Nunu crushed me.
__________________
Quote:
Originally Posted by aika View Post
Is that... normal hentai? Do I see consent?
That's disgusting You should be ashamed of yourself.
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


All times are GMT. The time now is 06:23.

The ULMF Forums - Archive - Top

Powered by vBulletin® Version 3.7.4
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.