This is a blog post. To read the original post, please click here »
Apologies, today I found a major security hole in the bbcode system. Or, rather, I saw that a member had found it themselves and was using it in their signature.
While a cool signature, yes, this is a major breach and could have caused a lot of damage, and you really should have told us instead of taking advantage of it :|
The error was in the
Apologies, today I found a major security hole in the bbcode system. Or, rather, I saw that a member had found it themselves and was using it in their signature.
While a cool signature, yes, this is a major breach and could have caused a lot of damage, and you really should have told us instead of taking advantage of it :|
The error was in the
[ /float] bbcode, where one could simply start the line with a semicolon and construct their own style rules for any element. As such it was possible to do anything - cover up site logos, hide images from users, etc. I'm not sure but it might have allowed javascript to be executed which would have been even worse.
It's now been patched up - you can only use "simpletext" in style rules (so you can only use
It's now been patched up - you can only use "simpletext" in style rules (so you can only use
,
for example).
Apologies to those using this in their sigs - but it was exploitation and was a major hole that we didn't know existed :|
I've gone through all the other bbcodes in the system to make sure this is 100% not possible again.
Tags:
Posted under: Community Zine
Read this blog post »
Apologies to those using this in their sigs - but it was exploitation and was a major hole that we didn't know existed :|
I've gone through all the other bbcodes in the system to make sure this is 100% not possible again.
Tags:
Posted under: Community Zine
Read this blog post »