Oh, the stupidity
ZiNgA BuRgA
Fag
Posts: 3,357
Joined: Jan 2008
Post: #1
Oh, the stupidity
I find it highly amusing:
http://mybbrunway.com/forums/thread-mytips

Ignoring the fact that the second code given isn't even valid HTML, they don't seem to get it even when the problem is basically thrown in their face.

Oh well, most MyBB community members are stupid, there's nothing new about that.
But if you do see anyone use something like that on your forum, you can have a field day with XSS exploiting them (psst, I bet the OP has it installed on his forum; if you want to mess something up, gaining admin access to his forum might be fun - that might teach him to actually care about security issues reported to him and maybe think twice about giving clueless people exploitable code).

My Blog
(This post was last modified: 10-21-2010 03:43 PM by ZiNgA BuRgA.)
10-21-2010 03:42 PM
1master1
Member
Posts: 232
Joined: Oct 2010
Post: #2
RE: Oh, the stupidity
Seems he had gone off the limits of his mind, thinking that he too can develop some copy-paste MyCodes. It's better to have an idea about what the code does and how far it is necessary for us. I loled at Yumi's reply. Tongue
10-21-2010 10:40 PM
MattR
Junior Member
Posts: 40
Joined: Jul 2010
Post: #3
RE: Oh, the stupidity
At least you tried to explain it. To be honest, custom MyCodes aren't really something I ask about when people say they've been hacked, but I guess I should; it's never really crossed my mind. With this you could write something to read a cookie (mybbuser to get the loginkey, adminsid to get the admin session), redirect to a file on your server that stores that, and then redirect back to the original thread so nobody'd realise. Or execute a MyBB action, as the post key is stored in a JavaScript variable. Or redirect to porn, or some other dodgy site. Or kill your CPU. Even worse, it uses onmouseover, so you don't even need to click the link.
(This post was last modified: 10-22-2010 08:04 AM by MattR.)
10-22-2010 07:59 AM
ZiNgA BuRgA
Fag
Posts: 3,357
Joined: Jan 2008
Post: #4
RE: Oh, the stupidity
Most MyCodes don't stick replacements in JavaScript, which isn't too bad.

Most MyCodes I've seen, however, are vulnerable to some injection. MyBB filters out most JavaScript (it forgets some events such as onError, onKeyPress, etc.) and escapes < and > characters, so the worst is often avoided, but people really need to avoid using the (.*?) match.
I tried writing an Easy MyCodes plugin, but it doesn't seem to have attracted much attention.

If MyBB still doesn't filter " characters by the time custom MyCode is parsed, the example in the first post is even worse, as CSS can be injected, e.g.:

Code:
[tip]aba');" style="position: absolute; left: 0; top: 0; display: block; width: 100%; height: 10000%;" rel="[/tip]


My Blog
10-22-2010 09:11 AM
ZiNgA BuRgA
Fag
Posts: 3,357
Joined: Jan 2008
Post: #5
RE: Oh, the stupidity
Try it yourself.

My Blog
10-23-2010 09:35 AM
ZiNgA BuRgA
Fag
Posts: 3,357
Joined: Jan 2008
Post: #6
RE: Oh, the stupidity
Then what are you asking?

My Blog
10-23-2010 10:40 PM
MattR
Junior Member
Posts: 40
Joined: Jul 2010
Post: #7
RE: Oh, the stupidity
Seems Yumi's gone mad and has started talking to himself Tongue
(This post was last modified: 10-24-2010 07:03 AM by MattR.)
10-24-2010 07:03 AM
1master1
Member
Posts: 232
Joined: Oct 2010
Post: #8
RE: Oh, the stupidity
Yeah, MattR.
Well, Yumi, as you said we need to avoid the (.*?) match; this plugin contains this match, so is it vulnerable?

http://community.mybb.com/thread-66696.html
10-24-2010 08:34 AM
ZiNgA BuRgA
Fag
Posts: 3,357
Joined: Jan 2008
Post: #9
RE: Oh, the stupidity
(10-24-2010 07:03 AM)MattR Wrote:  Seems Yumi's gone mad and has started talking to himself Tongue
The fun of deleting messages - you can make the other person seem weird.
I'm guessing Imran has some connection with Shahaab and doesn't want others to be aware of it.

(10-24-2010 08:34 AM)1master1 Wrote:  this plugin contains this match and is it vulnerable?

http://community.mybb.com/thread-66696.html
Probably.

Code:
[img]http://example.com/invalid_image.gif" onerror="alert('hi');[/img]


My Blog
(This post was last modified: 10-24-2010 10:24 AM by ZiNgA BuRgA.)
10-24-2010 10:20 AM
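Posts #4 and #9 above make the same point: a custom MyCode that captures `(.*?)` and drops the match straight into an HTML attribute (or, worse, into an inline event handler) lets a `"` in the post body close the attribute and append new ones. The script below is an added example, not code from this thread or from MyBB. It assumes a made-up `[tip]`/`[img]` template pair, renders the thread's own two payloads plus two benign posts with a loose replacement and with a hardened one, and then audits the rendered HTML with a real parser rather than a regex (so that `style=` appearing as escaped text is not mistaken for an attribute). The hardening shown is two separate fixes: user text goes into a `data-` attribute with attribute escaping instead of into script, and the `[img]` capture has to look like a plain URL or the MyCode is left unrendered. It assumes, as post #4 does, that `"` is not filtered before custom MyCode runs.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample posts: the two payloads quoted in the thread (posts #4 and #9)
# plus two benign uses of the same tags. All values are constructed for this example.
SAMPLE_POSTS = {
    "benign_tip": "[tip]hover me[/tip]",
    "benign_img": "[img]http://example.com/cat.gif[/img]",
    "tip_breakout": ('[tip]aba\');" style="position: absolute; left: 0; top: 0; '
                     'display: block; width: 100%; height: 10000%;" rel="[/tip]'),
    "img_onerror": "[img]http://example.com/invalid_image.gif\" onerror=\"alert('hi');[/img]",
}

# Hypothetical MyCode patterns; the capture groups are deliberately as loose as the
# ones the thread complains about, so the difference is entirely in how they are used.
TIP_RE = re.compile(r"\[tip\](.+?)\[/tip\]", re.S)
IMG_RE = re.compile(r"\[img\](.+?)\[/img\]", re.S)

# Whitelist for an image URL: scheme plus ordinary URL characters, no quotes, spaces or brackets.
SAFE_URL_RE = re.compile(r"^https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+$")


def render_loose(text: str) -> str:
    """The pattern the thread warns about: the capture is dropped into an attribute
    (and, for [tip], into an inline event handler) without any escaping."""
    def tip(m):
        v = m.group(1)
        return f'<a href="#" onmouseover="tip(\'{v}\')" rel="tip">{v}</a>'

    def img(m):
        return f'<img src="{m.group(1)}" alt="" />'

    return IMG_RE.sub(img, TIP_RE.sub(tip, text))


def render_hardened(text: str) -> str:
    """Two fixes: user text goes into a data attribute (never into script) with & < > " '
    encoded, and the [img] capture must be a plain URL or the MyCode is left as text."""
    def tip(m):
        v = html.escape(m.group(1), quote=True)
        return f'<span class="tip" data-tip="{v}">{v}</span>'

    def img(m):
        url = m.group(1)
        if not SAFE_URL_RE.match(url):
            return m.group(0)  # leave the raw MyCode as text; no tag is emitted at all
        return f'<img src="{html.escape(url, quote=True)}" alt="" />'

    return IMG_RE.sub(img, TIP_RE.sub(tip, text))


class _AttrCollector(HTMLParser):
    """Collects attribute names from real start tags, so text such as 'style=' that ends up
    inside an escaped attribute value is not mistaken for an attribute."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def injected_attributes(rendered: str, allowed=("onmouseover",)):
    """Sorted names of event-handler or style attributes the templates did not intend to emit.
    'onmouseover' is allowed because the loose [tip] template legitimately uses it."""
    p = _AttrCollector()
    p.feed(rendered)
    suspicious = {n for n in p.names if n.startswith("on") or n == "style"}
    return sorted(suspicious - set(allowed))


def audit(posts=SAMPLE_POSTS):
    """Render each post both ways and report which unexpected attributes each rendering leaks."""
    return {name: {"loose": injected_attributes(render_loose(body)),
                   "hardened": injected_attributes(render_hardened(body))}
            for name, body in posts.items()}


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:14s} loose={result['loose']} hardened={result['hardened']}")
```

Running it shows the loose templates leaking `style` for the `[tip]` payload and `onerror` for the `[img]` payload, while the hardened templates leak nothing and still render the benign posts. The `[tip]` fix is worth noting on its own: HTML-escaping a value and then placing it inside `onmouseover="tip('...')"` would not have been enough, because the browser decodes the attribute before running it as script, so `&#x27;` turns back into `'` and breaks the string; keeping user text out of script context entirely is what makes the escaping sufficient.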
Harry
Member
Posts: 112
Joined: Mar 2010
Post: #10
RE: Oh, the stupidity
(10-24-2010 10:20 AM)ZiNgA BuRgA Wrote:  
(10-24-2010 07:03 AM)MattR Wrote:  Seems Yumi's gone mad and has started talking to himself Tongue
The fun of deleting messages - you can make the other person seem weird.
I'm guessing Imran has some connection with Shahaab and doesn't want others to be aware of it.

(10-24-2010 08:34 AM)1master1 Wrote:  this plugin contains this match and is it vulnerable?

http://community.mybb.com/thread-66696.html
Probably.

Code:
[img]http://example.com/invalid_image.gif" onerror="alert('hi');[/img]


Ummm... I thought these plugins etc. were supposed to be checked for this sort of thing before they get added? In either case, that thread should be closed/locked and deleted till the issue is fixed with that plugin.
10-24-2010 06:19 PM