Snitz Forums 2000 DEV-Group - DEV Bug Reports (Open)
V3.3(.03) BUG+FIX: inc_functions.asp
bWM
Starting Member

3 Posts

Posted - 30 March 2002 : 15:22:04
Hi folks!

I'm soo bored right now, why don't you write me a message?



Edited by - bWM on 30 March 2002 15:35:30

Rasco
Advanced Member

Germany
3192 Posts

Posted - 30 March 2002 : 17:23:42
Should I start up my mail-bombing program?


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 30 March 2002 : 18:48:12
in your inc_functions.asp, in the ReplaceImageTags function find this section of code:

strUrlText = replace(strUrlText, """", "") ' ## filter out "
'## Added to exclude Javascript and other potentially hazardous characters
strUrlText = replace(strUrlText, "&", "", 1, -1, 1) ' ## filter out &
strUrlText = replace(strUrlText, "#", "", 1, -1, 1) ' ## filter out #
strUrlText = replace(strUrlText, ";", "", 1, -1, 1) ' ## filter out ;
strUrlText = replace(strUrlText, "+", "", 1, -1, 1) ' ## filter out +
strUrlText = replace(strUrlText, "(", "", 1, -1, 1) ' ## filter out (
strUrlText = replace(strUrlText, ")", "", 1, -1, 1) ' ## filter out )
strUrlText = replace(strUrlText, "[", "", 1, -1, 1) ' ## filter out [
strUrlText = replace(strUrlText, "]", "", 1, -1, 1) ' ## filter out ]
strUrlText = replace(strUrlText, "=", "", 1, -1, 1) ' ## filter out =
strUrlText = replace(strUrlText, "*", "", 1, -1, 1) ' ## filter out *
strUrlText = replace(strUrlText, "'", "", 1, -1, 1) ' ## filter out '
strUrlText = replace(strUrlText, "javascript", "", 1, -1, 1) ' ## filter out javascript


add the following to that section:

strUrlText = replace(strUrlText, "vbscript", "", 1, -1, 1) ' ## filter out vbscript
strUrlText = replace(strUrlText, "mailto", "", 1, -1, 1) ' ## filter out mailto


bWM
Starting Member

3 Posts

Posted - 31 March 2002 : 10:22:10
@Rasco
But only if you write in German

@Richard Kinser
by the way....

strUrlText = replace(strUrlText, "vbscript", "", 1, -1, 1)
Over 80% are using IE, so don't forget to disable VBS!!

greetZ Ben



work mule
Senior Member

USA
1358 Posts

Posted - 01 April 2002 : 18:22:58
How about including the : character too?


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 01 April 2002 : 20:22:03
because http:// would become http//

HuwR
Forum Admin

United Kingdom
20595 Posts

Posted - 02 April 2002 : 02:32:28
the other problem with that Richard is that there are quite a few different ways of writing vbscript and jscript which would fool your replace function


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 02 April 2002 : 02:40:34
can you give me some examples?

Nathan
Help Moderator

USA
7664 Posts

Posted - 02 April 2002 : 02:48:52
Do you mean like javascript:

  Nathan Bales - Romans 15:13
----------------------------------

Snitz Exchange | Do's and Dont's

HuwR
Forum Admin

United Kingdom
20595 Posts

Posted - 02 April 2002 : 02:52:46
Yes, but I guess the rest of the function will filter the & and #, I guess, so it wouldn't matter


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 02 April 2002 : 02:57:11
Yep, that's why those characters were included.

javascript: would become: javascrx69pt:

Nathan
Help Moderator

USA
7664 Posts

Posted - 02 April 2002 : 03:08:19
Instead of filtering out those other characters, why not just convert them into their HTML entities. For example & would be converted to &#38.

Then when someone tried to put in javascript: It would become javascr&#38#x69;pt: which to the browser would just be javascript: instead of javascript:

  Nathan Bales - Romans 15:13
----------------------------------

Snitz Exchange | Do's and Dont's


Edited by - Nathan on 02 April 2002 03:10:24

Edited by - Nathan on 02 April 2002 03:10:59
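To make the exchange above concrete, here is an added example that is not Snitz code and was not posted by anyone in this thread: it models Richard's replace() chain in Python (including the vbscript and mailto additions) and contrasts it with a scheme allowlist that decodes HTML entities before deciding, which is the check a reviewer would want given HuwR's point that a scheme can be written several ways. The function names and the sample URLs are assumptions made for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Blacklist taken from the thread's ReplaceImageTags excerpt (v3.3.03 plus the two additions).
STRIPPED_CHARS = '"&#;+()[]=*\''
STRIPPED_WORDS = ("javascript", "vbscript", "mailto")

def snitz_blacklist_filter(url_text: str) -> str:
    """Python model of the VBScript replace() chain posted in the thread.
    Each blacklisted character is deleted, then each blacklisted word is
    deleted case-insensitively (replace(..., 1, -1, 1) uses vbTextCompare)."""
    for ch in STRIPPED_CHARS:
        url_text = url_text.replace(ch, "")
    for word in STRIPPED_WORDS:
        url_text = re.sub(re.escape(word), "", url_text, flags=re.IGNORECASE)
    return url_text

# Allowlist approach (assumed policy for this example): only absolute http(s) image URLs.
ALLOWED_SCHEMES = {"http", "https"}

def is_safe_image_url(url_text: str) -> bool:
    """Decode HTML entities first, so an entity-obfuscated scheme is seen the
    way the browser would see it, then accept only http(s) with a host.
    Unlike a ':' blacklist, this keeps the ':' that http:// needs."""
    decoded = html.unescape(url_text).strip()
    parts = urlsplit(decoded)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)

if __name__ == "__main__":
    # Constructed samples; the entity-encoded form is the one Richard traced in the thread.
    samples = (
        "http://example.com/pic.gif",
        "javascript:",
        "javascr&#x69;pt:",
        "mailto:info@example.com",
    )
    for s in samples:
        print(f"{s!r:28} blacklist -> {snitz_blacklist_filter(s)!r:20} allowlist -> {is_safe_image_url(s)}")
```

The blacklist turns javascr&#x69;pt: into javascrx69pt: exactly as Richard describes, while the allowlist rejects it because it looks at the decoded scheme rather than at individual characters.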

joatham
Junior Member

United Kingdom
169 Posts

Posted - 11 April 2002 : 06:20:45
quote:

in your inc_functions.asp, in the ReplaceImageTags function find this section of code:

strUrlText = replace(strUrlText, """", "") ' ## filter out "
'## Added to exclude Javascript and other potentially hazardous characters
{snip}

add the following to that section:
strUrlText = replace(strUrlText, "vbscript", "", 1, -1, 1) ' ## filter out vbscript
strUrlText = replace(strUrlText, "mailto", "", 1, -1, 1) ' ## filter out mailto

I haven't got any code like that in ReplaceImageTags function in inc_functions.asp with version 3.3.03, is this for Snitz v4?

John


RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 11 April 2002 : 16:34:45
did you not install this update:

http://forum.snitz.com/forum/topic.asp?TOPIC_ID=23660

joatham
Junior Member

United Kingdom
169 Posts

Posted - 14 April 2002 : 13:31:31
quote:

did you not install this update:

http://forum.snitz.com/forum/topic.asp?TOPIC_ID=23660

Ahh, no. Thanks for that, I will install it (and the changes) now.

John

For more snitz mods and information, see the Cosmic Cat Snitz Mods Homepage

roberty
Starting Member

7 Posts

Posted - 09 May 2002 : 07:46:13
Hi,

My forum has been hacked ......

Can I just apply the security patches, do a database roll back ........

How can I go about fixing it ..... Thanks ....

