Snitz Forums 2000 - V3.3(.03) BUG+FIX: inc

Snitz Forums 2000

Username:	Password:
Save Password
Forgot your Password?

All Forums

Snitz Forums 2000 DEV-Group

DEV Bug Reports (Open)

V3.3(.03) BUG+FIX: inc_functions.asp

New Topic

Topic Locked

Printer Friendly

Author

Topic

Page: of 2

bWM
Starting Member

3 Posts

Posted - 30 March 2002 : 15:22:04

Hi folks!

I'm soo bored right now, why don't you write me a message?

info@badwebmasters.de" border=0>

Edited by - bWM on 30 March 2002 15:35:30

Rasco
Advanced Member

Germany
3192 Posts

Posted - 30 March 2002 : 17:23:42

Should I start up my mail-bombing program?

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 30 March 2002 : 18:48:12

in your inc_functions.asp, in the ReplaceImageTags function find this section of code:

 					strUrlText = replace(strUrlText, """", "") ' ## filter out "
					'## Added to exclude Javascript and other potentially hazardous characters
					strUrlText = replace(strUrlText, "&", "", 1, -1, 1) ' ## filter out &
					strUrlText = replace(strUrlText, "#", "", 1, -1, 1) ' ## filter out #
					strUrlText = replace(strUrlText, ";", "", 1, -1, 1) ' ## filter out ;
					strUrlText = replace(strUrlText, "+", "", 1, -1, 1) ' ## filter out +
					strUrlText = replace(strUrlText, "(", "", 1, -1, 1) ' ## filter out (
					strUrlText = replace(strUrlText, ")", "", 1, -1, 1) ' ## filter out )
					strUrlText = replace(strUrlText, "[", "", 1, -1, 1) ' ## filter out [
					strUrlText = replace(strUrlText, "]", "", 1, -1, 1) ' ## filter out ]
					strUrlText = replace(strUrlText, "=", "", 1, -1, 1) ' ## filter out =
					strUrlText = replace(strUrlText, "*", "", 1, -1, 1) ' ## filter out *
					strUrlText = replace(strUrlText, "'", "", 1, -1, 1) ' ## filter out '
					strUrlText = replace(strUrlText, "javascript", "", 1, -1, 1) ' ## filter out javascript

add the following to that section:

					strUrlText = replace(strUrlText, "vbscript", "", 1, -1, 1) ' ## filter out vbscript
					strUrlText = replace(strUrlText, "mailto", "", 1, -1, 1) ' ## filter out mailto

bWM
Starting Member

3 Posts

Posted - 31 March 2002 : 10:22:10

@Rasco
Aber nur wenn du in Deutsch schreibst

@Richard Kinser
by the way....

strUrlText = replace(strUrlText, "vbscript", "", 1, -1, 1)
Over 80% are using IE, so don't forget to disable VBS!!

greetZ Ben

work mule
Senior Member

USA
1358 Posts

Posted - 01 April 2002 : 18:22:58

How about including the : character too?

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 01 April 2002 : 20:22:03

because http:// would become http//

HuwR
Forum Admin

United Kingdom
20595 Posts

Posted - 02 April 2002 : 02:32:28

the other problem with that Richard is that ther arequite a few different ways of writing vbscript and jscript which would fool your replace function

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 02 April 2002 : 02:40:34

can you give me some examples?

Nathan
Help Moderator

USA
7664 Posts

Posted - 02 April 2002 : 02:48:52

Do you mean like javascript:

Nathan Bales - Romans 15:13
----------------------------------
Snitz Exchange | Do's and Dont's

HuwR
Forum Admin

United Kingdom
20595 Posts

Posted - 02 April 2002 : 02:52:46

Yes, but I gues the rest of the function will filter the & and # I gues, so it wouldn't matter

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 02 April 2002 : 02:57:11

Yep, that's why those characters were included.

javascript: would become: javascrx69pt:

Nathan
Help Moderator

USA
7664 Posts

Posted - 02 April 2002 : 03:08:19

Instead of filtering out those other characters, why not just convert them into their HTML entities. For example & would be converted to &#38.

Then when someone tried to put in javascript: It would become javascr&#38#x69;pt: which to the browser would just be javascript: instead of javascript:

Nathan Bales - Romans 15:13
----------------------------------
Snitz Exchange | Do's and Dont's

Edited by - Nathan on 02 April 2002 03:10:24

Edited by - Nathan on 02 April 2002 03:10:59

joatham
Junior Member

United Kingdom
169 Posts

Posted - 11 April 2002 : 06:20:45

quote:

in your inc_functions.asp, in the ReplaceImageTags function find this section of code:

strUrlText = replace(strUrlText, """", "") ' ## filter out "
'## Added to exclude Javascript and other potentially hazardous characters
{snip}

add the following to that section:

strUrlText = replace(strUrlText, "vbscript", "", 1, -1, 1) ' ## filter out vbscript
strUrlText = replace(strUrlText, "mailto", "", 1, -1, 1) ' ## filter out mailto

I haven't got any code like that in ReplaceImageTags function in inc_functions.asp with version 3.3.03, is this for Snitz v4?

John

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 11 April 2002 : 16:34:45

did you not install this update:

http://forum.snitz.com/forum/topic.asp?TOPIC_ID=23660

joatham
Junior Member

United Kingdom
169 Posts

Posted - 14 April 2002 : 13:31:31

quote:

did you not install this update:

http://forum.snitz.com/forum/topic.asp?TOPIC_ID=23660

Ahh, no. Thanks for that, I will install it (and the changes) now.

John

For more snitz mods and information, see the Cosmic Cat Snitz Mods Homepage

roberty
Starting Member

7 Posts

Posted - 09 May 2002 : 07:46:13

Hi,

My forum has been hacked ......

Can I just apply the security patches, do a database roll back ........

How can I go about fixing it ..... Thanks ....

Page: of 2

Topic

New Topic

Topic Locked

Printer Friendly

Jump To:

Snitz Forums 2000

This page was generated in 0.11 seconds.