frog-man
Starting Member
2 Posts
Posted - 03 May 2002 : 09:25:41
Look at it:
It is: javajavascriptscript
And vbscvbscriptipt
frog
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 03 May 2002 : 15:40:26
So you were able to get it to display the word "javascript". What good would that do with all of the other characters that we filter out? You aren't showing us anything that we didn't already know.
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 03 May 2002 : 16:00:58
Though I really don't see this as a security hole (though I may be wrong), making the following change should take care of this:
in the inc_functions.asp file in the ReplaceImageTags function find the following:
strUrlText = replace(strUrlText, "javascript", "", 1, -1, 1) ' ## filter out javascript
strUrlText = replace(strUrlText, "vbscript", "", 1, -1, 1) ' ## filter out vbscript
strUrlText = replace(strUrlText, "mailto", "", 1, -1, 1) ' ## filter out mailto
and change it to this: (see post immediately below this one)
do while (instr(lcase(strUrlText),"javascript") > 0)
    strUrlText = replace(strUrlText, "javascript", "", 1, -1, 1) ' ## filter out javascript
loop
do while (instr(lcase(strUrlText),"vbscript") > 0)
    strUrlText = replace(strUrlText, "vbscript", "", 1, -1, 1) ' ## filter out vbscript
loop
do while (instr(lcase(strUrlText),"mailto") > 0)
    strUrlText = replace(strUrlText, "mailto", "", 1, -1, 1) ' ## filter out mailto
loop
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 03 May 2002 : 17:45:10
replace the code with this instead of what I posted above:
do while (instr(lcase(strUrlText),"javascript") > 0) or (instr(lcase(strUrlText),"vbscript") > 0) or (instr(lcase(strUrlText),"mailto") > 0)
    strUrlText = replace(strUrlText, "javascript", "", 1, -1, 1) ' ## filter out javascript
    strUrlText = replace(strUrlText, "vbscript", "", 1, -1, 1) ' ## filter out vbscript
    strUrlText = replace(strUrlText, "mailto", "", 1, -1, 1) ' ## filter out mailto
loop
Xstream-PT
Starting Member
45 Posts
Posted - 07 May 2002 : 22:50:30
So should it look like this:
strUrlText = replace(strUrlText, "*", "", 1, -1, 1) ' ## filter out *
strUrlText = replace(strUrlText, "'", "", 1, -1, 1) ' ## filter out '
'strUrlText = replace(strUrlText, "javascript", "", 1, -1, 1) ' ## filter out javascript
'## End Added
strUrlText = replace(strUrlText, "<", "") ' ## filter out <
strUrlText = replace(strUrlText, ">", "") ' ## filter out >
do while (instr(lcase(strUrlText),"javascript") > 0) or (instr(lcase(strUrlText),"vbscript") > 0) or (instr(lcase(strUrlText),"mailto") > 0)
    strUrlText = replace(strUrlText, "javascript", "", 1, -1, 1) ' ## filter out javascript
    strUrlText = replace(strUrlText, "vbscript", "", 1, -1, 1) ' ## filter out vbscript
    strUrlText = replace(strUrlText, "mailto", "", 1, -1, 1) ' ## filter out mailto
loop
strResultString = strResultString & roTag & strUrlText & rcTag & strArray2(1)
else
    strResultString = strResultString & strArray(counter2)
end if
next
Davio
Development Team Member
Jamaica
12217 Posts
Posted - 08 May 2002 : 00:34:01
Yep.
«------------------------------------------------------» Want to know when the next version comes out, as soon as possible? Join our Mailing Lists!
acemi
Starting Member
16 Posts
Posted - 08 May 2002 : 17:24:52
I think that instead of filtering out the potentially hazardous characters, it would be better to replace them with one blank character.
strUrlText = replace(strUrlText, "<", "")
will be
strUrlText = replace(strUrlText, "<", " ")
Because
%mailto60 will be <
if mailto is filtered out
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 09 May 2002 : 00:59:00
We can just filter out the percent sign as well (%).
Just add this:
strUrlText = replace(strUrlText, "%", "", 1, -1, 1) ' ## filter out %
right after this:
strUrlText = replace(strUrlText, "'", "", 1, -1, 1) ' ## filter out '
acemi
Starting Member
16 Posts
Posted - 09 May 2002 : 03:44:36
What if someone finds another way to use an escape character without using %...?
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 09 May 2002 : 03:53:14
OK, so we'll change this:
strUrlText = replace(strUrlText, """", "") ' ## filter out "
'## Added to exclude Javascript and other potentially hazardous characters
strUrlText = replace(strUrlText, "&", "", 1, -1, 1) ' ## filter out &
strUrlText = replace(strUrlText, "#", "", 1, -1, 1) ' ## filter out #
strUrlText = replace(strUrlText, ";", "", 1, -1, 1) ' ## filter out ;
strUrlText = replace(strUrlText, "+", "", 1, -1, 1) ' ## filter out +
strUrlText = replace(strUrlText, "(", "", 1, -1, 1) ' ## filter out (
strUrlText = replace(strUrlText, ")", "", 1, -1, 1) ' ## filter out )
strUrlText = replace(strUrlText, "[", "", 1, -1, 1) ' ## filter out [
strUrlText = replace(strUrlText, "]", "", 1, -1, 1) ' ## filter out ]
strUrlText = replace(strUrlText, "=", "", 1, -1, 1) ' ## filter out =
strUrlText = replace(strUrlText, "*", "", 1, -1, 1) ' ## filter out *
strUrlText = replace(strUrlText, "'", "", 1, -1, 1) ' ## filter out '
do while (instr(lcase(strUrlText),"javascript") > 0) or (instr(lcase(strUrlText),"vbscript") > 0) or (instr(lcase(strUrlText),"mailto") > 0)
    strUrlText = replace(strUrlText, "javascript", "", 1, -1, 1) ' ## filter out javascript
    strUrlText = replace(strUrlText, "vbscript", "", 1, -1, 1) ' ## filter out vbscript
    strUrlText = replace(strUrlText, "mailto", "", 1, -1, 1) ' ## filter out mailto
loop
'## End Added
strUrlText = replace(strUrlText, "<", "") ' ## filter out <
strUrlText = replace(strUrlText, ">", "") ' ## filter out >
to this:
strUrlText = replace(strUrlText, """", " ") ' ## filter out "
'## Added to exclude Javascript and other potentially hazardous characters
strUrlText = replace(strUrlText, "&", " ", 1, -1, 1) ' ## filter out &
strUrlText = replace(strUrlText, "#", " ", 1, -1, 1) ' ## filter out #
strUrlText = replace(strUrlText, ";", " ", 1, -1, 1) ' ## filter out ;
strUrlText = replace(strUrlText, "+", " ", 1, -1, 1) ' ## filter out +
strUrlText = replace(strUrlText, "(", " ", 1, -1, 1) ' ## filter out (
strUrlText = replace(strUrlText, ")", " ", 1, -1, 1) ' ## filter out )
strUrlText = replace(strUrlText, "[", " ", 1, -1, 1) ' ## filter out [
strUrlText = replace(strUrlText, "]", " ", 1, -1, 1) ' ## filter out ]
strUrlText = replace(strUrlText, "=", " ", 1, -1, 1) ' ## filter out =
strUrlText = replace(strUrlText, "*", " ", 1, -1, 1) ' ## filter out *
strUrlText = replace(strUrlText, "'", " ", 1, -1, 1) ' ## filter out '
strUrlText = replace(strUrlText, "javascript", " ", 1, -1, 1) ' ## filter out javascript
strUrlText = replace(strUrlText, "vbscript", " ", 1, -1, 1) ' ## filter out vbscript
strUrlText = replace(strUrlText, "mailto", " ", 1, -1, 1) ' ## filter out mailto
'## End Added
strUrlText = replace(strUrlText, "<", " ") ' ## filter out <
strUrlText = replace(strUrlText, ">", " ") ' ## filter out >
acemi
Starting Member
16 Posts
Posted - 09 May 2002 : 06:37:31
Filtering out the character % means some characters (such as blanks or non-English characters) cannot be used in the URL.
James
Average Member
USA
539 Posts
Posted - 09 May 2002 : 23:12:04
quote:
do while (instr(lcase(strUrlText),"javascript") > 0) or (instr(lcase(strUrlText),"vbscript") > 0) or (instr(lcase(strUrlText),"mailto") > 0)
    strUrlText = replace(strUrlText, "javascript", " ", 1, -1, 1) ' ## filter out javascript
    strUrlText = replace(strUrlText, "vbscript", " ", 1, -1, 1) ' ## filter out vbscript
    strUrlText = replace(strUrlText, "mailto", " ", 1, -1, 1) ' ## filter out mailto
loop
'## End Added
With the change to adding a blank space for filtered characters, do we really need the do-while-loop now?
- *Interested in Radio Control* *The RC Web Board - http://www.rcwebboard.com/*
RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 10 May 2002 : 00:04:46
No, I had already taken it out, just forgot to update the post above. (It has now been updated.)
I took out the filter for the percent sign (%) too.
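The three filter versions argued over in this thread (the original single-pass removal, the 03 May 17:45 loop, and the 09 May version that substitutes a blank), rewritten in Python as an added example so the behaviour can be checked outside ASP. This is not Snitz code: the function names and the constructed inputs are mine, and replace_ci stands in for VBScript's Replace(..., 1, -1, 1). It shows why the first post's string defeats one pass, why the loop catches it, why the blank makes the loop unnecessary (the point James raised), and the splicing acemi described, where deleting a token joins the characters on either side of it. The first post's vbscript string leaves "vbscipt" after one removal, so the example nests it as "vbscvbscriptript", which does rejoin.

```python
import re

# The three words the Snitz ReplaceImageTags filter strips from URL text.
FORBIDDEN = ("javascript", "vbscript", "mailto")


def replace_ci(text, token, repl):
    """Case-insensitive replace of every occurrence: the Python
    equivalent of VBScript Replace(text, token, repl, 1, -1, 1)."""
    return re.sub(re.escape(token), lambda _m: repl, text, flags=re.IGNORECASE)


def contains_forbidden(url):
    """Post-filter check: does any forbidden token survive?"""
    low = url.lower()
    return any(token in low for token in FORBIDDEN)


def filter_once(url):
    """Original filter: each token removed in one pass. Removing a token
    can splice the text on either side of it into a fresh token."""
    for token in FORBIDDEN:
        url = replace_ci(url, token, "")
    return url


def filter_loop(url):
    """The 03 May 17:45 fix: keep removing until no token is left, so a
    token spliced together by one pass is removed on the next. The string
    gets strictly shorter on every pass, so the loop terminates."""
    while contains_forbidden(url):
        for token in FORBIDDEN:
            url = replace_ci(url, token, "")
    return url


def filter_space(url):
    """The 09 May version: a single pass that puts one blank where each
    token was. None of the tokens contains a blank, so the text on either
    side can never join into a new one, and the loop is not needed."""
    for token in FORBIDDEN:
        url = replace_ci(url, token, " ")
    return url


# Constructed inputs (not taken from any forum's data).
NESTED_JS = "javajavascriptscript:alert(1)"        # the first post's trick
NESTED_VB = "vbscvbscriptript:msgbox(1)"           # vbscript nested so it rejoins
NESTED_MAILTO = "mailmailtoto:someone@example.invalid"
# acemi's concern: deleting "mailto" joins "%" and "3C" into "%3C", the
# percent-encoding of "<", which the later "<" filter does not match.
SPLICE = "%mailto3C"

if __name__ == "__main__":
    for sample in (NESTED_JS, NESTED_VB, NESTED_MAILTO, SPLICE):
        for name, fn in (("once", filter_once), ("loop", filter_loop), ("space", filter_space)):
            out = fn(sample)
            flag = "SURVIVES" if contains_forbidden(out) else "ok"
            print(f"{name:5} {sample!r:42} -> {out!r:36} {flag}")
```

Running it prints one line per sample and filter; only the "once" rows for the nested inputs are flagged SURVIVES. The deeper lesson is the one acemi was circling: any sanitiser that deletes substrings has to be run to a fixed point, or must substitute a separator, because a single deletion changes what the surrounding characters spell.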
LC
New Member
Brazil
70 Posts
Posted - 11 May 2002 : 20:15:29
OK...
Where's the fix?
Because from what I saw here, one would have to dramatically impair the forum just to be safe...
I'm kind of newly introduced to Snitz, but security issues seem to be huge with this app. And following the links for the fixes, I see fixes for the fixes for the fixes, with someone saying this and another saying that, and yet another agreeing with the first, who changed his first approach, and so on.
Where is the fixes' "final" version, or at least the consensus one?
Kudos,
LC
THE NET CENTINELL
Starting Member
Argentina
5 Posts
Posted - 13 May 2002 : 00:07:05
Does the Replace function not work properly, or what? In my Snitz Forums I cannot edit profiles or register new users... it gives me errors in the Replace function.
Help me please.