Security vulnerabilities!

[Stoker]

Security vulnerabilities!

On 02 feb 2010 we found out that bbcodes using {TEXT} inside the html tags was a serious security vulnerability.
Therefore I mass mailed all our members with a link to a post with more explanation.
That post is what you see below.

In the meantime a new token was introduced in 3.0.7, {INTTEXT} which is safe to use inside html tags where this is necessary.
We have also secured all bbcodes on this board, no longer using {TEXT} inside html tags.
So you are not to worry about getting insecure code here. I am just reposting because it is important information and for the fact that this issue is not informed well other places.

Hello,

I am very sorry to inform you that we may have been providing insecure code!
The problem is when {TEXT} is used in the html tags.
Just like this:

Code: Select all

<div style="{TEXT1}">{TEXT2}</div>

Instead of using {TEXT} we should use {SIMPLETEXT} or {IDENTIFIER}
Then it would be safe.

Please check all your bbcodes.

Sorry for the inconvenience.

[boardtalk.net]

What could happen if the {TEXT} was not taken out?

[Stoker]

It could cause a XSS vulnerability, try google it for more info.

[Fire-Fox]

So

Code: Select all

<code><font color="#3a9790">{TEXT}</font></code>

should be

Code: Select all

<code><font color="#3a9790">{INTTEXT}</font></code>

then it safe?

[Stoker]

No, thats not the case. Only when TEXT is used inside the html tag.
You can see an example in the Submit a bbcode forum rules which you aff course allready have read since you have submitted a bbcode

[boardtalk.net]

It could cause a XSS vulnerability, try google it for more info.

Thanks, just googled it... all I have to say is... ouch.

[Nully]

Hello,
do you mean, for example in the Youtube BBcode :

Code: Select all

src="http://www.youtube.com/v/{TEXT}"

we have to replace TEXT by INTTEXT ?

And here in the think BBcode :

Code: Select all

<table border="0" cellpadding="0" cellspacing="0"><tr><td style="margin: 0;padding: 0;border: 0;"><div style=" background-color: #ffffff;color: #000000; -moz-border-radius: 16px; -webkit-border-radius: 16px; border: 1px solid #000000; padding: 4px;font-size: 1em;" >&nbsp; {TEXT} &nbsp;</div><img src="images/stoker.gif"></td></tr></table>

[Stoker]

yes and no

[Nully]

Yes for the 1st and no for the 2nd ?
Please...tell me

[cisco007]

that is correct! what you asked for the youtube bbcode that is correct, for the think bbcode it is correct the way it is! since the {TEXT} is actually outside the html tags, it is actually in between the <div> so that is fine!