[Beta] Java in post fix!

This is where you'll find security related information.
Discuss Integramod/phpbb security issues here.

Moderator: Integra Moderator

PostAuthor: Michaelo » Fri Oct 06, 2006 10:32 am

It simply is not a good idea to allow java scripts in posts (and sigs), it will leave you open to hacking and can screw up your posts...

Fix:
Code:
Open]*Java script is not allowed in posts[/color]',$lookfor,$message);
        $lookfor = "</script>";
        $message = str_replace('[color=red]Java script is not allowed in posts*[/color]',$lookfor,$message);

Open]*Java script is not allowed in posts[/color]',$message);
        $lookfor = "</script>";
        $message = str_replace($lookfor,'[color=red]Java script is not allowed in posts*[/color]',$message);


This will replace the java tags with this message (Java script is not allowed in posts) in the post and also disable the script...

Mike

PS: if you install this fix, post your results here; it needs testing before inclusion with 1.4.1 Beta...
Last edited by Michaelo on Fri Oct 06, 2006 10:50 am, edited 1 time in total.

Re: Java in post

PostAuthor: Dragonsys » Fri Oct 06, 2006 10:37 am

I like this. I'll have to test it out on my site. I like how it gives a warning, instead of just messing up the look of the page.

Re: [Beta] Java in post fix!

PostAuthor: Dragonsys » Mon Oct 16, 2006 7:51 am

It doesn't seem to work.
See here - http://beta.dragonsys.org/im_test/viewtopic.php?p=52
I have made the changes above on that site.

PostAuthor: Michaelo » Mon Oct 16, 2006 2:29 pm

It is working... you will see in both posts 'Java script is not allowed in posts*'

The closing java script tag is replaced by the text above... so the java can't execute...
Mike

PostAuthor: Dragonsys » Mon Oct 16, 2006 4:22 pm

Michaelo wrote:
It is working... you will see in both posts 'Java script is not allowed in posts*'

The closing java script tag is replaced by the text above... so the java can't execute...
Mike


doh! guess I didn't look hard enough

Re: [Beta] Java in post fix!

PostAuthor: Michaelo » Mon Oct 16, 2006 11:57 pm

No worries...

Re: [Beta] Java in post fix!

PostAuthor: Dragonsys » Mon Nov 06, 2006 6:07 am

I made a slight change to this. The Message was not showing up in red for me, so I changed the following:

OPEN posting.php
FIND:
Code: Select all
[color=red]

REPLACE WITH][color=red][/code]
OPEN includes/functions_post.php
FIND][color=red][/code]
REPLACE WITH][color=red][/code]

This works for me
Thank you Michaelo

PostAuthor: Michaelo » Mon Nov 06, 2006 9:42 am

Dragonsys... your post did not display properly...
We are working on some alternatives but the current one seems to cause the least amount of complication...

Re: [Beta] Java in post fix!

PostAuthor: evolver » Mon Nov 06, 2006 4:14 pm

TIP:
Change the numbers in the color tags to $bbcode_uid
Like [color=red:92f6012507] to [color=red:$bbcode_uid]
These numbers are supposed to be unique for each post...

EDIT:
Also change the ' to " for these, otherwise it will not read $bbcode_uid as a string...

OK, here's the same code, corrected:

Code:
Open]*Java script is not allowed in posts[/color]",$lookfor,$message);
      $lookfor = "&lt;/script&gt;";
      $message = str_replace("[color=red]Java script is not allowed in posts*[/color]",$lookfor,$message);

Open: functions_post.php

Find:
   else
   {
      $message = preg_replace($html_entities_match, $html_entities_replace, $message);
   }

After Add:
      $lookfor = "&lt;script&gt;";
      $message = str_replace($lookfor,"[color=red]*Java script is not allowed in posts[/color]",$message);
      $lookfor = "&lt;/script&gt;";
      $message = str_replace($lookfor,"[color=red]Java script is not allowed in posts*[/color]",$message);
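
An added example (not part of any post in this thread) of what the corrected replacement does to text that has already been through the entity replacement shown in the Find block. The function names, the uid and the sample posts are constructed; htmlspecialchars() is a stand-in for the board's entity replacement, and the [/color:uid] closing form is an assumption.

```php
<?php
// Added example, not code from the thread. Names and sample posts are constructed.

// The thread's replacement with evolver's corrections: double-quoted strings,
// so $bbcode_uid is interpolated into the colour tag instead of staying literal.
// Assumption: the closing tag takes the form [/color:uid]; the thread shows
// only the opening tag with a uid.
function flag_script_tags(string $message, string $bbcode_uid): string
{
    $open  = "[color=red:$bbcode_uid]*Java script is not allowed in posts[/color:$bbcode_uid]";
    $close = "[color=red:$bbcode_uid]Java script is not allowed in posts*[/color:$bbcode_uid]";
    // str_replace() is case-sensitive and matches these exact strings only.
    $message = str_replace('&lt;script&gt;', $open, $message);
    return str_replace('&lt;/script&gt;', $close, $message);
}

// Stand-in (assumption) for the entity replacement that runs before the added lines.
function encode_entities(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

$uid = '0a1b2c3d4e'; // constructed uid
$posts = [
    'exact tag'       => 'a <script>alert(1)</script> b',
    'upper-case tag'  => 'a <SCRIPT>alert(1)</SCRIPT> b',
    'tag + attribute' => 'a <script type="text/javascript">alert(1)</script> b',
];

foreach ($posts as $label => $raw) {
    $stored  = flag_script_tags(encode_entities($raw), $uid);
    // Count how many notices the replacement inserted.
    $notices = substr_count($stored, 'Java script is not allowed in posts');
    // Check whether any unencoded '<' survived into the stored text.
    $rawTag  = strpos($stored, '<') !== false;
    printf("%-16s notices=%d raw '<' present=%s\n", $label, $notices, $rawTag ? 'yes' : 'no');
}
```

Only the exact lower-case pair receives both notices, while none of the stored strings contains a raw `<`: in this sketch the entity encoding is what keeps the markup inert, and the notice is a visible hint on top of it.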

PostAuthor: Michaelo » Mon Nov 06, 2006 8:10 pm

This code has been superseded, will post new fix later... only a minor security update....

