Re: Custom BBCodes

Posted: Thu Jul 22, 2010 1:09 pm
by updown
Noxwizard wrote: Because you can break out of any tag that uses {TEXT} and create an XSS vulnerability.
Thanks, I know the basics. But HOW is it even possible to break out of the tag when all special-chars are html-encoded?

Re: Custom BBCodes

Posted: Thu Jul 22, 2010 3:09 pm
by coxie
Can anyone help me with a code to embed sopcast player, it's a peer to peer application which streams tv channels. It is possible, I am just useless with bbcode. I do understand it better now and managed to add a justin tv code ok.

Re: Custom BBCodes

Posted: Thu Jul 22, 2010 4:01 pm
by Noxwizard
updown wrote:
Noxwizard wrote: Because you can break out of any tag that uses {TEXT} and create an XSS vulnerability.
Thanks, I know the basics. But HOW is it even possible to break out of the tag when all special-chars are html-encoded?
They aren't all encoded.

Re: Custom BBCodes

Posted: Thu Jul 22, 2010 4:03 pm
by leviatan21
coxie wrote: Can anyone help me with a code to embed sopcast player, it's a peer to peer application which streams tv channels. It is possible, I am just useless with bbcode. I do understand it better now and managed to add a justin tv code ok.
You have 2 options:
1) Using Flash:

[flash=400,300]http://www.justin.tv/widgets/live_embed_player.swf?channel=kastus1005[/flash]
2) Create a custom BBCode:
BBCode usage

[justintv]http://justin.tv/{SIMPLETEXT}[/justintv]
HTML replacement

<object type="application/x-shockwave-flash" height="300" width="400" data="http://www.justin.tv/widgets/live_embed_player.swf?channel={SIMPLETEXT}"><param name="allowFullScreen" value="true" /><param name="allowScriptAccess" value="always" /><param name="allowNetworking" value="all" /><param name="movie" value="http://www.justin.tv/widgets/live_embed_player.swf" /><param name="flashvars" value="channel={SIMPLETEXT}&auto_play=false&start_volume=25" /></object>
Example :

[justintv]http://justin.tv/kastus1005[/justintv]

Re: Custom BBCodes

Posted: Thu Jul 22, 2010 4:35 pm
by coxie
leviatan thanks but I have already done Justin tv and that works fine, I need to make a custom bbcode for sopcast so I can embed that, sopcast is a different application and isn't flash

Re: Custom BBCodes

Posted: Thu Jul 22, 2010 4:37 pm
by leviatan21
coxie wrote: leviatan thanks but I have already done Justin tv and that works fine, I need to make a custom bbcode for sopcast so I can embed that, sopcast is a different application and isn't flash
Sorry I didn't understand your post, unfortunately I can't help you on this, sopcast is not available in my country :oops:

Re: Custom BBCodes

Posted: Thu Jul 22, 2010 5:25 pm
by coxie
Thanks anyway maybe someone else will be able to help cos if you guys here can't help then what chance does a noob like me have lol

Re: Custom BBCodes

Posted: Fri Jul 23, 2010 8:35 am
by updown
Noxwizard wrote:
updown wrote:
Noxwizard wrote: Because you can break out of any tag that uses {TEXT} and create an XSS vulnerability.
Thanks, I know the basics. But HOW is it even possible to break out of the tag when all special-chars are html-encoded?
They aren't all encoded.
All possible XSS-entries that I've tested don't work! Obviously there might be vectors I'm not aware of, or that is just a "precaution" with a "theoretical" vulnerability. Have you or another team-member already managed to include XSS-code in such URL-attribute-environments with {TEXT}?

Re: Custom BBCodes

Posted: Fri Jul 23, 2010 11:13 pm
by Pony99CA
updown wrote: All possible XSS-entries that I've tested don't work! Obviously there might be vectors I'm not aware of, or that is just a "precaution" with a "theoretical" vulnerability. Have you or another team-member already managed to include XSS-code in such URL-attribute-environments with {TEXT}?
I wondered the same thing. I created the following BBCode on my test board:

BBCode usage

[xss={TEXT1}]{TEXT2}[/xss]
HTML replacement

<span style="{TEXT1}">{TEXT2}</span>
I then tried the following text:

Testing Text Security Risk:

[xss=text-decoration: underline;]Hi![/xss]

[xss=color: red;" onMouseDown="alert('You clicked the text!')]Hi![/xss]
The first line displayed underlined text (as expected). The second line displayed red text (as expected) but did not respond to mouse clicks.

I too would be interested in seeing a real example that allowed XSS.

Steve

P.S. Why am I getting Flash 10 security errors when previewing this post?
Error #2044: Unhandled SecurityErrorEvent:. text=Error #2048: Security sandbox violation: http://g4tv.com/assets/flash/videos/vpl ... 3d12829243 cannot load data from http://ad.doubleclick.net/879366/DartSh ... eclick.net.

Re: Custom BBCodes

Posted: Sat Jul 24, 2010 9:38 am
by Mark1200
I'm looking for a BBCode:
[news]{TEXT}[/news]
HTML: Don't have!

With the code you must be able to post in this image!

~ Mark1200

Re: Custom BBCodes

Posted: Sat Jul 24, 2010 10:44 am
by ric323
Mark1200 wrote: I'm looking for a BBCode:
[news]{TEXT}[/news]
HTML: Don't have!

With the code you must be able to post in this ... image!

~ Mark1200
That image is huge, and not visible unless you browse directly to the website it is hosted on first, so they are running some sort of hotlink protection.
Do you mean you want some text to appear in a box with a custom background image?

Re: Custom BBCodes

Posted: Sat Jul 24, 2010 7:08 pm
by Mark1200
ric323 wrote:
Mark1200 wrote: I'm looking for a BBCode:
[news]{TEXT}[/news]
HTML: Don't have!

With the code you must be able to post in this ... image!

~ Mark1200
That image is huge, and not visible unless you browse directly to the website it is hosted on first, so they are running some sort of hotlink protection.
Do you mean you want some text to appear in a box with a custom background image?
Yes, that's what I mean!

~ Mark1200

Re: Custom BBCodes

Posted: Sun Jul 25, 2010 1:56 pm
by updown
updown wrote: I have the same problem whenever I need to pass a specific attribute into an URL, where full TEXT support is necessary. Example:

<a href="http://myurlxxxx.com/index.php?q={TEXT}">...</a>
Is there documentation or an example anywhere that helps judge the risk of an XSS vulnerability within this kind of tag in phpBB? Since special-chars like >, & or " are being html-encoded, I've no clue where exactly the problem is. (I found nothing concrete about this by searching intensively).
Pony99CA wrote: I wondered the same thing.
Please, supporters, bring us some light and wisdom with HELPFUL explanations! That's a question a lot of people have asked all over the board, and yet no real answer at all :roll:

Re: Custom BBCodes

Posted: Sun Jul 25, 2010 6:07 pm
by Noxwizard
Yes we've tested it. That is why the BBCode token legend in the ACP tells you not to use {TEXT} inside of HTML tags. There's even a warning screen if you do try to use it in an insecure manner.
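
The rule stated in the post above (no {TEXT} inside an HTML tag) can be checked mechanically. The following is an added example, not phpBB's code or its ACP check: a small Python linter, with the hypothetical names `audit_template` and `attr_context`, that reports the HTML context each token of an HTML replacement lands in and flags {TEXT} in any attribute. The two sample templates are the ones posted in this thread.

```python
import re

TOKEN = re.compile(r"\{([A-Z_]+)\d*\}")   # {TEXT}, {TEXT1}, {SIMPLETEXT}, ...
TAG = re.compile(r"<[^<>]*>")
ATTR = re.compile(r"""([\w:-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)""")
URL_ATTRS = {"href", "src", "data", "action"}  # assumed list, extend as needed


def attr_context(name):
    """Name the parser that consumes this attribute's value."""
    name = name.lower()
    if name.startswith("on"):
        return "event-handler attribute"
    if name == "style":
        return "style attribute"
    if name in URL_ATTRS:
        return "URL attribute"
    return "plain attribute"


def audit_template(html):
    """Return (token, context, flagged) for each token in an HTML replacement."""
    findings = []
    pos = 0
    for tag in TAG.finditer(html):
        # Tokens between two tags end up in element content.
        for tok in TOKEN.finditer(html, pos, tag.start()):
            findings.append((tok.group(0), "element content", False))
        for attr in ATTR.finditer(tag.group(0)):
            for tok in TOKEN.finditer(attr.group(2)):
                # Rule from the thread: {TEXT} must not appear inside a tag.
                flagged = tok.group(1) == "TEXT"
                findings.append((tok.group(0), attr_context(attr.group(1)), flagged))
        pos = tag.end()
    for tok in TOKEN.finditer(html, pos):
        findings.append((tok.group(0), "element content", False))
    return findings


# HTML replacements quoted from posts in this thread.
SAMPLES = [
    '<span style="{TEXT1}">{TEXT2}</span>',
    '<a href="http://myurlxxxx.com/index.php?q={TEXT}">...</a>',
]

if __name__ == "__main__":
    for template in SAMPLES:
        for token, context, flagged in audit_template(template):
            print(f"{'FLAG' if flagged else 'ok  '} {token:<10} {context}")
```

Style, URL and event-handler attribute values are handed to a second parser (CSS, URL, script) after the browser decodes HTML entities, which is why the linter reports the context next to the flag.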

Re: Custom BBCodes

Posted: Sun Jul 25, 2010 6:41 pm
by Pony99CA
Noxwizard wrote: Yes we've tested it. That is why the BBCode token legend in the ACP tells you not to use {TEXT} inside of HTML tags. There's even a warning screen if you do try to use it in an insecure manner.
We know that there's a warning in both the help text and when you try to use it. What we're curious about is an actual example of a BBCode (and a use of that BBCode) that would cause an XSS -- something like the example that I posted. The tests that I've run show that "dangerous" characters are replaced with HTML entities and don't allow XSS.

Maybe I'm not crafty enough to get around that, so we want to see proof that it's a real problem, not a theoretical vulnerability. In other words, if something like:

[b]{TEXT}[/b]
properly handles attempts between start and end tags to include HTML in the {TEXT}, why wouldn't it properly handle similar things inside an HTML tag or attribute?

Steve