Custom BBCodes [Deprecated]

Post by **Noxwizard** » Sun Jul 25, 2010 10:33 pm

You may have noticed that we try to remove or update vulnerable bbcodes as we see them. We are not in the habit of posting exploitable code, much less posting a means to exploit other boards; which is what you're wanting posted.

As for the bbcode you posted, having that TEXT field there is bad enough, having it in a style attribute is even worse.

If you're really wanting to know, then the only thing I can suggest for you is to do some research on it. Sites like OWASP and CGISecurity would be a good place to start.

If you want basic guidelines beyond what the legend says, then here are a few off the top of my head:

Don't use TEXT inside of HTML tags
Don't pass a URL straight into an iframe, object, embed, etc...
If you need the above, restrict the URL to a specific site and use the remaining tokens. For the latter two, be sure to set the parameters appropriately.

therp · Post by **therp** » Mon Jul 26, 2010 1:59 am

Hi. This is a very useful thread. 189 pages makes it hard to follow though

I'm not sure if that was addressed, or if it's doable, but Is there a BBCode to display a certain text? For example, is there a BBcode to make a button that when clicked would display a pre-set phrase, like "hello all" for example?

Thanks a lot.

tbackoff · Post by **tbackoff** » Mon Jul 26, 2010 3:05 am

BBCode usage:

Code: Select all

[phrase][/phrase]

HTML Replacement:

Code: Select all

<span>Hello World</span>

Replace "Hello World" with your text.

therp · Post by **therp** » Mon Jul 26, 2010 7:27 am

t_backoff wrote:BBCode usage:
Code: Select all
[phrase][/phrase]
HTML Replacement:
Code: Select all
<span>Hello World</span>
Replace "Hello World" with your text.

Thanks a lot t_backoff. This works nicely. I just have a couple of questions though. Is there a way to display an image on the button instead of showing "Phrase"? The second would be, when pressed during editing time, this bbcode shows as [phrase][/phrase], which might get ppl wondering what they should put in between. Is there a way to get the code to show only one, or maybe put the "Hello world" on the spot in the editor?

Again, thanks a lot for your support.

ric323 · Post by **ric323** » Mon Jul 26, 2010 8:43 am

therp wrote: Is there a way to display an image on the button instead of showing "Phrase"?

Yes, you just need to add appropriate HTML to display an image.

The second would be, when pressed during editing time, this bbcode shows as [phrase][/phrase], which might get ppl wondering what they should put in between. Is there a way to get the code to show only one, or maybe put the "Hello world" on the spot in the editor?

No. That is how bbcodes work

Rather than asking for bits and pieces, why don't you actually explain what you are trying to do?

AmigoJack · Post by **AmigoJack** » Mon Jul 26, 2010 9:48 am

Pony99CA wrote:if something like:
Code: Select all
[b]{TEXT}[/b]
properly handles attempts between start and end tags to include HTML in the {TEXT}, why wouldn't it properly handle similar things inside an HTML tag or attribute?

Because it's a difference if we have to deal with a random text inside of a HTML-tag

Code: Select all

<a href="javascript:alert('hi');">foo</a>

or with a random text outside of the HTML-tag (which is the tag's value/content)

Code: Select all

<a href="#">javascript:alert('hi');</a>

The warning is not theoretically, since it simply does not know if there might be a user lame enough considering a BBcode replacement like

Code: Select all

<a onmouseover="{TEXT1}">{TEXT2}</a>

because this would definitly allow execution of (at least) javascript.

updown · Post by **updown** » Mon Jul 26, 2010 10:10 am

Noxwizard wrote:If you're really wanting to know, then the only thing I can suggest for you is to do some research on it. Sites like OWASP and CGISecurity would be a good place to start.

Thanks! I understand your general position and the security-policy of phpBB.com. The problem is, that I HAVE TO use {TEXT} inside BBCode-Tags - there is no way around. Also, I have to use direct URLs with iframe etc, as you have pointed out. All my research came to known XSS-Entries referenced to http://ha.ckers.org/xss.html - which are all NOT possible within the phpBB-environment with {TEXT} or {URL}. Either with encryption or other encoding tricks I've read about.

Now I am a sitting duck. I MUST use these "insecure" BBCodes, with no idea WHERE the risk is. I have no possibilities to filter input individually when I get no advice what to look for.

So again, PLEASE, give me advice WHERE the problem is here

AmigoJack wrote:The warning is not theoretically, since it simply does not know if there might be a user lame enough considering a BBcode replacement like
Code: Select all
<a onmouseover="{TEXT1}">{TEXT2}</a>
because this would definitly allow execution of (at least) javascript.

That is clear - I totally agree that this case IS a problem. But I can't see any problem here, although it is pointed out from the supporters that this IS a problem:

Code: Select all

<a href="http://myurlxxxx.com/index.php?q={TEXT}">...</a>

Pony99CA · Post by **Pony99CA** » Tue Jul 27, 2010 10:24 am

AmigoJack wrote:
Pony99CA wrote:if something like:
Code: Select all
[b]{TEXT}[/b]
properly handles attempts between start and end tags to include HTML in the {TEXT}, why wouldn't it properly handle similar things inside an HTML tag or attribute?
Because it's a difference if we have to deal with a random text inside of a HTML-tag
Code: Select all
<a href="javascript:alert('hi');">foo</a>
or with a random text outside of the HTML-tag (which is the tag's value/content)
Code: Select all
<a href="#">javascript:alert('hi');</a>

Yes, I know that the parsing is different, but it's not "random" text. The text contains "javascript:" in it. Why can't phpBB call a "sanitize" function on {TEXT} used inside HTML tags? Is sanitizing a string that difficult? It's done to prevent SQL injection and HTML injection in phpBB already.

Alternatively, if you want to allow that, require specifying a group that is allowed to use custom BBCodes. Most BBCodes could be used by Registered Users, but maybe some would only be available to Administrators.

AmigoJack wrote:The warning is not theoretically, since it simply does not know if there might be a user lame enough considering a BBcode replacement like
Code: Select all
<a onmouseover="{TEXT1}">{TEXT2}</a>
because this would definitly allow execution of (at least) javascript.

That's true. I've written an XSS demonstration post at my site (it doesn't really allow XSS; it just shows how it could be done).

Steve

spacemonkiee · Post by **spacemonkiee** » Tue Jul 27, 2010 6:07 pm

Does anyone know the BBCode to embed a video clip from http://video.msn.com? I've searched the thread but haven't been able to find anything that can help.

Its for the clip: http://video.msn.com/?mkt=en-US&from=sp ... b450462d2f

If that helps.

updown · Post by **updown** » Tue Jul 27, 2010 7:31 pm

Pony99CA wrote:Why can't phpBB call a "sanitize" function on {TEXT} used inside HTML tags? Is sanitizing a string that difficult? It's done to prevent SQL injection and HTML injection in phpBB already.

I understand that XSS is not ever that simple as in these examples. There are a lot of known and still unknown vectors for breaking-up tags or injecting code otherwise, so an "ultimate" function for sanitizing code is never as good as a total warning (concerning different browser-types also complicates this).

BUT: There should be some support to help skilled admins for writing their own routines if they know what they do. The actual (dis-)information in the name of security is crap. BBCode has been invented to allow secure inputs on userside. Many BBCodes can't be used without {TEXT}, but we are told to limit this down. WHY? Because we are told to do so. What can we do about in special cases? Nothing or ignoring. Can we ignore it without knowing where the risk is? Not a good idea. Does anybody tell us where the risk is? No. Come on guys, you call this "support"? Either tell us straight what we can do alternatively, or make BBCode practical as it is meant to be. This general "You just have to believe us, since we don't give you information about possible leaks, it could be used to inject code"-policy is so totally absurd and irresponsible. I really feel pissed by this bunch of ignorance

AmigoJack · Post by **AmigoJack** » Tue Jul 27, 2010 7:56 pm

updown wrote:[...] to help skilled admins for writing their own routines if they know what they do [...]

So where's the problem? I would code my own token and run its text through a regexp pattern. Done. Or is extending phpBB beyond "skilled admins" already?

You also explained it by yourself: you cannot think of any possible intrusion. This blacklist-thinking only helps you against known holes. Strictly spoken you don't even need to know any example exploit. Think whitelist. Only allow what you know.

Showing an exploit here helps ...I might say... a handful of people. Because they're able to comprehend and write code against this. The majority of people only use phpBB (even without understanding the very basics sometimes - see the questions being opened here every day). An uncountable amount of guests sees the exploit and copies it to use it for their own advantage.

I'd publish an exploit, since I tend to say "if people don't care about the details while using something it's their own fault (aka knowledge is power)". But this is only my point of view. If the phpBB support team does not want to publish any explicit example it's their decision.

updown · Post by **updown** » Tue Jul 27, 2010 8:48 pm

AmigoJack wrote:
updown wrote:[...] to help skilled admins for writing their own routines if they know what they do [...]
So where's the problem? I would code my own token and run its text through a regexp pattern. Done. Or is extending phpBB beyond "skilled admins" already?

Of course, my boards are heavily modded with more than 200 homebrewn changes (+150 personally extended MODs and extensions not counted), tunings and optimizations, I know phpBB like my jacket and I'm aware of nearly every function and its purpose. But I am no XSS or CSRF specialist, here I need support. To run a regex is simple, but you have to know what expression to look for!

Summary: ALL possible XSS-entries that I've found DO NOT WORK within phpBB on constructions like

Code: Select all

<a href="http://myurl.com/index.php?q={TEXT}">...</a>

but some supporters keep telling me that there IS a possible injection point in SUCH A SPECIAL construction (without giving proof, of course). So here I stand begging for more information about that, or call them supporters of smattering!

edit:

I'd publish an exploit, since I tend to say "if people don't care about the details while using something it's their own fault (aka knowledge is power)". But this is only my point of view. If the phpBB support team does not want to publish any explicit example it's their decision.

Feel free to send me a PM if you or someone else found out!

Spectral · Post by **Spectral** » Fri Jul 30, 2010 10:00 pm

anyone has videoweed bbcode ?

ric323 · Post by **ric323** » Fri Jul 30, 2010 10:11 pm

Spectral wrote:anyone has videoweed bbcode ?

You'd get a much quicker response if you did a little legwork yourself.
What exactly is "videoweed"?
Do you have some suggested code to embed one on a web page?
or a link to a page showing one?

Spectral · Post by **Spectral** » Fri Jul 30, 2010 10:22 pm

http://www.videoweed.com/file/n82cy3l8rxrau

Code: Select all

<iframe width='600' height='480' frameborder='0' src='http://embed.videoweed.com/embed.php?v=n82cy3l8rxrau&width=600&height=480' scrolling='no'></iframe>

Code: Select all

[VideoWeed]id[/VideoWeed]

that may help i hope..

advertisements