How exactly would it affect a regular phpBB install? Adblock Plus works off of advertisement domains and as of the latest update, shouldn't be an issue.
"It is our responsibility to protect our users, and despite the actual risk being very low, we have decided to remove the rewrite option and will accordingly release an updated version of Adblock Plus as soon as technically possible. We are doing this as a measure of precaution. There has not been any attempt of abusing the rewrite option and we will do everything we can to ensure this won’t happen."
For exactly the reasons in the description of the exploit. They demonstrated the exploit on maps.google.com -- without maps.google.com having been a knowing or willing participant -- due to the presence of code and functionality that maps.google.com was already running.
It's my understanding that all three need to be met for this to work, which is why I asked.
Please do feel free to omit the words "one of" from my sentence, and respond to that instead. Although responding even on any one of the individual points would still be productive towards building an answer for the question.
EA117 wrote: ↑Sun Apr 21, 2019 9:16 pm
So the root question, still, is whether this exploit could also be demonstrated against a site running phpBB. i.e. If instead of maps.google.com the site they wanted to target was running phpBB, what mechanisms of phpBB itself or of popular extensions might allow a successful invocation of the exploit for visitors of that site?

My approach to something like this is instead of focusing on whether it's vulnerable assume it is and how do you protect against it, or can you? The browser extension is changing the request which is completely out of the control of the site owner so you have very limited options. They mention using connect-src in the header but how practical is that on phpBB forum? Any externally loaded JS would need to be listed so it would break all existing BBCodes that utilize a js script like embedding Youtube and any extension like media embed would have to list every one. If you are using adsense?
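As an added example (not part of any post in this thread, and not phpBB code), this JavaScript audits a Content-Security-Policy value for the connect-src restriction mentioned above, including the fallback to default-src. The function names and the sample policies are assumptions constructed for illustration.

```javascript
// Added example: does a CSP value limit fetch()/XMLHttpRequest destinations?
// connect-src governs those requests; <script src> embeds fall under script-src.

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Sources that leave connection targets effectively unrestricted.
const BROAD = new Set(['*', 'http:', 'https:']);

function auditConnectSrc(header) {
  const csp = parseCsp(header);
  // connect-src falls back to default-src when it is absent.
  const governing = csp.has('connect-src') ? 'connect-src'
    : csp.has('default-src') ? 'default-src' : null;
  if (governing === null) {
    return { governing, restricted: false, external: [] };
  }
  const sources = csp.get(governing);
  const broad = sources.filter((s) => BROAD.has(s.toLowerCase()));
  // Anything that is not a quoted keyword ('self', 'none') is a third-party
  // entry that has to be listed and kept up to date by the site owner.
  const external = sources.filter(
    (s) => !s.startsWith("'") && !BROAD.has(s.toLowerCase()));
  return { governing, restricted: broad.length === 0, external };
}

// Constructed sample policies (not taken from any real site).
const SAMPLES = [
  "script-src 'self' https://www.youtube.com",
  "default-src 'self'; script-src 'self' https://www.youtube.com",
  "default-src *; connect-src 'self' https://api.example.com",
  "connect-src https:",
];
for (const policy of SAMPLES) {
  console.log(policy, '=>', JSON.stringify(auditConnectSrc(policy)));
}
```

A policy that only sets script-src leaves fetch and XHR destinations unrestricted, which is the first sample's result.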
Can't speak for older versions, but 3.0.0 or higher is not affected, as it always includes its path for redirects.
No - that's exactly the point: it was not done on maps.google.com, but instead on google.com/maps. Same domain, no different subdomain.
For you it may be normal to load all kinds of scripts (or content in general) from elsewhere - for me it is yet again amazing how often people don't even consider to not trust foreign scripts. Yes, one may say "AdBlock is the problem", but it's similar to saying "no, not AIDS is the problem - the infected people having sex is the problem" - it's true, but there's no solution in there.
AmigoJack wrote: ↑Tue Apr 23, 2019 5:20 am
For you it may be normal to load all kinds of scripts (or content in general) from elsewhere - for me it is yet again amazing how often people don't even consider to not trust foreign scripts. Yes, one may say "AdBlock is the problem", but it's similar to saying "no, not AIDS is the problem - the infected people having sex is the problem" - it's true, but there's no solution in there.

The only thing I allow on my site that is loading external scripts is adsense and the media embed plugin. Adsense is getting the boot because it's pretty much become useless for revenue over the past few years and that is not just me.
There are a lot of things that would have to come together to make this work. You would need Adblock installed and have loaded an Adblock ruleset intended to exploit it. Only sites in the ruleset would be affected.