Thanks, I know the basics. But HOW is it even possible to break out of the tag when all special chars are html-encoded?
Noxwizard wrote: Because you can break out of any tag that uses {TEXT} and create an XSS vulnerability.
They aren't all encoded.
updown wrote: Thanks, I know the basics. But HOW is it even possible to break out of the tag when all special chars are html-encoded?
Noxwizard wrote: Because you can break out of any tag that uses {TEXT} and create an XSS vulnerability.
You have 2 options:
coxie wrote: Can anyone help me with a code to embed sopcast player, it's a peer to peer application which streams tv channels. It is possible, I am just useless with bbcode. I do understand it better now and managed to add a justin tv code ok.
Code:
[flash=400,300]http://www.justin.tv/widgets/live_embed_player.swf?channel=kastus1005[/flash]
Code:
[justintv]http://justin.tv/{SIMPLETEXT}[/justintv]
Code:
<object type="application/x-shockwave-flash" height="300" width="400" data="http://www.justin.tv/widgets/live_embed_player.swf?channel={SIMPLETEXT}"><param name="allowFullScreen" value="true" /><param name="allowScriptAccess" value="always" /><param name="allowNetworking" value="all" /><param name="movie" value="http://www.justin.tv/widgets/live_embed_player.swf" /><param name="flashvars" value="channel={SIMPLETEXT}&auto_play=false&start_volume=25" /></object>
Code:
[justintv]http://justin.tv/kastus1005[/justintv]
Sorry, I didn't understand your post. Unfortunately I can't help you on this, sopcast is not available in my country.
coxie wrote: leviatan, thanks, but I have already done Justin tv and that works fine. I need to make a custom bbcode for sopcast so I can embed that; sopcast is a different application and isn't flash.
All possible XSS entries that I've tested don't work! Obviously there might be vectors I'm not aware of, or that is just a "precaution" with a "theoretical" vulnerability. Have you or another team member already managed to include XSS code in such URL-attribute environments with {TEXT}?
Noxwizard wrote: They aren't all encoded.
updown wrote: Thanks, I know the basics. But HOW is it even possible to break out of the tag when all special chars are html-encoded?
Noxwizard wrote: Because you can break out of any tag that uses {TEXT} and create an XSS vulnerability.
I wondered the same thing. I created the following BBCode on my test board:
updown wrote: All possible XSS entries that I've tested don't work! Obviously there might be vectors I'm not aware of, or that is just a "precaution" with a "theoretical" vulnerability. Have you or another team member already managed to include XSS code in such URL-attribute environments with {TEXT}?
Code:
[xss={TEXT1}]{TEXT2}[/xss]
Code:
<span style="{TEXT1}">{TEXT2}</span>
Code:
Testing Text Security Risk:
[xss=text-decoration: underline;]Hi![/xss]
[xss=color: red;" onMouseDown="alert('You clicked the text!')]Hi![/xss]
Error #2044: Unhandled SecurityErrorEvent:. text=Error #2048: Security sandbox violation: http://g4tv.com/assets/flash/videos/vpl ... 3d12829243 cannot load data from http://ad.doubleclick.net/879366/DartSh ... eclick.net.
That image is huge, and not visible unless you browse directly to the website it is hosted on first, so they are running some sort of hotlink protection.
Mark1200 wrote: I'm looking for a BBCode:
[news]{TEXT}[/news]
HTML: Don't have!
With the code you must be able to post in this ... image!
~ Mark1200
Yes, that I mean!
ric323 wrote: That image is huge, and not visible unless you browse directly to the website it is hosted on first, so they are running some sort of hotlink protection.
Mark1200 wrote: I'm looking for a BBCode:
[news]{TEXT}[/news]
HTML: Don't have!
With the code you must be able to post in this ... image!
~ Mark1200
Do you mean you want some text to appear in a box with a custom background image?
updown wrote: I have the same problem whenever I need to pass a specific attribute into a URL, where full TEXT support is necessary. Example:
Code:
<a href="http://myurlxxxx.com/index.php?q={TEXT}">...</a>
Is there documentation or an example anywhere that helps judge the risk of an XSS vulnerability within these kinds of tags in phpBB? Since special chars like > , & or " are being html-encoded, I've no clue where exactly the problem is. (I found nothing concrete about this by searching intensively.)
Please, supporters, bring us some light and wisdom with HELPFUL explanations! That's a question a lot of people have asked all over the board, and yet no real answer at all.
Pony99CA wrote: I wondered the same thing.
We know that there's a warning in both the help text and when you try to use it. What we're curious about is an actual example of a BBCode (and a use of that BBCode) that would cause an XSS -- something like the example that I posted. The tests that I've run show that "dangerous" characters are replaced with HTML entities and don't allow XSS.
Noxwizard wrote: Yes we've tested it. That is why the BBCode token legend in the ACP tells you not to use {TEXT} inside of HTML tags. There's even a warning screen if you do try to use it in an insecure manner.
Code:
[b]{TEXT}[/b]
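
Added example (not part of any post in this thread and not phpBB code): a small Python check that reports which HTML context each {TEXT} token of a custom BBCode replacement lands in, run over the replacements posted above. It assumes the encoder rewrites only & < > and the double quote, as the posts describe, and that tokens other than {TEXT} are restricted by the board; the function names are hypothetical.

```python
import re

TOKEN = re.compile(r"\{([A-Z_]+)\d*\}")          # {TEXT}, {TEXT1}, {SIMPLETEXT}, ...
TAG = re.compile(r"<[a-zA-Z][^<>]*>")            # opening tags only
ATTR = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
URL_ATTRS = {"href", "src", "data", "action"}

def attr_context(name, prefix, quote):
    """Return (context, flagged) for a free-form token inside an attribute value.

    flagged=True: encoding & < > " alone does not contain the value, because the
    browser decodes entities before the script, CSS or URL parser sees it, or
    because the attribute can be closed without a double quote.
    """
    name = name.lower()
    if name.startswith("on"):
        return "event handler (script)", True
    if name == "style":
        return "style attribute (CSS)", True
    if name in URL_ATTRS and not prefix.strip():
        return "URL attribute, token sets the scheme", True
    if quote != '"':
        return "attribute not double-quoted", True
    return "double-quoted attribute", False

def audit(template):
    """List (token, context, flagged) for every {TEXT}/{TEXTn} in a replacement."""
    findings = []
    for tag in TAG.finditer(template):
        for m in ATTR.finditer(tag.group(0)):
            name, dq, sq, bare = m.groups()
            quote = '"' if dq is not None else "'" if sq is not None else ""
            value = dq if dq is not None else sq if sq is not None else bare
            for tok in TOKEN.finditer(value):
                if tok.group(1) == "TEXT":   # assumption: other tokens are constrained
                    ctx, flagged = attr_context(name, value[:tok.start()], quote)
                    findings.append((tok.group(0), ctx, flagged))
    for tok in TOKEN.finditer(TAG.sub("", template)):   # what remains is text content
        if tok.group(1) == "TEXT":
            findings.append((tok.group(0), "text node", False))
    return findings

if __name__ == "__main__":
    for tpl in ('<span style="{TEXT1}">{TEXT2}</span>',                      # from the thread
                '<a href="http://myurlxxxx.com/index.php?q={TEXT}">...</a>',  # from the thread
                "<a href='{TEXT}'>link</a>"):                                # constructed
        for finding in audit(tpl):
            print(tpl, "->", finding)
```

A result with flagged=False only means this check found no context problem; it is not a statement that the replacement is safe on a given board.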