Custom BBCodes [Deprecated]

Get help developing custom BBCodes or request one.
updown
Registered User
Posts: 542
Joined: Sat Jan 05, 2008 6:53 am

Re: Custom BBCodes

Post by updown »

Noxwizard wrote:Because you can break out of any tag that uses {TEXT} and create an XSS vulnerability.
Thanks, I know the basics. But HOW is it even possible to break out of the tag when all special chars are HTML-encoded?
coxie
Registered User
Posts: 10
Joined: Sat Jul 17, 2010 3:43 pm

Re: Custom BBCodes

Post by coxie »

Can anyone help me with a code to embed the SopCast player? It's a peer-to-peer application which streams TV channels. It is possible I am just useless with BBCode; I do understand it better now and managed to add a Justin.tv code OK.
Noxwizard
Support Team Leader
Posts: 10551
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

Re: Custom BBCodes

Post by Noxwizard »

updown wrote:
Noxwizard wrote:Because you can break out of any tag that uses {TEXT} and create an XSS vulnerability.
Thanks, I know the basics. But HOW is it even possible to break out of the tag when all special chars are HTML-encoded?
They aren't all encoded.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.
leviatan21
Registered User
Posts: 2663
Joined: Fri Aug 10, 2007 7:22 am
Location: Buenos Aires, Argentina
Name: Gabriel

Re: Custom BBCodes

Post by leviatan21 »

coxie wrote:Can anyone help me with a code to embed the SopCast player? It's a peer-to-peer application which streams TV channels. It is possible I am just useless with BBCode; I do understand it better now and managed to add a Justin.tv code OK.
You have 2 options:
1) using Flash:

Code:

[flash=400,300]http://www.justin.tv/widgets/live_embed_player.swf?channel=kastus1005[/flash]
2) Create a custom BBCode:
BBCode usage

Code:

[justintv]http://justin.tv/{SIMPLETEXT}[/justintv]
HTML replacement

Code:

<object type="application/x-shockwave-flash" height="300" width="400" data="http://www.justin.tv/widgets/live_embed_player.swf?channel={SIMPLETEXT}"><param name="allowFullScreen" value="true" /><param name="allowScriptAccess" value="always" /><param name="allowNetworking" value="all" /><param name="movie" value="http://www.justin.tv/widgets/live_embed_player.swf" /><param name="flashvars" value="channel={SIMPLETEXT}&auto_play=false&start_volume=25" /></object>
Example:

Code:

[justintv]http://justin.tv/kastus1005[/justintv]
Excuse me for my poor English, I speak Spanish. | phpBB en Español
coxie
Registered User
Posts: 10
Joined: Sat Jul 17, 2010 3:43 pm

Re: Custom BBCodes

Post by coxie »

leviatan, thanks, but I have already done Justin.tv and that works fine. I need to make a custom BBCode for SopCast so I can embed that; SopCast is a different application and isn't Flash.
leviatan21
Registered User
Posts: 2663
Joined: Fri Aug 10, 2007 7:22 am
Location: Buenos Aires, Argentina
Name: Gabriel

Re: Custom BBCodes

Post by leviatan21 »

coxie wrote:leviatan, thanks, but I have already done Justin.tv and that works fine. I need to make a custom BBCode for SopCast so I can embed that; SopCast is a different application and isn't Flash.
Sorry, I didn't understand your post; unfortunately I can't help you on this, SopCast is not available in my country :oops:
coxie
Registered User
Posts: 10
Joined: Sat Jul 17, 2010 3:43 pm

Re: Custom BBCodes

Post by coxie »

Thanks anyway, maybe someone else will be able to help, cos if you guys here can't help then what chance does a noob like me have lol
updown
Registered User
Posts: 542
Joined: Sat Jan 05, 2008 6:53 am

Re: Custom BBCodes

Post by updown »

Noxwizard wrote:
updown wrote:
Noxwizard wrote:Because you can break out of any tag that uses {TEXT} and create an XSS vulnerability.
Thanks, I know the basics. But HOW is it even possible to break out of the tag when all special chars are HTML-encoded?
They aren't all encoded.
All possible XSS entries that I've tested don't work! Obviously there might be vectors I'm not aware of, or that is just a "precaution" against a "theoretical" vulnerability. Have you or another team member already managed to include XSS code in such URL-attribute environments with {TEXT}?
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: Custom BBCodes

Post by Pony99CA »

updown wrote:All possible XSS entries that I've tested don't work! Obviously there might be vectors I'm not aware of, or that is just a "precaution" against a "theoretical" vulnerability. Have you or another team member already managed to include XSS code in such URL-attribute environments with {TEXT}?
I wondered the same thing. I created the following BBCode on my test board:

BBCode usage

Code:

[xss={TEXT1}]{TEXT2}[/xss]
HTML replacement

Code:

<span style="{TEXT1}">{TEXT2}</span>
I then tried the following text:

Code:

Testing Text Security Risk:

[xss=text-decoration: underline;]Hi![/xss]

[xss=color: red;" onMouseDown="alert('You clicked the text!')]Hi![/xss]
The first line displayed underlined text (as expected). The second line displayed red text (as expected) but did not respond to mouse clicks.

I too would be interested in seeing a real example that allowed XSS.

Steve

P.S. Why am I getting Flash 10 security errors when previewing this post?
Error #2044: Unhandled SecurityErrorEvent:. text=Error #2048: Security sandbox violation: http://g4tv.com/assets/flash/videos/vpl ... 3d12829243 cannot load data from http://ad.doubleclick.net/879366/DartSh ... eclick.net.
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
Mark1200
I've Been Banned!
Posts: 145
Joined: Mon Jul 19, 2010 9:34 am
Location: The Netherlands
Name: Mark

Re: Custom BBCodes

Post by Mark1200 »

I'm looking for a BBCode:
[news]{TEXT}[/news]
HTML: Don't have!

With the code you must be able to post in this image!

~ Mark1200
ric323
Former Team Member
Posts: 22910
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric

Re: Custom BBCodes

Post by ric323 »

Mark1200 wrote:I'm looking for a BBCode:
[news]{TEXT}[/news]
HTML: Don't have!

With the code you must be able to post in this ... image!

~ Mark1200
That image is huge, and not visible unless you browse directly to the website it is hosted on first, so they are running some sort of hotlink protection.
Do you mean you want some text to appear in a box with a custom background image?
The Knowledge Base contains solutions to many common problems!
How to fix "Doesn't have a default value" and "Incorrect string value: xxx for column 'post_text' " errors.
How to do a clean re-install of the latest phpBB3 version.
Problems with permissions? Read phpBB3 Permissions
Mark1200
I've Been Banned!
Posts: 145
Joined: Mon Jul 19, 2010 9:34 am
Location: The Netherlands
Name: Mark

Re: Custom BBCodes

Post by Mark1200 »

ric323 wrote:
Mark1200 wrote:I'm looking for a BBCode:
[news]{TEXT}[/news]
HTML: Don't have!

With the code you must be able to post in this ... image!

~ Mark1200
That image is huge, and not visible unless you browse directly to the website it is hosted on first, so they are running some sort of hotlink protection.
Do you mean you want some text to appear in a box with a custom background image?
Yes, that's what I mean!

~ Mark1200
updown
Registered User
Posts: 542
Joined: Sat Jan 05, 2008 6:53 am

Re: Custom BBCodes

Post by updown »

updown wrote:I have the same problem whenever I need to pass a specific attribute into a URL, where full TEXT support is necessary. Example:

Code:

<a href="http://myurlxxxx.com/index.php?q={TEXT}">...</a>
Is there any documentation or an example anywhere that helps in judging the risk of an XSS vulnerability within these kinds of tags in phpBB? Since special chars like >, & or " are being HTML-encoded, I've no clue where exactly the problem is. (I found nothing concrete about this by searching intensively.)
Pony99CA wrote:I wondered the same thing.
Please, supporters, bring us some light and wisdom with HELPFUL explanations! That's a question a lot of people have asked all over the board, and yet no real answer at all :roll:
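A worked illustration of the distinction behind updown's question, added here as an example and not part of the thread or of phpBB's code: an escaper that is enough for a text node ([b]{TEXT}[/b]) is not the whole story once the value lands inside an attribute, because the attribute itself (an href, a style) has its own grammar and its own quoting. The snippet assumes the board's {TEXT} escaper behaves like PHP's htmlspecialchars() with ENT_COMPAT (encoding <, >, & and " but not the single quote); that is an assumption, not something the thread confirms. It then shows the layered encoding a defender would apply to the href="...?q={TEXT}" template quoted above, and a small check that lists which suspect characters each escaper leaves untouched.

```python
import html
from urllib.parse import quote

# Added example, not phpBB code. Assumption: the board's {TEXT} escaper behaves
# like PHP htmlspecialchars() with ENT_COMPAT, i.e. it encodes < > & " but
# leaves the single quote alone.
def forum_style_escape(value: str) -> str:
    return html.escape(value, quote=False).replace('"', "&quot;")

# Escaper for a value that will sit inside a quoted HTML attribute: it encodes
# the single quote as well, so the attribute's quoting style no longer matters.
def attribute_escape(value: str) -> str:
    return html.escape(value, quote=True)

# Escaper for a value that will become one query-string parameter of a URL:
# percent-encode everything except unreserved characters, so the value cannot
# introduce a new parameter, path segment or scheme.
def query_value_escape(value: str) -> str:
    return quote(value, safe="")

# Text-node context, like the [b]{TEXT}[/b] replacement discussed in the
# thread: the forum-style escaper is sufficient because no quoting applies.
def render_bold(text: str) -> str:
    return "<b>%s</b>" % forum_style_escape(text)

# Attribute-plus-URL context, like the <a href="...?q={TEXT}"> template in the
# post above: encode for the innermost grammar first (URL query value), then
# for the grammar that wraps it (HTML attribute value).
def render_search_link(query: str) -> str:
    safe_query = attribute_escape(query_value_escape(query))
    return '<a href="http://myurlxxxx.com/index.php?q=%s">...</a>' % safe_query

# Constructed list of characters that matter in one HTML context or another.
SUSPECT_CHARS = "<>&\"' =;/"

# Which of those characters survive an escaper unchanged; this is the check
# that makes "they aren't all encoded" concrete for a given context.
def untouched_chars(escaper) -> str:
    return "".join(c for c in SUSPECT_CHARS if escaper(c) == c)

if __name__ == "__main__":
    for name, fn in [("forum_style", forum_style_escape),
                     ("attribute", attribute_escape),
                     ("query_value", query_value_escape)]:
        print("%-12s leaves untouched: %r" % (name, untouched_chars(fn)))
    print(render_bold("<i>x</i>"))
    print(render_search_link('a b&c="d"'))
```

The point of untouched_chars() is not that any particular leftover character is exploitable on its own; it is that characters which are harmless in a text node (a space, an equals sign, a semicolon, a single quote) have meaning inside a tag, so the escaper that fits one context cannot be judged by the other. For a style attribute the right control is not encoding at all but a whitelist of allowed values, which is the role phpBB's restricted tokens such as {SIMPLETEXT} (used in leviatan21's template above) play.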
Noxwizard
Support Team Leader
Posts: 10551
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

Re: Custom BBCodes

Post by Noxwizard »

Yes we've tested it. That is why the BBCode token legend in the ACP tells you not to use {TEXT} inside of HTML tags. There's even a warning screen if you do try to use it in an insecure manner.
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: Custom BBCodes

Post by Pony99CA »

Noxwizard wrote:Yes we've tested it. That is why the BBCode token legend in the ACP tells you not to use {TEXT} inside of HTML tags. There's even a warning screen if you do try to use it in an insecure manner.
We know that there's a warning in both the help text and when you try to use it. What we're curious about is an actual example of a BBCode (and a use of that BBCode) that would cause an XSS -- something like the example that I posted. The tests that I've run show that "dangerous" characters are replaced with HTML entities and don't allow XSS.

Maybe I'm not crafty enough to get around that, so we want to see proof that it's a real problem, not a theoretical vulnerability. In other words, if something like:

Code:

[b]{TEXT}[/b]
properly handles attempts between start and end tags to include HTML in the {TEXT}, why wouldn't it properly handle similar things inside an HTML tag or attribute?

Steve
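The warning screen Noxwizard refers to can be approximated with a small template check, which also answers Pony99CA's question in structural terms: the text between a start and end tag is one HTML context, and the inside of a tag is another, so a token that is safe in the first is not automatically safe in the second. The following is an added example written for this thread, not phpBB's own code (phpBB's real check may well work differently). It classifies each token in an HTML replacement by the HTML context it lands in and flags unrestricted {TEXT} tokens that sit inside a tag. It assumes that only {TEXT} is unrestricted and that tokens such as {SIMPLETEXT} carry their own character whitelist; both are assumptions, and the sample templates are the ones quoted earlier in this thread.

```python
import re

# Added example, not phpBB code. Assumption: tokens are written {NAME} or
# {NAME<n>}, and only {TEXT} is unrestricted; tokens such as {SIMPLETEXT} are
# assumed to be whitelist-restricted and therefore acceptable in an attribute.
TOKEN_RE = re.compile(r"\{([A-Z]+)(\d*)\}")
UNRESTRICTED = frozenset({"TEXT"})

# HTML replacement templates quoted in this thread.
PAGE_TEMPLATES = [
    '<span style="{TEXT1}">{TEXT2}</span>',
    '<a href="http://myurlxxxx.com/index.php?q={TEXT}">...</a>',
    '<b>{TEXT}</b>',
]

def token_contexts(template):
    """Return [(token, context)] with context 'text' (between tags),
    'attr' (inside a quoted attribute value) or 'tag' (inside a tag but
    outside any quotes)."""
    found = []
    in_tag = False
    quote_char = None
    i = 0
    while i < len(template):
        m = TOKEN_RE.match(template, i)
        if m:
            if not in_tag:
                ctx = "text"
            elif quote_char:
                ctx = "attr"
            else:
                ctx = "tag"
            found.append((m.group(0), ctx))
            i = m.end()
            continue
        ch = template[i]
        if in_tag:
            if quote_char:
                if ch == quote_char:
                    quote_char = None
            elif ch in "\"'":
                quote_char = ch
            elif ch == ">":
                in_tag = False
        elif ch == "<":
            in_tag = True
        i += 1
    return found

def unsafe_tokens(template):
    """Tokens that would be rendered inside a tag without a character whitelist."""
    return [(tok, ctx) for tok, ctx in token_contexts(template)
            if ctx != "text" and TOKEN_RE.match(tok).group(1) in UNRESTRICTED]

def lint(template):
    """'ok', or a one-line description of every unrestricted token inside a tag."""
    problems = unsafe_tokens(template)
    if not problems:
        return "ok"
    return "; ".join("%s used in %s context" % (tok, ctx) for tok, ctx in problems)

if __name__ == "__main__":
    for tpl in PAGE_TEMPLATES:
        print("%-55s -> %s" % (tpl, lint(tpl)))
```

Run against the three templates from the thread, the check passes the [b]{TEXT}[/b] replacement and flags the style and href ones, which is exactly the line the ACP legend draws. A template such as the Justin.tv object in leviatan21's post, which uses {SIMPLETEXT} inside attributes, is reported as ok under the stated assumption that restricted tokens cannot carry quoting or delimiter characters.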