Security Issue! (Read 20327 times)
Administrator
Forum Administrator
*****
Offline


Yummm

Posts: 7
Location: Modders Rile
Joined: Oct 7th, 2014
Gender: Male
Re: Security Issue!
Reply #45 - Jan 15th, 2002 at 12:52am
just trying once more to be sure...
javascript:document.write('testing')
javascript:document.write('testing')
javascript:document.write('testing')
  

The Administrator.
 
itswheelie
Senior Member
****
Offline


I love YaBB 1 Gold!

Posts: 445
Joined: May 30th, 2001
Re: Security Issue!
Reply #46 - Jan 15th, 2002 at 8:56am
Finally it all seems to be working properly on SP1 on my test board.  Nice work XXL
  
 
Brainy
Guest


Re: Security Issue!
Reply #47 - Jan 15th, 2002 at 6:21pm
We are still having image problems with ver 1.3.
It is with the (img width=80 height=40) tag.
Look at the signature for deidrep2 in the following post:

http://www.ourrecipebox.com/cgi-bin/yabb/YaBB.pl?board=Jokes&action=display&num=...
  
 
OddBall
Guest


Re: Security Issue!
Reply #48 - Jan 15th, 2002 at 11:10pm
I tried installing the SP1 security fix mod. Well of course it didn't work out of the box because I do not have a YaBBC.pl file. Reading the boards here some said it is the DoUBBC sub in Subs.pl. Well I found that sub but the lines to replace are not there.

Is there a way I can test the board and see if it is in fact vulnerable?
  
 
Administrator
Re: Security Issue!
Reply #49 - Jan 15th, 2002 at 11:22pm
Quote:
We are still having image problems with ver 1.3.
It is with the (img width=80 height=40) tag.
Look at the signature for deidrep2 in the following post:

http://www.ourrecipebox.com/cgi-bin/yabb/YaBB.pl?board=Jokes&action=display&num=...

Are you sure that she used valid images in that signature? It doesn't seem so to me...

Quote:
I tried installing the SP1 security fix mod. Well of course it didn't work out of the box because I do not have a YaBBC.pl file. Reading the boards here some said it is the DoUBBC sub in Subs.pl. Well I found that sub but the lines to replace are not there.

Is there a way I can test the board and see if it is in fact vulnerable?

Please, you have to install the proper security fix version for your board. If you don't have YaBBC.pl then you don't have YaBB 1 SP1 but YaBB 1 Gold - Release and therefore you need the GR patch!
  

The Administrator.
 
Administrator
Re: Security Issue!
Reply #50 - Jan 16th, 2002 at 1:58am
Hm, I checked it and indeed, there was a problem with images which have a custom size. I fixed it in v1.4 Wink
  

The Administrator.
 
OddBall
New Member
*
Offline


Wanna see my kernel?

Posts: 1
Joined: Jan 15th, 2002
Gender: Male
Re: Security Issue!
Reply #51 - Jan 16th, 2002 at 8:51pm

Quote:
Please, you have to install the proper security fix version for your board. If you don't have YaBBC.pl then you don't have YaBB 1 SP1 but YaBB 1 Gold - Release and therefore you need the GR patch!


Hehe... Now I feel stupid don't I.... was thinking GR stood for German .... Smiley

Thanks
  
 
tbird
Guest


Re: Security Issue!
Reply #52 - Jan 25th, 2002 at 4:05am
I moderate an automotive board and something occurred to me.....

Why not just use the text filter to remove the string j a v a s c r i p t and also the charstring  '& #' (without the space).  That's what I'm proposing to the admin.  As I said it's an automotive board and we don't need html or any sort of other code fragments in the messages....

Will that work for us?
  
 
atosch
Junior Member
**
Offline


I love YaBB 1 Gold!

Posts: 92
Joined: Sep 25th, 2001
Re: Security Issue!
Reply #53 - Jan 25th, 2002 at 8:58am
Quote:
No, the problem is that it is not possible to detect if the source contains "javascript" or not. The problem is that instead of "javascript" someone can write "javascript" (note the ascii char). Instead of replacing the "i" you could replace any or even multiple. There are so many combinations that a detection of the word "javascript" is almost impossible. So the only way is to make any occurrence of it useless by putting http://
As I said above, I don't see any other way to fix it more easily.
  



 
Administrator
Re: Security Issue!
Reply #54 - Jan 25th, 2002 at 7:49pm
You have to consider that there are urls containing '&'! The way my fix does it works good so why try something else? Smiley
  

The Administrator.
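
An added example, not part of the thread and not YaBB's own code, illustrating the exchange in replies #52 to #54: deleting the literal word "javascript" misses spellings that use character references, while prefixing http:// to anything without an allowed scheme leaves ordinary URLs containing '&' untouched. The function names, the allow-list and the sample inputs are constructed for illustration.

```python
import html
import re

# Assumed allow-list of schemes a forum would accept in image and link tags.
ALLOWED_SCHEMES = ("http://", "https://", "ftp://")

def naive_filter(url):
    """Blacklist idea from reply #52: delete the literal word 'javascript'."""
    return re.sub("javascript", "", url, flags=re.IGNORECASE)

def browser_view(attr_value):
    """Approximate what a browser acts on: character references are decoded."""
    return html.unescape(attr_value).strip().lower()

def is_script_url(attr_value):
    """True if the decoded attribute value would be treated as a script URL."""
    return browser_view(attr_value).startswith("javascript:")

def neutralize(url):
    """Prefix approach: anything without an allowed scheme gets 'http://' in
    front, so it can only ever be fetched as a (possibly broken) web address."""
    url = url.strip()
    if url.lower().startswith(ALLOWED_SCHEMES):
        return url
    return "http://" + url

# Constructed sample inputs; the payload is the harmless test string from reply #45.
SAMPLES = [
    "javascript:document.write('testing')",
    "javascr&#105;pt:document.write('testing')",
    "&#106;avascript:document.write('testing')",
    "http://example.com/pic.gif?w=80&h=40",
]

def compare(samples):
    """Return (input, still_script_after_blacklist, still_script_after_prefix)."""
    return [(s, is_script_url(naive_filter(s)), is_script_url(neutralize(s)))
            for s in samples]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```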
 
McH
Junior Member
**
Offline


Juud. 16

Posts: 60
Location: Lahti
Joined: Nov 6th, 2001
Gender: Male
Re: Security Issue!
Reply #55 - Feb 4th, 2002 at 5:09pm
Check this out: http://www.jovinet.net/McH/YaBB_bug.jpg

Sad There is a big bug! I can run code from the message form.

I don't have any idea for a fix.

I am sorry for my bad English.  Embarrassed
  
 
Administrator
Re: Security Issue!
Reply #56 - Feb 4th, 2002 at 5:37pm
Hm, you're right, this is a bug; however, it doesn't influence the board security. All that happens is that it messes up the post preview page...
  

The Administrator.
 
McH
Re: Security Issue!
Reply #57 - Feb 4th, 2002 at 9:30pm
Are you sure?

If you are right, I am sorry for posting this to the wrong topic...
  
 
Administrator
Re: Security Issue!
Reply #58 - Feb 5th, 2002 at 3:04pm
anyway, thx for bug hunting Smiley
  

The Administrator.
 
DanX vs SoNiC
God Member
*****
Offline


TOTTENHAM HOTSPURS FOREVER!!!

Posts: 1675
Location: Scarborough
Joined: Sep 4th, 2001
Gender: Male
Re: Security Issue!
Reply #59 - Feb 5th, 2002 at 4:23pm
Quote:
anyway, thx for bug hunting Smiley

Is there a bug fix or are you not bothering???
  

Email "The User Formally Known As Sonic : mail@danscotson.co.uk
 