Topic: Small exploit in announcements.

My friend made this error on his punBB boards.
He was changing his announcements that display at the top of every page.
He included a hyperlink, but made a typographical error that looked like this:
<a href="kajsdfjsldfsd.php'>click here</a>
As you can see, the ' was used instead of the ".
I tried to change the announcement in the actual sql itself but for some reason (I haven't looked at the code too much) it wouldn't change the announcement.

What it did was alter the HTML of the entire site. Nothing showed up properly, and if I had thought about it at the time I would have taken screengrabs. It WAS at about 3:00AM. The forums were very difficult to navigate though, and it had even altered it so that he could not go into the admin options and change it.

To fix it, I had to manually go into the header.php file and throw in a str_replace around the announcement variable that changed all 's to "s.

2

Re: Small exploit in announcements.

Confirmed. What it does is cause the "<" to be read as data and not as part of a tag. The end result is none of the divs that follow are opened and closed properly.

3 (edited by Smartys 2005-06-04 10:20)

Re: Small exploit in announcements.

I tried to change the announcement in the actual sql itself but for some reason (I haven't looked at the code too much) it wouldn't change the announcement.

You had to delete the cache config file as well after doing it.

And I just tested it: I can go through admin_options to modify it just fine

Re: Small exploit in announcements.

I wouldn't call this a bug. The announcement message can contain HTML and it's up to the admin that writes it to use proper markup. There's not a lot PunBB can do about it.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

5

Re: Small exploit in announcements.

Maybe there needs to be a text change. Writing HTML could wreck things; people need to write XHTML.

Re: Small exploit in announcements.

Well, this kid knows absolutely nothing about HTML. I set the forums up for him, and he had no idea what he was doing.
You could make it so that it checks their HTML for validity.



<?php
$xml = xml_parser_create();

// The announcement text to check, e.g. the typo from the first post
$data = '<a href="kajsdfjsldfsd.php\'>click here</a>';

if (xml_parse($xml, '<post>'.$data.'</post>', TRUE)) {
    // Valid XML
    echo 'Valid XML';
} else {
    // Not valid XML
    echo 'Not valid XML';
}
xml_parser_free($xml);
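To show how that validity check could actually protect the page, here is an added example (not PunBB's code and not from any poster) that reports where the announcement's markup breaks and, if it is malformed, renders it escaped instead of as raw HTML. The function names and the `<post>` wrapper root element are my assumptions.

```php
<?php
// Added example (not PunBB code): check that an announcement is well-formed
// XHTML before storing it, and report where it breaks; if the admin's markup
// is broken, fall back to showing it escaped so it cannot alter the page layout.
function check_announcement_markup(string $announcement): array
{
    $parser = xml_parser_create();
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, 0);
    // Wrap in an assumed root element so a fragment with several tags parses.
    $ok = xml_parse($parser, '<post>' . $announcement . '</post>', true);
    $result = ['valid' => (bool) $ok, 'error' => null];
    if (!$ok) {
        $result['error'] = sprintf('%s at line %d, column %d',
            xml_error_string(xml_get_error_code($parser)),
            xml_get_current_line_number($parser),
            xml_get_current_column_number($parser));
    }
    xml_parser_free($parser);
    return $result;
}

function safe_announcement(string $announcement): string
{
    $check = check_announcement_markup($announcement);
    // Well-formed: pass the admin's markup through as PunBB does today.
    if ($check['valid']) {
        return $announcement;
    }
    // Malformed: show it as visible text rather than raw HTML so a stray
    // quote cannot swallow the rest of the page's tags.
    return htmlspecialchars($announcement, ENT_QUOTES, 'UTF-8');
}

// Constructed samples: the typo from the first post and the corrected line.
$broken = '<a href="kajsdfjsldfsd.php\'>click here</a>';
$fixed  = '<a href="kajsdfjsldfsd.php">click here</a>';

foreach ([$broken, $fixed] as $sample) {
    $check = check_announcement_markup($sample);
    echo $check['valid'] ? 'OK: ' : "INVALID ({$check['error']}): ";
    echo safe_announcement($sample), "\n";
}
```

Because this is an XML parser, entities other than XML's five predefined ones (for example `&nbsp;`) will also be reported as errors, so an admin would have to use `&#160;` or the literal character instead.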