#1778 html in event description

Security_Hole
closed
Craig Knudsen
Security (98)
5
2007-02-02
2006-10-08
Grant Klassen
No

In the ongoing battle against spam event entries, I've noticed that
people are able to enter HTML code in the description field even though
the system settings are set to "No" for that setting.

------------
System Settings

PROGRAM_NAME : WebCalendar v1.0.4 (07 Jun 2006)
SERVER_SOFTWARE : Apache/2.0.54 (Debian GNU/Linux) PHP/4.4.2-1.1 mod_ssl/2.0.54 OpenSSL/0.9.7e mod_webkit2/0.5
Web Browser : Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3
db_type : mysql
readonly : N
single_user : N
single_user_login :
use_http_auth : false
user_inc : user.php
LANGUAGE : English-US
demo_mode : N
require_approvals : Y
groups_enabled : N
user_sees_only_his_groups: N
categories_enabled : N
allow_conflicts : Y
conflict_repeat_months : 6
disable_priority_field : Y
disable_access_field : Y
disable_participants_field: Y
disable_repeating_field : N
allow_view_other : Y
email_fallback_from : webmaster@mennonitechurch.ca
remember_last_login : Y
allow_color_customization: Y
BGCOLOR : #FFFFFF
H2COLOR : #000000
CELLBG : #76E1C3
WEEKENDBG : #A0F0CF
TABLEBG : #000000
THBG : #FFFFFF
THFG : #000000
POPUP_FG : #000000
POPUP_BG : #FFFFFF
TODAYCELLBG : #B4FFD2
WEEK_START : 0
TIME_FORMAT : 12
DISPLAY_UNAPPROVED : N
DISPLAY_WEEKNUMBER : N
WORK_DAY_START_HOUR : 2
WORK_DAY_END_HOUR : 23
send_email : N
EMAIL_REMINDER : N
EMAIL_EVENT_ADDED : N
EMAIL_EVENT_UPDATED : N
EMAIL_EVENT_DELETED : N
EMAIL_EVENT_REJECTED : N
server_url : http://www.mennonitechurch.ca/mc-
cwebcalendar/
FONTS : Arial, Helvetica, sans-serif
STARTVIEW : month.php
DISPLAY_WEEKENDS : Y
DATE_FORMAT : __month__ __dd__, __yyyy__
DATE_FORMAT_MY : __month__ __yyyy__
DATE_FORMAT_MD : __month__ __dd__
TIME_SLOTS : 48
auto_refresh : N
auto_refresh_time : 0
public_access : Y
public_access_others : N
public_access_can_add : Y
public_access_add_needs_approval: Y
add_link_in_views : Y
allow_external_users : N
external_notifications : N
external_reminders : N
allow_conflict_override : N
limit_appts : N
nonuser_enabled : N
nonuser_at_top : N
reports_enabled : N
PUBLISH_ENABLED : N
CUSTOM_SCRIPT : N
CUSTOM_HEADER : Y
CUSTOM_TRAILER : Y
bold_days_in_year : N
DISPLAY_DESC_PRINT_DAY : N
site_extras_in_popup : Y
allow_html_description : N
TIMED_EVT_LEN : D
public_access_default_visible: Y
public_access_default_selected: Y
public_access_view_part : N
enable_gradients : Y
application_name : Webcalendar

Discussion

(Page 1 of 2)
  • Ray Jones
    2006-11-09


    Is your main trouble the html settings, or spam?

    Can you give an example of the HTML that is getting through?

    -Ray

     
  • Ray Jones
    2006-11-09

    • status: open --> pending
     
  • Grant Klassen
    2006-11-10

    • status: pending --> open
     
  • Grant Klassen
    2006-11-10


    When in "view_entry.php" the entry looks like this:

    cheap phentermine
    Description: <a href=http://cheap-phentermine-fx.blogspot.com>cheap phentermine</a> http://cheap-phentermine-fx.blogspot.com
    cheap phentermine [url=http://cheap-phentermine-fx.blogspot.com] cheap phentermine [/url]
    Date: Saturday, November 11, 2017
    Repeat Type: Saturday, November 11, 2017 - Friday, February 31, 2006 (every Month / 2nd Saturday)
    Created by: Public Access
    Updated: Friday, November 10, 2006 23:07
    Event Email: cheapphentermine@hotmail.com
    Event Website: http://cheap-phentermine-fx.blogspot.com
    Participants:

     
  • Ray Jones
    2006-11-10


    Sorry, I guess I should have asked: does the HTML stored in
    your database for this event use '<' or &lt;?

    It looks like they used html entities instead of the
    characters that we currently check.

    -Ray

     
  • Ray Jones
    2006-11-10

    • assigned_to: cknudsen --> umcesrjones
    • status: open --> pending
     
  • Grant Klassen
    2006-11-15

    • status: pending --> open
     
  • Grant Klassen
    2006-11-21


    I tested it myself to see:
    a) if someone is bypassing the conventional entry method
    or
    b) if URLs can be entered into the Description field using the conventional entry method.

    So I went to the "edit_entry.php" page, typed this into the description field:
    "This great resource <a href="http://www.mennonitechurch.ca/">MC-Canada</a> [url=http://www.mennonitechurch.ca/]MC-Canada[/url] http://www.mennonitechurch.ca/"

    I entered a couple of other bits of information into other fields and clicked "Save".

    It was accepted and displayed as an event with html in the Description field! :-(

    Grant
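
    One way to close the gap that Ray's entity hypothesis and Grant's raw-tag test together describe, as an added example that is not WebCalendar's own code: reduce entity-encoded input to plain characters before checking it, and escape the stored description on output so nothing that survives the filter renders as markup. Assumes modern PHP (5.4 or later); the sample strings are constructed.

```php
<?php
// Added example, not WebCalendar's own code: enforce allow_html_description = N
// on the description field even when the submitted text encodes its tags as
// entities (&lt;a href=...&gt;) rather than the raw '<' and '>' a naive check
// looks for. Assumes PHP 5.4+ (html_entity_decode decodes numeric entities).

// Reduce the input to its plain-character form. Decoding is repeated until the
// text stops changing, so double-encoded input (&amp;lt;a&amp;gt;) also becomes
// '<a>' and cannot slip past the check.
function normalize_description($text) {
    do {
        $prev = $text;
        $text = html_entity_decode($text, ENT_QUOTES, 'UTF-8');
    } while ($text !== $prev);
    return $text;
}

// Detection: true if the normalized text still contains a tag-like construct,
// whether it was typed as '<a href=...>' directly or as entities.
function description_contains_html($text) {
    return (bool) preg_match('/<\/?[a-z!][^>]*>/i', normalize_description($text));
}

// Storage for allow_html_description = N: strip tags from the normalized text,
// then escape what remains so view_entry.php renders it literally. strip_tags
// alone is not the defence (it is lenient with malformed tags); the final
// htmlspecialchars is what guarantees nothing renders as markup.
function sanitize_description($text) {
    $plain = strip_tags(normalize_description($text));
    return htmlspecialchars($plain, ENT_QUOTES, 'UTF-8');
}

// Constructed samples in the shape of the spam quoted in this ticket.
$samples = array(
    'raw'    => '<a href=http://spam.invalid>cheap pills</a> http://spam.invalid',
    'entity' => '&lt;a href=http://spam.invalid&gt;cheap pills&lt;/a&gt;',
    'double' => '&amp;lt;a href=http://spam.invalid&amp;gt;cheap pills&amp;lt;/a&amp;gt;',
    'benign' => 'Potluck at 6 &amp; bring a dish',
);
foreach ($samples as $label => $text) {
    printf("%-6s has_html=%s stored=%s\n", $label,
        description_contains_html($text) ? 'yes' : 'no',
        sanitize_description($text));
}
```

    The three spam variants are all flagged and reduced to the bare text plus URL, while the benign entry keeps its ampersand as text.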

     
  • Craig Knudsen
    2007-01-02

    • assigned_to: umcesrjones --> cknudsen
    • status: open --> pending
     
  • Craig Knudsen
    2007-01-02


    Unfortunately, you are not the first user to encounter this problem. So, I put together a CAPTCHA add-on for WebCalendar 1.0.4. See the following URL:

    http://www.k5n.us/webcalendar.php?topic=Add-Ons

    This will create a CAPTCHA image at the bottom of the add event form when a public user is attempting to add an event.

     