#3 Javascript/Mouseover security hole

Milestone: 1 Gold - SP 1.2
Status: closed-fixed
Owner: nobody
Labels: YaBBC Code (10)
Priority: 8
Updated: 2003-02-02
Created: 2003-01-30
Creator: Torsten Mrotz
Private: No

http://www.yabbforum.com/community/YaBB.pl?board=concerns;action=display;num=1043840060;start=0#5

BBC allows JS in several tags. We need to check where
this issue occurs.

Discussion

  • Torsten Mrotz
    2003-01-31

    • priority: 5 --> 8
    • status: open --> open-accepted
     
  • Torsten Mrotz
    2003-02-01

    Logged In: YES
    user_id=289236

    Seems to be only the glow and shadow tags, since a table is
    used there which causes the security flaw.

     
  • Torsten Mrotz
    2003-02-02

    Logged In: YES
    user_id=289236

    The table in the glow and shadow tags is causing the problem.
    It's the width in it, which can be anything - also code like
    onmouseover - so the HTML looks like:

    <table width=400 onmouseover='alert()' style="filter:shadow(color=#ffffff, direction=0)">

    Regex should be more like this:

    $message =~ s~\[shadow=(\S+?),(\d+),(\d+)\](.+?)\[/shadow\]~
        qq^[&table width="^ . validwidth($3) . qq^" style="filter:shadow\(color=$1, direction=$2\)"\]$4\[/\&table\]^~eisg;
    $message =~ s~\[glow=(\S+?),(\d+),(\d+)\](.+?)\[/glow\]~
        qq^[&table width="^ . validwidth($3) . qq^" style="filter:glow\(color=$1, strength=$2\)"\]$4\[/\&table\]^~eisg;

     
  • Torsten Mrotz
    2003-02-02

    • status: open-accepted --> closed-fixed
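
The fix proposed in the 2003-02-02 comment, sketched as an added example (not YaBB's own code) that puts an unchecked width field next to the digits-only, quoted and range-checked form. Assumptions: the ticket names `validwidth()` but does not show its body, so the version below, its 400 default and 800 cap, the `shadow_unchecked`/`shadow_checked` names, the pre-fix pattern, the direct `<table>` output (YaBB emits a `[&table` placeholder instead) and the stricter color pattern are all made up for this sketch.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: the ticket calls validwidth() without showing it.
# Accept only a short run of digits and clamp it; default and cap are assumed.
sub validwidth {
    my ($w) = @_;
    return 400 unless defined $w && $w =~ /\A\d{1,4}\z/;
    return $w < 1 ? 1 : $w > 800 ? 800 : $w;
}

# Assumed pre-fix behaviour: the third field is free text and is copied
# unquoted into the tag, so extra attributes ride along with the width.
sub shadow_unchecked {
    my ($message) = @_;
    $message =~ s~\[shadow=(\S+?),(\d+),(.+?)\](.+?)\[/shadow\]~<table width=$3 style="filter:shadow(color=$1, direction=$2)">$4</table>~isg;
    return $message;
}

# Hardened form following the ticket: width must be digits, goes through
# validwidth() and is emitted inside quotes. Restricting the color to a
# name or #rrggbb is extra strictness added by this sketch.
sub shadow_checked {
    my ($message) = @_;
    $message =~ s~\[shadow=(#[0-9a-f]{6}|[a-z]+),(\d+),(\d+)\](.+?)\[/shadow\]~
        qq^<table width="^ . validwidth($3)
        . qq^" style="filter:shadow(color=$1, direction=$2)">$4</table>^~eisg;
    return $message;
}

# Constructed sample posts, not taken from the forum thread.
my @posts = (
    q{[shadow=#ffffff,0,400 onmouseover='alert()']hi[/shadow]},  # width field from the ticket
    q{[shadow=red,90,2000]hi[/shadow]},                          # oversized numeric width
    q{[shadow=#ffffff,0,400]hi[/shadow]},                        # well-formed tag
);

for my $post (@posts) {
    print "input:     $post\n";
    print "unchecked: ", shadow_unchecked($post), "\n";
    print "checked:   ", shadow_checked($post), "\n\n";
}
```

A post whose width field is not purely numeric no longer matches the hardened pattern, so the tag stays as literal text and never reaches the HTML.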