#1778 html in event description

Security_Hole
closed
Security (98)
5
2007-02-02
2006-10-08
No

In the ongoing battle against spam event entries, I've noticed that
people are able to enter HTML code in the description field even though
the system settings are set to "No" for that setting.

------------
System Settings

PROGRAM_NAME : WebCalendar v1.0.4 (07 Jun 2006)
SERVER_SOFTWARE : Apache/2.0.54 (Debian GNU/Linux) PHP/4.4.2-1.1 mod_ssl/2.0.54 OpenSSL/0.9.7e mod_webkit2/0.5
Web Browser : Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3
db_type : mysql
readonly : N
single_user : N
single_user_login :
use_http_auth : false
user_inc : user.php
LANGUAGE : English-US
demo_mode : N
require_approvals : Y
groups_enabled : N
user_sees_only_his_groups: N
categories_enabled : N
allow_conflicts : Y
conflict_repeat_months : 6
disable_priority_field : Y
disable_access_field : Y
disable_participants_field: Y
disable_repeating_field : N
allow_view_other : Y
email_fallback_from : webmaster@mennonitechurch.ca
remember_last_login : Y
allow_color_customization: Y
BGCOLOR : #FFFFFF
H2COLOR : #000000
CELLBG : #76E1C3
WEEKENDBG : #A0F0CF
TABLEBG : #000000
THBG : #FFFFFF
THFG : #000000
POPUP_FG : #000000
POPUP_BG : #FFFFFF
TODAYCELLBG : #B4FFD2
WEEK_START : 0
TIME_FORMAT : 12
DISPLAY_UNAPPROVED : N
DISPLAY_WEEKNUMBER : N
WORK_DAY_START_HOUR : 2
WORK_DAY_END_HOUR : 23
send_email : N
EMAIL_REMINDER : N
EMAIL_EVENT_ADDED : N
EMAIL_EVENT_UPDATED : N
EMAIL_EVENT_DELETED : N
EMAIL_EVENT_REJECTED : N
server_url : http://www.mennonitechurch.ca/mc-cwebcalendar/
FONTS : Arial, Helvetica, sans-serif
STARTVIEW : month.php
DISPLAY_WEEKENDS : Y
DATE_FORMAT : __month__ __dd__, __yyyy__
DATE_FORMAT_MY : __month__ __yyyy__
DATE_FORMAT_MD : __month__ __dd__
TIME_SLOTS : 48
auto_refresh : N
auto_refresh_time : 0
public_access : Y
public_access_others : N
public_access_can_add : Y
public_access_add_needs_approval: Y
add_link_in_views : Y
allow_external_users : N
external_notifications : N
external_reminders : N
allow_conflict_override : N
limit_appts : N
nonuser_enabled : N
nonuser_at_top : N
reports_enabled : N
PUBLISH_ENABLED : N
CUSTOM_SCRIPT : N
CUSTOM_HEADER : Y
CUSTOM_TRAILER : Y
bold_days_in_year : N
DISPLAY_DESC_PRINT_DAY : N
site_extras_in_popup : Y
allow_html_description : N
TIMED_EVT_LEN : D
public_access_default_visible: Y
public_access_default_selected: Y
public_access_view_part : N
enable_gradients : Y
application_name : Webcalendar

Discussion

  • Ray Jones

    Ray Jones - 2006-11-09

    Logged In: YES
    user_id=1090373

    Is your main trouble the html settings, or spam?

    Can you give an example of the HTML that is getting through?

    -Ray

     
  • Ray Jones

    Ray Jones - 2006-11-09
    • status: open --> pending
     
  • Grant Klassen

    Grant Klassen - 2006-11-10
    • status: pending --> open
     
  • Grant Klassen

    Grant Klassen - 2006-11-10

    Logged In: YES
    user_id=913916

    When in "view_entry.php" the entry looks like this:

    cheap phentermine
    Description: <a href=http://cheap-phentermine-fx.blogspot.com>cheap phentermine</a> http://cheap-phentermine-fx.blogspot.com
    cheap phentermine [url=http://cheap-phentermine-fx.blogspot.com] cheap phentermine [/url]
    Date: Saturday, November 11, 2017
    Repeat Type: Saturday, November 11, 2017 - Friday, February 31, 2006 (every Month / 2nd Saturday)
    Created by: Public Access
    Updated: Friday, November 10, 2006 23:07
    Event Email: cheapphentermine@hotmail.com
    Event Website: http://cheap-phentermine-fx.blogspot.com
    Participants:

     
  • Ray Jones

    Ray Jones - 2006-11-10

    Logged In: YES
    user_id=1090373

    Sorry, I guess I should have asked, is the html stored in
    your database for this event use '<' or &lt; ?

    It looks like they used html entities instead of the
    characters that we currently check.

    -Ray

     
  • Ray Jones

    Ray Jones - 2006-11-10
    • assigned_to: cknudsen --> umcesrjones
    • status: open --> pending
     
  • Grant Klassen

    Grant Klassen - 2006-11-15
    • status: pending --> open
     
  • Grant Klassen

    Grant Klassen - 2006-11-21

    Logged In: YES
    user_id=913916
    Originator: YES

    I tested it myself to see:
    a) if someone is bypassing the conventional entry method
    or
    b) if URLs can be entered into the Description field using the conventional entry method.

    So I went to the "edit_entry.php" page, typed this into the description field:
    "This great resource <a href="http://www.mennonitechurch.ca/">MC-Canada</a> [url=http://www.mennonitechurch.ca/]MC-Canada[/url] http://www.mennonitechurch.ca/"

    I entered a couple of other bits of information into other fields and clicked "Save"

    It was accepted and displayed as an event with html in the Description field! :-(

    Grant

     
  • Craig Knudsen

    Craig Knudsen - 2007-01-02
    • assigned_to: umcesrjones --> cknudsen
    • status: open --> pending
     
  • Craig Knudsen

    Craig Knudsen - 2007-01-02

    Logged In: YES
    user_id=14386
    Originator: NO

    Unfortunately, you are not the first user to encounter this problem. So, I put together a CAPTCHA add-on for WebCalendar 1.0.4. See the following URL:

    http://www.k5n.us/webcalendar.php?topic=Add-Ons

    This will create a CAPTCHA image at the bottom of the add event form when a public user is attempting to add an event.
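The thread above shows two forms of the same payload reaching the description field (the literal `<a href=...>` tags Grant pasted and, per Ray's hypothesis, an entity-encoded equivalent such as `&lt;a href=...&gt;`), and a CAPTCHA only limits how often a public user can submit the form; it does not change what happens to a description once it is stored. The following is an added example, not WebCalendar's own code, written in the project's language to show why a check for the literal `<` character misses the encoded form and how the `allow_html_description` setting is better enforced on output. The function names and the three sample descriptions are constructed for this example (modelled on the spam text quoted in the ticket); `render_description` stands in for whatever the application's display code does and is an assumption, not WebCalendar's actual API.

```php
<?php
// Added example (not WebCalendar code). Contrasts an input-side check for the
// literal '<' character with output-side escaping keyed to allow_html_description.

// Constructed sample descriptions, modelled on the spam quoted in the ticket.
$samples = array(
    'raw'    => 'cheap phentermine <a href=http://cheap-phentermine-fx.blogspot.com>cheap phentermine</a>',
    'entity' => 'cheap phentermine &lt;a href=http://cheap-phentermine-fx.blogspot.com&gt;cheap phentermine&lt;/a&gt;',
    'bbcode' => 'cheap phentermine [url=http://cheap-phentermine-fx.blogspot.com]cheap phentermine[/url]',
);

// An input-side check that looks only for the literal characters. The
// entity-encoded sample passes it untouched.
function naive_contains_html($text) {
    return strpos($text, '<') !== false || strpos($text, '>') !== false;
}

// The same check after canonicalising entities first: if a filter is going to
// run on input at all, it has to run on the decoded form.
function decoded_contains_html($text) {
    return naive_contains_html(html_entity_decode($text, ENT_QUOTES));
}

// Output-side handling (assumed helper name, not WebCalendar's). What the
// browser receives is decided by the site setting, not by what the submitter
// managed to store.
function render_description($text, $allow_html) {
    if (!$allow_html) {
        // Escape everything. A literal '<' becomes '&lt;' and an already
        // encoded '&lt;' becomes '&amp;lt;', so both display as plain text
        // and neither form becomes a link or a script.
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
    // When HTML is allowed, reduce to a small tag allow-list and strip the
    // attributes that can carry script (on* handlers, javascript: URLs).
    // A regex pass like this is a minimum, not a substitute for a real
    // HTML sanitising library.
    $clean = strip_tags($text, '<a><b><i><br><p>');
    $clean = preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $clean);
    $clean = preg_replace('/(href|src)\s*=\s*(["\']?)\s*javascript:/i', '$1=$2#', $clean);
    return $clean;
}

foreach ($samples as $name => $desc) {
    printf("%-6s literal-char check: %-3s decoded check: %-3s\n",
        $name,
        naive_contains_html($desc) ? 'yes' : 'no',
        decoded_contains_html($desc) ? 'yes' : 'no');
    printf("       rendered with allow_html_description=N: %s\n",
        render_description($desc, false));
}
```

Running this shows the `raw` sample flagged by both checks, the `entity` sample flagged only after decoding, and the `bbcode` sample flagged by neither (it is only text unless something later turns `[url=...]` into markup). With `allow_html_description` set to N, all three render as inert text regardless of which check they slipped past, which is the property the site setting is meant to guarantee; the CAPTCHA add-on reduces the volume of such entries but leaves that property to the display code.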

     
  • SourceForge Robot

    • status: pending --> closed
     
  • SourceForge Robot

    Logged In: YES
    user_id=1312539
    Originator: NO

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 30 days (the time period specified by
    the administrator of this Tracker).

     
