Someone please flag down Gordon before he gets on the bus!!
This is good news!
Yes, it IS good news. I'm pleased to hear of it.
I would ask that other missing categories be reconsidered as well, including a Test category! As I noted in my previous post, the missing categories give the impression the company is no longer pursuing those products.
In other news, you guys are getting your knickers in a twist about all this embedded iframe and JavaScript stuff. The forum software -- like nearly all of them these days -- parses every character on output. I believe WordPress strips them out at the editor level, but much other CMS software keeps it and blocks it when the page is emitted.
In another thread (please!) try creating a hidden DIV. Bet you can't do it, but if you can, be sure to report it.
(Incidentally, the weird formatting of my message was not my doing. I just typed out the text, and the font size changes happened on their own. This editor is very buggy. Isn't Heater a JavaScript expert? Maybe he'd revise the code for a free Parallax cap.)
Gordon,
Sorry for cluttering the thread. For sure we know input will be sanitized and/or escaped before going anywhere near a DB or turning up as a posting. Question is how and how well?
Whilst I would love a Parallax cap I'm not available.
Now, the odd thing is that this edit box is cleditor, which is a WYSIWYG editor for HTML. It is not suitable for a forum post editor. http://premiumsoftware.net/cleditor/
At least not out of the box. Seems it can be customized with plugins for whatever you want to do: http://premiumsoftware.net/cleditor/bbcodedemo
So there is hope of getting quote and code buttons back fairly painlessly.
Did you mean a hidden div Hello like the ones in this post?
Gordon
All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy. All work and no play makes Jack a dull boy.
Oops, I seem to have uncovered a forum bug. You can't see my hidden divs in the post above. But if you scroll down past the end of the forum panel you will see all the text I hid in there, one character per line! Just about visible as the font is white.
Um, Heater broke the forum!!
You've demonstrated you can effectively hide DIVs in the stream of the text, where people could cram in all sorts of things. I'll leave it at that as to what all can be done with hidden DIVs. Suffice it to say, the issue could be exploited in ways that might expose us to risks. At the least, it allows spammers to abuse the forum.
I'm not a fan of a CMS that doesn't simply wash out the content before it's stored in the DB, because then there's no chance of the parser missing it. It looks like Vanilla keeps all the bad stuff in the hopes it's trapped out on output. Looks like they missed the memo that allowing DIVs with arbitrary styling is strictly verboten.
I'd recommend you start a new bug thread so Parallax is sure to see it.
And yeah, I agree, all work and no play makes Heater a mischievous boy.
You posted it as "forum rendering bug," you silly goose. Yeah, that's a by-product of accepting the DIV in the first place, but the ***MUCH*** larger issue is the forum is not blocking DIVs with arbitrary styling. I know for a fact Parallax is aware of the problem hidden DIVs can cause, as I could not use DIVs of any type in my Learn Kickstart posts (that system is based, I recall, on Drupal, a much more robust CMS). I understood their rationale, and agreed with it. They need to know about this one.
You might have missed it, but there's also a DIV you created that is not being rendered. Use your browser to search for the word you put in it. Not found. No forum software should ever do that, Blackhat here I come!
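Gordon's preferred approach above, scrubbing a post down to an allowlist before it is ever stored, as an added example written for this thread. It is not code from Vanilla, cleditor or the Parallax forum, and the tag and attribute allowlists are assumptions chosen for the demo. The point it shows: if style is never an allowed attribute and div, font, img, script and iframe are not allowed tags, a post like Heater's keeps its visible text but has nothing left to hide it with. The naive_blocklist function beside it is the weak approach, stripping only script and iframe, which lets the hidden div straight through.

```python
"""Allowlist sanitizer for forum post HTML.

Added example for this thread, not code from Vanilla, cleditor or the
Parallax forum. The allowlists below are assumptions chosen for the demo.
"""
import re
from html import escape
from html.parser import HTMLParser

# Tags a post may contain. Deliberately absent: div, span, font, style,
# script, iframe, img. With no styling hooks, nothing can be hidden.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "u", "code", "pre",
                "blockquote", "ul", "ol", "li", "a"}
# Attributes allowed per tag. "style" and "on*" handlers are never allowed.
ALLOWED_ATTRS = {"a": {"href"}}
# Tags whose text content is discarded along with the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe"}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def naive_blocklist(html: str) -> str:
    """The weak approach: strip <script>/<iframe> and hope. Hidden divs pass."""
    return re.sub(r"(?is)<(script|iframe)\b.*?</\1\s*>", "", html)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the post from scratch, emitting only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skipping = None  # tag whose content is currently being discarded

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # blocks javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_tags:
            # Close everything opened after it so the output stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    # Comments, processing instructions and declarations are dropped by default.


def sanitize(html: str) -> str:
    """Return post HTML containing only allowlisted tags and attributes."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    while parser.open_tags:  # close anything the author left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    heater = 'Did you mean a hidden div <div style="display: none;">Hello</div> like the ones in this post?'
    print("blocklist:", naive_blocklist(heater))  # div and its style survive
    print("allowlist:", sanitize(heater))         # Hello is plain visible text
```

Dropping img outright is the lazy choice made here to keep the example short; a forum that wants pictures would rehost or proxy uploads so the only image hosts in a post are its own, which is the hotlinking problem raised later in this thread. Output escaping on render is still needed on top of this, since storage-time cleaning only covers what came through the editor.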
Gordon,
Good point. Perhaps I should have shouted "WARNING GROSS SECURITY VULNERABILITY" instead.
Quite why there is a full-scale WYSIWYG HTML editor, with an optional "hack HTML directly" feature, used as an input box for forum posts is beyond me. It does not seem at all suitable.
Surely we are living in a world where people are used to BB codes, Markdown and so on.
You might have to spell out that missing div. I put 3 dodgy divs on this page and one on the bug report page. I can see them in the page source, though one is really hidden with display:none, which surprised me when it worked, and the other is hidden by virtue of having a white background.
I'll use pseudo-markup to show what I mean:
Did you mean a hidden div [div style="display: none;"]Hello[/div] like the ones in this post?
You had me at Hello. That word is not rendered, but is still processed. SEs will see it, so it's good for spamming, at the least. This should NEVER, as in N-E-V-E-R be allowed.
Someone mentioned the forum allows hot-linking graphics from other places. Know any 1px GIFs from malware sites? The combination of image hotlinking and hidden DIVs is, shall we say, not a great combination.
Yep, drag-and-drop hotlinking of arbitrary images from arbitrary sites is allowed. Say hello to my little dog Rubie.
Gordon,
Your challenge was to hide a div in a post. Being a noob at this I started with the most obvious thing I could think of, "display:none;". I was much surprised, well shocked, when that returned the div in the page source and it was hidden. "Can't be so easy, can it?" I thought.
Hot-linking YouTube videos certainly works. Seems a link to Rubie works as well.
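A moderation check for the two abuses Gordon and Heater describe above, text hidden with inline CSS and images hotlinked from arbitrary hosts, as an added example written for this page. It is not code from the Parallax forum or Vanilla; the image-host allowlist, the white page background and the sample posts are constructed assumptions. It runs over stored post HTML and returns findings a moderator (or a pre-save hook) could act on, covering more hiding tricks than the two Heater used: display:none, visibility:hidden, zero font size, zero opacity, off-screen positioning, and text coloured the same as its background.

```python
"""Moderation check for stored forum HTML.

Added example for this thread, not code from Vanilla or the Parallax forum.
Flags text hidden with inline CSS and images hotlinked from foreign hosts.
The host allowlist, page background and sample posts are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OWN_IMAGE_HOSTS = {"forums.parallax.com"}  # assumption: where own uploads live
PAGE_BACKGROUND = "#ffffff"                # assumption: posts render on white

# Inline-CSS tricks that keep text in the page but make it invisible.
HIDING_PATTERNS = [
    (re.compile(r"display\s*:\s*none", re.I), "display:none"),
    (re.compile(r"visibility\s*:\s*hidden", re.I), "visibility:hidden"),
    (re.compile(r"font-size\s*:\s*0(?:px|em|%)?\s*(?:;|$)", re.I), "zero font size"),
    (re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", re.I), "zero opacity"),
    (re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I), "off-screen position"),
]
NAMED_COLORS = {"white": "#ffffff", "black": "#000000"}


def normalize_color(value):
    """Return a colour as #rrggbb, or None if it is not a plain colour."""
    v = (value or "").strip().lower()
    if v in NAMED_COLORS:
        return NAMED_COLORS[v]
    m = re.fullmatch(r"#([0-9a-f]{3}|[0-9a-f]{6})", v)
    if m:
        h = m.group(1)
        if len(h) == 3:
            h = "".join(c * 2 for c in h)
        return "#" + h
    m = re.fullmatch(r"rgb\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)", v)
    if m:
        return "#%02x%02x%02x" % tuple(min(int(c), 255) for c in m.groups())
    return None


def parse_style(style):
    """Split 'a: b; c: d' into a dict of lower-cased properties."""
    decls = {}
    for decl in style.split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            decls[prop.strip().lower()] = val.strip()
    return decls


class PostInspector(HTMLParser):
    """Collects (tag, category, detail) findings for one post."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        for pattern, label in HIDING_PATTERNS:
            if pattern.search(style):
                self.findings.append((tag, "hidden text", label))
        decls = parse_style(style)
        # Legacy <font color=...> counts as well as CSS colour.
        fg = normalize_color(decls.get("color") or attrs.get("color"))
        bg = normalize_color(decls.get("background-color")
                             or decls.get("background") or PAGE_BACKGROUND)
        if fg is not None and fg == bg:
            self.findings.append((tag, "hidden text", "text colour matches background"))
        if tag == "img":
            host = urlparse(attrs.get("src") or "").hostname
            if host and host.lower() not in OWN_IMAGE_HOSTS:
                self.findings.append(("img", "hotlinked image", host))


def inspect_post(html):
    """Return the list of findings for one stored post."""
    parser = PostInspector()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample posts modelled on the thread; not the real forum content.
SAMPLE_POSTS = {
    "hidden_div": 'Did you mean a hidden div <div style="display: none;">Hello</div> like the ones in this post?',
    "white_on_white": '<p><span style="color:#FFF">All work and no play makes Jack a dull boy.</span></p>',
    "tracking_pixel": '<p>Say hello to my little dog.</p><img src="http://tracker.example/1px.gif" width="1" height="1">',
    "clean": '<p>Surely we are living in a world where people are used to <b>BB codes</b> and Markdown.</p>',
}

if __name__ == "__main__":
    for name, html in SAMPLE_POSTS.items():
        print(name, "->", inspect_post(html) or "ok")
```

This is a detector, not a fix: it tells you what a stored post contains, which is useful for sweeping an existing database or for a pre-save warning, but the durable answer is the allowlist approach that never stores a style attribute in the first place. Colour matching only looks at the element's own inline style against the page background, so text hidden by an ancestor's background is a gap a real deployment would want to close.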
Instead of lobbying for Robotics Forums, why not just use TAGs to help everyone locate your Robotic threads?
It may not be what y'all desire, but it will work and may actually be as good or better.
This option was mentioned earlier in the thread. As I mentioned previously, an earlier version of the forum used tags but the tags were later dropped. I recall one reason for dropping tags was not many people were using them.
Heater, I'm not just shocked, I'm gobsmacked. How's that for being British-sounding! (I plan on improving my West side accent to pass as a native.)
Loopy, see my other posts on tags. But in recap: 1) Most posters don't bother to tag; 2) On forums that rely on tagging, moderators must do the work -- these forums tend to be ad-supported and heavily SEO-optimized (or they use automatic taggers, something you DO NOT want); 3) Categorizing is for the benefit of other readers. Without some type of overall organization the forum is difficult to browse.
Finally, and speaking as a webmaster myself, from a forum owner viewpoint using just tagging allows others to set the tone, message, and brand of your site. That works for some forums, but I'm not sure it's the answer here.
Gordon,
Perhaps "shocked" is too strong. I would avoid "gobsmacked"; to me it sounds like an illiterate Essex girl. I'm old enough that I should probably say "flabbergasted". Or maybe I was just "mildly amused" at the incompetence of it all. I mean really, what I did there is the most basic simple thing.
What starts to be shocking is the realization that we have been creating forums and other such global web-based software for decades now and still the most fundamental problems with input checking, sanitizing, escaping, etc. are with us.
Never mind the fact that I have never understood the logic behind the idea that when I visit site A that I perhaps know and trust, I end up running code from sites B, C, D, E... that I know nothing about? That is all just crazy nuts.
Oddly it seems that browsers today will refuse to download data from off site locations, but still they will run JS from anywhere!
Is it so that it's actually impossible with the mess of HTML, Javascript, PHP, MySql, Unicode, and whatever else all mixed up in the pot?
Hmmn..... I must wonder what those illiterate Essex girls are like.
Heater, you have a way of wandering quite afar in your contributions. Nonetheless, I do appreciate both you and Gordon bringing up your security concerns.
I am completely gobsmacked by how invasive my purchase of an Android 4.4 smart phone is. I have managed to hang back with an old clam shell cell phone until it was decrepit. Though I absolutely love the Chinese/English dictionary app -- I have begun to think someone might actually use the phone to follow me and do harm.
I hold with the idea that the best security is not participating in things you don't understand and not providing all sorts of personal info just because the website is 'social'.
On the other hand, my Essex girl of years gone by got a degree in Mathematics and left me to become a software engineer in Germany.
Ah well.
Oh yeah, I was just reading that in China there is some legal action going on against Google, Samsung, and some others for all the spyware they put on phones.
Essex accents are way too easy. Just call everyone "Smiffy."
So I'll just use the great all-purpose idiom "blown away," which seems to fit the spirit of this security hole and the upcoming American holiday.
Final edit: I've been using this post as a testbed to see what I could sneak under the gate and luckily I haven't been able to circumvent the forum's script filter. Not to say it's impossible, but the best I could do was trigger arbitrary JavaScript when clicking "edit" on my own posts. Maybe this would apply to people quoting poisoned posts?
At any rate, in doing this investigation I found this large list of XSS techniques, some of which are laugh-out-loud funny in their deviousness.