User Controls

Somehow i can't reply in my ATTN: Lanny thread.

  1. #1
    Sophie Pedophile Tech Support
    Anyway.

    So the immediate answer is that it was the extension. If you happen to have a copy of vB5 you can see where it errors out in `VB_ROOT/core/includes/class_upload.php`, line 176. But you could just pick a different extension of course, this early error-out is just there to save transferring a large file just to reject it later. The larger security approach here is that only files with appropriate extensions can be uploaded and any file with one of those extensions is flagged to be served as a static (that is directly transmitted to the client, without invoking the PHP interpreter) so even if you get some custom script uploaded it will only be transferred as a literal file without ever running on the server.

    Ooo, that's a pretty good security practice. One thing though, i did try to upload my shell with double extensions shell.php.jpg and with null characters and forbidden character inbetween which not seemed to work.

    Two things I would think a blackhat would need to look out for is a mismatch between the upload whitelist and the "serve as static list". The former is encoded in that file I mentioned before, in the `is_valid_extension` method and the latter in the .htaccess files. A dev could add something to the former but not that latter and that could be a vulnerability.

    Good thinking, this is why having sauce code is always good for finding these things out.
    Alternatively some files like javascript are transferred as statics (the server never executes them) but can still be damaging if a client loads them, it's a possible vector for XSS. You have to weasel as `
    Somehow your quote stopped mid-sentecne but yeah, i should probably familiarize myself with a bit of malicious javascript.

  2. #2
    I'm having the same problem. Oddly the page cuts out the space between lannys last post and the theme chooser.
  3. #3
    Sophie Pedophile Tech Support
    I'm having the same problem. Oddly the page cuts out the space between lannys last post and the theme chooser.

    Lanny broke the internet. Feel free to post your response in this thread in the meantime, Lan Lan can merge them later if he wants.
  4. #4
    -SpectraL coward [the spuriously bluish-lilac bushman]
    It's a token issue.
  5. #5
    It's a token issue.
    I knew, 7 hours ago, that at some point you would sound of with some obscure outdated reference to a buzzword you had read and not comprehend.
  6. #6
    Lanny Bird of Courage
    Huh, that's interesting. And by interesting I mean retarded. Apparently accounts with the superuser flag don't get their post text sanitized for markup like everyone else. What I posted was "[LESSTHAN]script src="..."[GREATERTHAN]" so when you load the page it interprets everything following it as part of a severely malformed script. Yeah, pretty dumb.

    Also lol@"token issue"
  7. #7
    Lanny Bird of Courage
    Somehow your quote stopped mid-sentecne but yeah, i should probably familiarize myself with a bit of malicious javascript.

    Alternatively some files like javascript are transferred as statics (the server never executes them) but can still be damaging if a client loads them, it's a possible vector for XSS. You have to weasel as script tag into a page somehow and that may be possible with a script hosted by me rather than remotely but I can't think of a way to do it (it's possible url construction is non-unique, I've seen that used before, like user files are hosted from `/` (if not in the actual filesystem, in the URL mapping layer) so if a user uploads like "index.html" then requests to `/index.html` could be routed to the statics first and allow for XSS. Building urls like that would be considered a fairly novice mistake but it still happens). But then maybe that's why I'm not a security professional.

    Here's the rest of what I wrote, like I said, script issue. Since the edit button is getting gobbled up by that stupid unsanitized script tag I have to unfuck it in the database itself and I'm a little to drunk to work on a production DB at the moment so I'll fix that and merge this and that thread tomorrow. Sorry for the inconvenience.
  8. #8
    Lanny Bird of Courage
    Ugh, accidentally edited OP instead of making a post. This is what I was saying about databases and drinking.
  9. #9
    Sophie Pedophile Tech Support
    Kek, this thread is fine now. Also, lol at unsanitized super user input. Thanks for the rest of the reply.
  10. #10
    Bradley Florida Man
    Attention
Jump to Top