Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

XSS

Comments

  • Closed Accounts Posts: 619 ✭✭✭Boards.ie: Paddy


    Thank you for bringing this to our attention. The problem was caused by the way posts are stored in our SOLR cluster. We have fixed the vulnerability in the search front-end as of 5.30 today. We are also working to resolve the issue with how posts are stored in SOLR to ensure we have defense in depth against this type of issue in the future. We have also reviewed all posts made since the current search system went live and have not found any instances where this injection has occurred in the past.

    Again, thank you sincerely for bringing this to our attention.


  • Closed Accounts Posts: 2,696 ✭✭✭mark renton


    Yiz need to keep an eye on that Damo fella ladz


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    No problem. Thoes couple of posts I hightlighted to you in a PM Neil I guess can be deleted to prevent others from ideas until you are sure this is covered from all angles.


  • Closed Accounts Posts: 2,696 ✭✭✭mark renton


    By the way - what is Boards policy on people having a hack??


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Not sure, but this bug was found by accident based on another users post, which was unrelated to xss on boards.ie, but yet triggered a flaw in the search module.

    There was no unwanted pentest performed.


  • Advertisement
  • Closed Accounts Posts: 3,609 ✭✭✭Boards.ie: Danny


    john47832 wrote: »
    By the way - what is Boards policy on people having a hack??

    Responsible disclosure is always welcome, when this came to our attention we dealt with it as a #1 priority. Speaking for myself, I'm a little concerned that it was sitting here for about 25 minutes before we noticed. There might be something else we can come up with to get this stuff to us faster, then again it could be just a case that I need to turn on instant notifications for the forum :)

    My own personal take on stuff like this is if I look in the logs for stuff a reporter did and see things they didn't own up to, or things that were unnecessary to prove the exploit, or that they were involved in any invasion of privacy etc then at the very least they'll have a permanent site ban issued, anything else such as charges being brought against them for unauthorised access of a restricted system would be a matter for Dav and the other folks higher up.

    A white hat is a good thing, a grey/black hat not so much


  • Closed Accounts Posts: 619 ✭✭✭Boards.ie: Paddy


    Just to throw my two cent in here. An issue like this is probably a perfect case for sending someone from the dev team a quick PM. I know we say we ignore unsolicited PMs but we won't ignore this sort of thing. I'd prefer to get a PM about it than to have details sitting out in the open for someone dishonest to see.

    As for our policy on people pen testing us, I don't have any problem with it. My philosophy on it is that every system has security vulnerabilities and if someone wants to search for them for me for free that's great, just so long as they don't impact service or invade other members privacy. I would also expect full disclosure on any issues found, preferably in private so that we can fix the issue before anyone else knows about it. Once the issue is fixed we're happy to give you your bragging rights. :)

    Obviously enough not disclosing something, or engaging in theft of personal data is something we take very seriously. We have in the past and will in the future pursue people to the full extent of the law.

    Also if we notice anything dodgy originating from your IP there's every chance we'll sin bin you for anything up to a couple of weeks. But that just keeps it interesting I suppose!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Just to throw my two cent in here. An issue like this is probably a perfect case for sending someone from the dev team a quick PM. I know we say we ignore unsolicited PMs but we won't ignore this sort of thing. I'd prefer to get a PM about it than to have details sitting out in the open for someone dishonest to see.

    As for our policy on people pen testing us, I don't have any problem with it. My philosophy on it is that every system has security vulnerabilities and if someone wants to search for them for me for free that's great, just so long as they don't impact service or invade other members privacy. I would also expect full disclosure on any issues found, preferably in private so that we can fix the issue before anyone else knows about it. Once the issue is fixed we're happy to give you your bragging rights. :)

    Obviously enough not disclosing something, or engaging in theft of personal data is something we take very seriously. We have in the past and will in the future pursue people to the full extent of the law.

    Also if we notice anything dodgy originating from your IP there's every chance we'll sin bin you for anything up to a couple of weeks. But that just keeps it interesting I suppose!

    Yes I should have sent a PM but I though it may have gone unnoticed/ignored.

    Also, just so everyone is clear. There was NO pen-test/bug hunt executed here. No vulnerability scans or undesirable traffic sent to the server. I noticed by viewing a users profile/previous post, that content in their post triggered a flaw in the search module (not on purpose by them). I tried to reproduce the bug myself, which happens was reproducible, and so reported it here.

    This one had potential to be nasty. If someone visited a users tainted post history, you could have code executed on client side, and due to the nature of this one, XSS safety mechanisms in Chrome, Internet explorer, and a Firefox's add-on "no-script" didn't prevent this XSS. The XSS was generated at server side, rather than the client been tricked into submitting/clicking on XSS material. Someone could have crafted an XSS to steal your boards.ie cookie, and immediately used your logged-in session to spam or whatever they want to do. Or they could have re-directed you to another URL. You see how bad things can get with stuff like this in the wrong hands.


  • Closed Accounts Posts: 3,609 ✭✭✭Boards.ie: Danny


    Yes I should have sent a PM but I though it may have gone unnoticed/ignored.

    I'll be honest, I read everything sent to my inbox :) A lot of it is random stuff like "Please help me do X on boards" or community issues and those get ignored. Legitimate security concerns/flaws will always be acted upon.

    For the best chance of quick action in the future, make sure to send the PM to the whole tech team and not just one or two of us :) The tech team are Paddy, Rónán, Ciaran, Neil & myself.


  • Closed Accounts Posts: 503 ✭✭✭Boards.ie: Neil


    Ditto with what Danny said, The sig is to keep away "the not important but i could probably sink a good few hours into" stuff, but everything is read :).


  • Advertisement
  • Closed Accounts Posts: 8,840 ✭✭✭Dav


    Also, I just wanna say thank you for letting us know Damo, it's hugely appreciated.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Its probably a good idea in general to use PHP functions htmlentities() and htmlspecialchars() if not already done so, therefore the posters original text is intact, however its not intercepted as the page's HTML, but rather as plain-text on the page itself.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    Its not resolved.

    Stored XSS in Boards.ie
    http://www.boards.ie/vbulletin/showthread.php?t=2056586246

    Theres also a reflected xss in site.


  • Closed Accounts Posts: 3,609 ✭✭✭Boards.ie: Danny


    900913 wrote: »
    Its not resolved.

    Stored XSS in Boards.ie
    http://www.boards.ie/vbulletin/showthread.php?t=2056586246

    Theres also a reflected xss in site.

    Hi,

    Thanks for bringing this to our attention. Can you please forward on all relevant details to us such as the post with your XSS via Private Message to the Tech Team as per the recommendations above?

    Thanks,

    Danny


  • Closed Accounts Posts: 3,609 ✭✭✭Boards.ie: Danny


    Just an update to this issue:

    We were notified of the existence of a reflected XSS vulnerability by user 900913 They also reported that the stored XSS vulnerability wasn't fully patched. Both issues were reported around 10pm on Saturday. As of yesterday morning the stored XSS issue was fixed and by yesterday evening the reflected XSS issue was patched.

    Having audited the search logs we've concluded that neither of these security holes were exploited for nefarious reasons.

    Once again we'd like to thank 900913 for responsible disclosure of this issue and assistance in its resolution, it is very much appreciated.


Leave a Comment

Rich Text Editor. To edit a paragraph's style, hit tab to get to the paragraph menu. From there you will be able to pick one style. Nothing defaults to paragraph. An inline formatting menu will show up when you select text. Hit tab to get into that menu. Some elements, such as rich link embeds, images, loading indicators, and error messages may get inserted into the editor. You may navigate to these using the arrow keys inside of the editor and delete them with the delete or backspace key.

Advertisement