Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
XSS
Options
-
20-03-2012 5:42pm#1
Comments
-
-
-
-
-
-
Advertisement
-
By the way - what is Boards policy on people having a hack??
Responsible disclosure is always welcome, when this came to our attention we dealt with it as a #1 priority. Speaking for myself, I'm a little concerned that it was sitting here for about 25 minutes before we noticed. There might be something else we can come up with to get this stuff to us faster, then again it could be just a case that I need to turn on instant notifications for the forum
My own personal take on stuff like this is if I look in the logs for stuff a reporter did and see things they didn't own up to, or things that were unnecessary to prove the exploit, or that they were involved in any invasion of privacy etc then at the very least they'll have a permanent site ban issued, anything else such as charges being brought against them for unauthorised access of a restricted system would be a matter for Dav and the other folks higher up.
A white hat is a good thing, a grey/black hat not so much0 -
Just to throw my two cent in here. An issue like this is probably a perfect case for sending someone from the dev team a quick PM. I know we say we ignore unsolicited PMs but we won't ignore this sort of thing. I'd prefer to get a PM about it than to have details sitting out in the open for someone dishonest to see.
As for our policy on people pen testing us, I don't have any problem with it. My philosophy on it is that every system has security vulnerabilities and if someone wants to search for them for me for free that's great, just so long as they don't impact service or invade other members privacy. I would also expect full disclosure on any issues found, preferably in private so that we can fix the issue before anyone else knows about it. Once the issue is fixed we're happy to give you your bragging rights.
Obviously enough not disclosing something, or engaging in theft of personal data is something we take very seriously. We have in the past and will in the future pursue people to the full extent of the law.
Also if we notice anything dodgy originating from your IP there's every chance we'll sin bin you for anything up to a couple of weeks. But that just keeps it interesting I suppose!0 -
Boards.ie: Paddy wrote: »Just to throw my two cent in here. An issue like this is probably a perfect case for sending someone from the dev team a quick PM. I know we say we ignore unsolicited PMs but we won't ignore this sort of thing. I'd prefer to get a PM about it than to have details sitting out in the open for someone dishonest to see.
As for our policy on people pen testing us, I don't have any problem with it. My philosophy on it is that every system has security vulnerabilities and if someone wants to search for them for me for free that's great, just so long as they don't impact service or invade other members privacy. I would also expect full disclosure on any issues found, preferably in private so that we can fix the issue before anyone else knows about it. Once the issue is fixed we're happy to give you your bragging rights.
Obviously enough not disclosing something, or engaging in theft of personal data is something we take very seriously. We have in the past and will in the future pursue people to the full extent of the law.
Also if we notice anything dodgy originating from your IP there's every chance we'll sin bin you for anything up to a couple of weeks. But that just keeps it interesting I suppose!
Yes I should have sent a PM but I though it may have gone unnoticed/ignored.
Also, just so everyone is clear. There was NO pen-test/bug hunt executed here. No vulnerability scans or undesirable traffic sent to the server. I noticed by viewing a users profile/previous post, that content in their post triggered a flaw in the search module (not on purpose by them). I tried to reproduce the bug myself, which happens was reproducible, and so reported it here.
This one had potential to be nasty. If someone visited a users tainted post history, you could have code executed on client side, and due to the nature of this one, XSS safety mechanisms in Chrome, Internet explorer, and a Firefox's add-on "no-script" didn't prevent this XSS. The XSS was generated at server side, rather than the client been tricked into submitting/clicking on XSS material. Someone could have crafted an XSS to steal your boards.ie cookie, and immediately used your logged-in session to spam or whatever they want to do. Or they could have re-directed you to another URL. You see how bad things can get with stuff like this in the wrong hands.0 -
Elizabeth Magnificent Root wrote: »Yes I should have sent a PM but I though it may have gone unnoticed/ignored.
I'll be honest, I read everything sent to my inbox A lot of it is random stuff like "Please help me do X on boards" or community issues and those get ignored. Legitimate security concerns/flaws will always be acted upon.
For the best chance of quick action in the future, make sure to send the PM to the whole tech team and not just one or two of us The tech team are Paddy, Rónán, Ciaran, Neil & myself. 0 -
-
Advertisement
-
-
-
-
-
Leave a Comment
Advertisement