getDare Truth or Dare


Azz 05-11-2011 08:49 AM

'age' exploit
 
Hey,

I found something that might be an XSS exploit (didn't try it) but worth reporting. When creating a new thread in the Slave/Master Area there is an "age" input. This has the readonly attribute so you cannot edit it. But when removing this readonly attribute or directly changing the value of the input client-side, it will post that value to the server without validating it.

This means people are able to change their age to whatever they like and maybe even to strings instead of an integer.

Greetings,
Azz

Stardares 05-11-2011 09:12 AM

I'd suggest emailing this directly to depp.

Star Shadows 05-11-2011 09:33 AM

Quote:

Originally Posted by Stardares (Post 454994)
I'd suggest emailing this directly to depp.

Yea I'd suggest emailing depp to see if he can fix it

Azz 05-11-2011 11:02 AM

Maybe one of you can point Depp to this thread? I've been a member for a long time but never really been active so he'll probably ignore my private message.

Star Shadows 05-11-2011 12:38 PM

Quote:

Originally Posted by Azz (Post 455047)
Maybe one of you can point Depp to this thread? I've been a member for a long time but never really been active so he'll probably ignore my private message.

I am sure he wouldn't; he takes matters like this seriously. However, I will pass this message along for you.

Azz 05-11-2011 01:37 PM

Thanks, Star Shadows

chubbsman7 05-11-2011 01:59 PM

@Azz, false about Depp.

I reported the inappropriate ads that were on the site (the ones that were showing full body coverage, no hiding anything).

He cares about this site, and the last thing he wants is for it to be exploited and taken down by the Government for providing pornography for minors and allowing them access to explicit adult content.

depp 05-11-2011 08:35 PM

I'm investigating this issue now. I'll have it solved tonight. I need to sober up a bit first though :)

depp 05-11-2011 09:46 PM

Before I respond to this issue let me say that the Slave/Master posting form is not meant to be bulletproof. It's there to avoid 90% of the problems we had to deal with on a regular basis in the past.

I've investigated the problem and XSS is not possible in this instance. A knowledgeable user could game their age or change it to text but they would have to first be within the age range we allow (the form won't load if you are under 18) and their text would be properly escaped anyways (I verified this). It's also very likely someone would report them too. :)

I'll investigate a hook location for doing one last validation pass but am not super concerned about people over 18 faking their age. I originally was going to let people edit it anyways.

Also, please report vulnerabilities via PM. Posting issues that could have security ramifications here in the open forums is not cool. I know I'm not always super quick to respond but I do check my private messages for important communications.
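
The "one last validation pass" discussed in this thread, sketched as an added example; it is not part of any post and is not getDare's or vBulletin's code. It assumes the server keeps a date of birth on the account record; the function names, field names and sample data are hypothetical.

```python
import html
from datetime import date

MIN_AGE = 18  # the thread states the form only loads for users 18 and over


def age_on(birthdate: date, today: date) -> int:
    """Whole years between birthdate and today."""
    before_birthday = (today.month, today.day) < (birthdate.month, birthdate.day)
    return today.year - birthdate.year - before_birthday


def build_post(account: dict, form: dict, today: date) -> dict:
    """Validate a submitted thread form on the server.

    `account` is the server-side user record (assumed to hold a birthdate);
    `form` is the untrusted request body. The readonly attribute on the age
    input is only a browser hint, so form["age"] is never trusted.
    """
    real_age = age_on(account["birthdate"], today)
    if real_age < MIN_AGE:
        raise PermissionError("posting form not available")

    # A mismatch means the readonly field was edited client-side; flag it
    # for moderators, then continue with the server-side value.
    tampered = form.get("age", "") != str(real_age)

    return {
        "age": real_age,  # always the server-derived integer
        "tampered": tampered,
        # Escape user-controlled text on output (the thread says submitted
        # text is already escaped; this shows the same step explicitly).
        "title_html": html.escape(form.get("title", "")),
    }


# Constructed sample input
ACCOUNT = {"birthdate": date(1985, 3, 20)}
HONEST = {"age": "26", "title": "Looking for a task"}
EDITED = {"age": "<b>99</b>", "title": "Tom & Jerry <b>"}

if __name__ == "__main__":
    day = date(2011, 5, 11)
    print(build_post(ACCOUNT, HONEST, day))
    print(build_post(ACCOUNT, EDITED, day))
```

The edited submission still yields the stored age as an integer, with the mismatch flagged rather than saved.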


All times are GMT -7.