'age' exploit
Hey,
I found something that might be an XSS exploit (didn't try it) but worth reporting. When creating a new thread in the Slave/Master Area there is an "age" input. This has the readonly attribute so you cannot edit it. But when removing this readonly attribute or directly changing the value of the input client-side it will post that value to the server without validating it. This means people are able to change their age to whatever they like and maybe even to strings instead of an integer.
Greetings, Azz
|
I'd suggest emailing this directly to depp.
|
Maybe one of you can point Depp to this thread? I've been a member for a long time but never really been active so he'll probably ignore my private message.
|
Thanks, Star Shadows
|
@Azz, false about Depp.
I reported the inappropriate ads that were on the site. (the ones that were showing full body coverage, no hiding anything) He cares about this site, and the last thing he wants is for it to be exploited and taken down by the Government for providing pornography for minors and allowing them access to explicit adult content.
|
I'm investigating this issue now. I'll have it solved tonight. I need to sober up a bit first though :)
|
Before I respond to this issue let me say that the Slave/Master posting form is not meant to be bulletproof. It's there to avoid 90% of the problems we had to deal with on a regular basis in the past.
I've investigated the problem and XSS is not possible in this instance. A knowledgeable user could game their age or change it to text but they would have to first be within the age range we allow (the form won't load if you are under 18) and their text would be properly escaped anyways (I verified this). It's also very likely someone would report them too. :)
I'll investigate a hook location for doing one last validation pass but am not super concerned about people over 18 faking their age. I originally was going to let people edit it anyways.
Also, please report vulnerabilities via PM. Posting issues that could have security ramifications here in the open forums is not cool. I know I'm not always super quick to respond but I do check my private messages for important communications.
|
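An added example, not part of the thread and not vBulletin code: one way a server-side "last validation pass" for a readonly form field could look in plain PHP. The function names, the `age` field key, the stored profile age and the upper bound of 120 are assumptions; only the minimum of 18 comes from the thread.

```php
<?php
declare(strict_types=1);

const MIN_AGE = 18;  // from the thread: the form won't load under 18
const MAX_AGE = 120; // assumed upper bound

// Hypothetical helper. $post is the raw request, which the client controls even
// when the input is readonly; $profileAge is the age the server already holds.
function resolve_thread_age(array $post, int $profileAge): array
{
    if ($profileAge < MIN_AGE) {
        return ['ok' => false, 'age' => null, 'reason' => 'profile is under the minimum age'];
    }
    $raw = $post['age'] ?? null;
    // Missing fields and array values (age[]=...) are rejected before parsing.
    $submitted = is_string($raw)
        ? filter_var($raw, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => MIN_AGE, 'max_range' => MAX_AGE]])
        : false;
    if ($submitted === false) {
        return ['ok' => false, 'age' => null, 'reason' => 'age is not an integer in the allowed range'];
    }
    if ($submitted !== $profileAge) {
        return ['ok' => false, 'age' => null, 'reason' => 'age does not match the profile'];
    }
    // Store the server-side value, never the posted string.
    return ['ok' => true, 'age' => $profileAge, 'reason' => ''];
}

// Output escaping stays in place as a second layer, as the admin describes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample requests for a user whose stored age is 27.
$samples = [
    ['age' => '27'],          // untouched readonly value
    ['age' => '19'],          // edited to another number
    ['age' => '<b>old</b>'],  // edited to text
    ['age' => ['27']],        // wrong type
    [],                       // field removed
];
foreach ($samples as $post) {
    $r = resolve_thread_age($post, 27);
    printf("%-36s %s %s\n", h((string) json_encode($post)),
        $r['ok'] ? 'accept' : 'reject', h($r['reason']));
}
```

If the age is meant to be user-editable, as the admin says was the original plan, the profile comparison can be dropped and the integer range check kept on its own.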