Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
JS injection using BBcode.
Hi everyone.
I would like to prevent you that there are some security issues allowing users to use BBCode extension. In fact, the problem is that the string is not correctly parsed when inserting images (and links), which may allows someone to add some javascript actions, flash or wathever he wants.
Here is a trivial exemple of what could be done:
[img]http://www.somewebsite.com/image.png" onload="javascript:alert('hello world')[/img]
This will show the image and display a pop-up saying 'hello world', nothing dangerous, but it could be really a big hole, allowing users to steal passwords of the others.
My suggestion, for the moment, is to disable this extension while a better parsing is founded.
Cheers,
gizmo
0
This discussion has been closed.
Comments