HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla XSS Vulnerability

Hello, I have recently discovered a vulnerability which probably affects all versions of Vanilla.

You are currently unable to send IFRAME tags in messages. Yet you are able to send OBJECT tags. This can be abused and may lead to pages being redirected to other websites.

Here's an example:

Hope this gets fixed before abuse occurs.

Thanks,

ConnorM

Comments

  • x00x00 MVP
    edited May 2013

    It doesn't work cross-domain in that way. If you want to restrict this, you can block all object tags in the htmLawed plugin.

    grep is your friend.

  • Personally I'm in favour of blocking it anyway. However, I don't think they were unaware they enabled it.

    grep is your friend.

  • @x00 said:
    Personally I'm in favour of blocking it anyway. However, I don't think they were unaware they enabled it.

    Yes the OBJECT tag should be blocked by default.

  • x00x00 MVP
    edited May 2013

    For HTML it's not an issue; the only embed type allowed is Flash, which does carry some risk. If you want to remove it,

    comment out this line

    $Spec = 'object=-classid-type, -codebase; embed=type(oneof=application/x-shockwave-flash)';

    and put

    $Spec = '';

    in the htmlawed plugin.

    grep is your friend.

  • I missed something: you need to replace

    'elements' => '*-applet-form-input-textarea-iframe-script-style', // object, embed allowed

    with

    'elements' => '*-applet-form-input-textarea-iframe-script-style-object-embed',

    grep is your friend.
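    As an added example (not code from this thread or from Vanilla itself), the two htmLawed settings quoted above run side by side over a constructed message, so you can see what the permissive configuration lets through and the hardened one strips. It assumes htmLawed.php from the htmLawed library is on the include path.

```php
<?php
// Added example: compare the permissive and hardened htmLawed settings from the thread.
// Assumption: htmLawed.php (the library the Vanilla htmLawed plugin wraps) is on the include path.
require_once 'htmLawed.php';

// Constructed sample message containing the tags under discussion.
$message = '<p>Hi all</p>'
    . '<object data="http://example.invalid/x.swf" type="application/x-shockwave-flash"></object>'
    . '<embed src="http://example.invalid/y.swf" type="application/x-shockwave-flash"></embed>';

// Permissive settings as quoted in the thread: object and embed are still allowed.
$permissiveConfig = array(
    'elements' => '*-applet-form-input-textarea-iframe-script-style', // object, embed allowed
);
$permissiveSpec = 'object=-classid-type, -codebase; embed=type(oneof=application/x-shockwave-flash)';

// Hardened settings: object and embed removed from the element allowlist, spec emptied.
$hardenedConfig = array(
    'elements' => '*-applet-form-input-textarea-iframe-script-style-object-embed',
);
$hardenedSpec = '';

$before = htmLawed($message, $permissiveConfig, $permissiveSpec);
$after  = htmLawed($message, $hardenedConfig, $hardenedSpec);

echo "Permissive: $before\n";
echo "Hardened:   $after\n";

// A post-sanitization check a deployment could log on: no object/embed tag may survive.
$leaked = preg_match('/<(object|embed)\b/i', $after) === 1;
echo $leaked ? "WARNING: object/embed still present\n" : "OK: object/embed stripped\n";
```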

  • @x00 said:
    why not open up an issue?

    https://github.com/vanillaforums/Garden/issues

    I did not see a link to this on the site as an issue tracker. Thanks for the info.

    Dave.

  • @dneary said:

    I did not see a link to this on the site as an issue tracker. Thanks for the info.

    Dave.

    Fourth item down on this page: http://vanillaforums.org/docs

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
