Vanilla XSS Vulnerability

ConnorM

Hello, I have recently discovered a vulneribility which probably affects all versions of vanilla.

You are currently unable to send IFRAME tags in messages. Yet you are able to send OBJECT tags. This can be abused and may lead to pages being redirected to other websites.

Here's an example:

Hope this gets fixed before abuse occurs.

Thanks,

ConnorM

x00

It doesn’t work cross domain in that way if you want to restrict this then you can block all object tag in htmLawed plugin.

x00

Personally I'm in favour of blocking it anyway. However i don't think they were unaware the enabled it.

ConnorM

@x00 said:
Personally I'm in favour of blocking it anyway. However i don't think they were unaware the enabled it.

Yes the OBJECT tag should be blocked by default.

x00

why not open up an issue?

https://github.com/vanillaforums/Garden/issues

x00

for html it not an issue, the only embed type allowed is flash, which does carry some risk. if you want to remove it

comment out this line

$Spec = 'object=-classid-type, -codebase; embed=type(oneof=application/x-shockwave-flash)';

and put

$Spec = '';

in the htmlawed plugin.

x00

I missed something you need to replace

'elements' => '*-applet-form-input-textarea-iframe-script-style', // object, embed allowed

with

'elements' => '*-applet-form-input-textarea-iframe-script-style-object-embed',

dneary

@x00 said:
why not open up an issue?

https://github.com/vanillaforums/Garden/issues

I did not see a link to this on the site as an issue tracker. Thanks for the info.

Dave.

peregrine

@dneary said:

I did not see a link to this on the site as an issue tracker. Thanks for the info.

Dave.

fourth item down on this page http://vanillaforums.org/docs