2014-08-30, 04:48 PM
2014-08-31, 12:26 AM
It actually doesn't, HTML gets parsed out before the MyCode is parsed (class_parser.php ln 133-147 and 177) making the output this:
<i class="fa fa-exclamation-triangle"><script>alert("Evil code goes here...");</script><i class="fa fa-exclamation-triangle"></i>
That said, plugins that use the parse_message_end hook and a (.*?) can result in problems.
2014-08-31, 08:55 AM
Oh, thanks for that. Nevertheless the following should work
[icon]exclamation-triangle" onload="alert('Evil code goes here...');[/icon]
which would produce:
<i class="fa fa-exclamation-triangle" onload="alert('Evil code goes here...');"></i>
2014-08-31, 09:32 AM
Nope.
<i class="fa fa-exclamation-triangle" o<strong></strong>nload="alert('Evil code goes here...');"></i>
2014-08-31, 10:11 AM
Oh O.O? IIRC the MyCode system was vulnerable to that kind of attack since long before 1.8 was in the making..
Let's see if I can break this down..
2014-08-31, 10:16 AM
I can't get on PC to look through code currently. But something seems to kind-of escape it
EDIT: a MyCode vuln was fixed in 1.6.15. Maybe this?
2014-08-31, 10:30 AM
Try:
[icon]" style="background: red; width: 1000%; height: 1000%; color: green !important;font-size:100% !important;position:absolute;top:0;left:0;float:left;">Hellow World!<[/icon]
Good enough the editor will stand out, unless you put z-index in there
The following will only work in the ACP sandbox:
[icon]"><script>
alert("Hellow World!");
</script><[/icon]
Most MyCodes are sensitive to this kind of "attacks".
@nth Not sure TBH
2014-08-31, 10:34 AM
https://github.com/mybb/mybb/blob/e74ffe...r.php#L601 class_parser.php has a function to strip most (well, probably all) javascript thingies.
2014-08-31, 10:38 AM
Users can still insert pretty much any HTML there. I'm too tired to check if that is still possible though, so don't take me for granted.
2014-08-31, 12:23 PM
Ah yeah, html works. Will look into it tomorrow though.
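
The point about `(.*?)` raised in the thread, as an added example that is not part of any post and is not MyBB's or a plugin's code: a permissive capture beside one restricted to an icon-name alphabet. The `[icon]` to `<i class="fa fa-…">` template is assumed from the outputs quoted above, and the function names are hypothetical.

```php
<?php
// Added example: stand-alone sketch, not MyBB's parser or any plugin's code.
// Assumed MyCode (inferred from the thread): [icon]NAME[/icon] -> <i class="fa fa-NAME"></i>

// Permissive form: (.*?) accepts any characters, so quotes and angle
// brackets in the tag body land inside the generated markup.
function render_icon_permissive(string $message): string
{
    return preg_replace(
        '#\[icon\](.*?)\[/icon\]#si',
        '<i class="fa fa-$1"></i>',
        $message
    ) ?? $message;
}

// Hardened form: the capture only matches lowercase/digit words joined by
// single hyphens, so anything else never matches and the tag stays literal
// text. The value is still encoded before it is placed in the attribute.
function render_icon_strict(string $message): string
{
    return preg_replace_callback(
        '#\[icon\]([a-z0-9]+(?:-[a-z0-9]+)*)\[/icon\]#i',
        static function (array $m): string {
            $name = htmlspecialchars(strtolower($m[1]), ENT_QUOTES, 'UTF-8');
            return '<i class="fa fa-' . $name . '"></i>';
        },
        $message
    ) ?? $message;
}

// Constructed inputs: a normal icon name and a shortened form of the
// style-attribute input quoted in the thread.
$samples = [
    '[icon]exclamation-triangle[/icon]',
    '[icon]" style="position:absolute;top:0;left:0;">Hello<[/icon]',
];

foreach ($samples as $s) {
    echo "input:      $s\n";
    echo "permissive: " . render_icon_permissive($s) . "\n";
    // Unmatched tags are returned untouched; escaping the rest of the
    // message is assumed to be handled by the surrounding pipeline.
    echo "strict:     " . render_icon_strict($s) . "\n\n";
}
```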