MyBB Community Forums

Full Version: [IMG] Tag Exploit Question
I was just wondering if MyBB is vulnerable to an XSS exploit using the [IMG] tag, since I noticed the use of the editor.js JavaScript event handler to execute functions in the posting form using the rich text editor?

I was just curious to know, since I've been hacked before using a different forum software though a different circumstance.

Could you please explain your idea further?

The latest release, 1.2.12, includes post key checks which will prevent CSRF/XSRF attacks.

MyBB, standard, doesn't have any rich text / WYSIWYG editor.
And how would linking to a Javascript via an image URL actually even allow it to be executed?


And CSRF/XSRF typically can't do much damage - it just forces a user to perform an action, with or without their knowledge.
Thanks for the reply. Otherwise it's not an idea, but just a curiosity. Though I often wonder how secure using light markup language such as BBCode could be subject to injection. Nevertheless, it's good to know that MyBB is not vulnerable to most exploits out there, as you mentioned.

cheers
bbCode? I'll admit that I have "exploited" badly written bbCode regexps on some boards in the past, but MyBB's appears to be fairly restrictive on that part.

Go ahead and try it if you want.


EDIT: Oh, are you talking about some "client-side exploit" - i.e. stuffing up the JavaScript? If that's the case, you can't call it an exploit, as the "attacker" is merely screwing up his own computer.
It seems I am getting scrutinized for the question I asked. I am not questioning in a provocative manner, as you may think. Merely just curious to know, since I am not a coder. In the past, I've moderated a few boards like phpBB & PunBB, and they both got hacked. So now I am looking for another forum software, something that's more secure than what I had in the past. That is why I had asked those questions. Like to thank you though, since now, you have helped in making my decision.
Sorry if I was sounding too scrutinizing - I really don't intend that to be.

From what I've seen from phpBB and PunBB, they both use correct regexps, so "CSS injection" shouldn't be an issue. I do know of a PunBB bbCode plugin, in which the author does not use proper regexps, allowing CSS injection.

As for XSRF, PunBB checks HTTP Referrers, which is usually quite effective. Dunno if phpBB has any such protection.


However, could you explain more about this "hacking"? Neither XSS nor CSS injections should pose much of a threat.
Did the attacker break into your AdminCP? Or change some content on your site?
Quote:As for XSRF, PunBB checks HTTP Referrers, which is usually quite effective. Dunno if phpBB has any such protection.

Still as ineffective because HTTP Referrers can be faked too.
Tikitiki Wrote:
Quote:As for XSRF, PunBB checks HTTP Referrers, which is usually quite effective. Dunno if phpBB has any such protection.

Still as ineffective because HTTP Referrers can be faked too.
Generally, you wouldn't fake HTTP referrers on your own computer.
They can be faked, but the thing is, the attacker has to force you to fake them - or do you know a way to force another user to fake their referrer?
ZiNga BuRgA Wrote:
Tikitiki Wrote:
Quote:As for XSRF, PunBB checks HTTP Referrers, which is usually quite effective. Dunno if phpBB has any such protection.

Still as ineffective because HTTP Referrers can be faked too.
Generally, you wouldn't fake HTTP referrers on your own computer.
They can be faked, but the thing is, the attacker has to force you to fake them - or do you know a way to force another user to fake their referrer?

I think what Tikitiki was thinking of is for pages like "delete threads", etc., if this badly-written script checks the referrer, any knowledgeable malicious user can fake the header to get around that check.

As for the original question, if you are suggesting something like
[img]http://example.com/yourforum/moderation.php?action=deleteallthreads[/img]
the script is not exploitable in that fashion if you are running the latest version.
^ Yes, headers are very easy to fake - RefControl add-on for Firefox does it. However, the point is that it's difficult for an attacker to force you to fake the header.
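
The Referer check and the post key check discussed in this thread, compared on the [img] request from the post above, as an added example that is not part of the thread and is not MyBB's or PunBB's code. The host names, paths, the `post_key` parameter name and the HMAC construction are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

FORUM_HOST = "forum.example"             # constructed host name
SERVER_SECRET = secrets.token_bytes(32)  # per-installation secret (assumption)
SESSION = "constructed-session-id"       # the logged-in moderator's session

def make_post_key(session_id):
    """Token the forum embeds in its own forms and action links."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def referer_check(headers):
    """Accept only requests whose Referer names the forum's own host."""
    return urlparse(headers.get("Referer", "")).hostname == FORUM_HOST

def post_key_check(session_id, params):
    """Accept only requests carrying the token bound to this session."""
    supplied = params.get("post_key", "").encode()
    return hmac.compare_digest(supplied, make_post_key(session_id).encode())

def evaluate(request):
    """Verdict of each check for one state-changing request."""
    return {"referer": referer_check(request["headers"]),
            "post_key": post_key_check(request["session_id"], request["params"])}

def build_requests():
    """Constructed requests; the browser attaches the session to all of them."""
    action = {"action": "deleteallthreads"}
    return {
        # Moderator follows the forum's own link, which includes the key.
        "legitimate": {"session_id": SESSION,
                       "headers": {"Referer": f"https://{FORUM_HOST}/modcp.php"},
                       "params": {**action, "post_key": make_post_key(SESSION)}},
        # [img] URL in a post on the forum itself: Referer is the thread page.
        "img_in_forum_post": {"session_id": SESSION,
                              "headers": {"Referer": f"https://{FORUM_HOST}/showthread.php"},
                              "params": dict(action)},
        # Same URL embedded as an image on an unrelated site.
        "img_on_other_site": {"session_id": SESSION,
                              "headers": {"Referer": "https://other.example/page"},
                              "params": dict(action)},
    }

if __name__ == "__main__":
    for name, req in build_requests().items():
        print(f"{name:18} {evaluate(req)}")
```

The image embedded in a post on the forum itself arrives with the forum's own page as its Referer, so only the post key check separates it from the moderator's real click.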