MyBB Community Forums
[Security] Custom Profile Fields tutorial vulnerable to STORED XSS - Printable Version

+--- Thread: [Security] Custom Profile Fields tutorial vulnerable to STORED XSS (/thread-234648.html)



Custom Profile Fields tutorial vulnerable to STORED XSS - Noter33 - 2022-01-09

I used this tutorial for my forum in order to let users add their custom background image on their threads/posts.

The tutorial is using only a simple regex as "security".
A simple XSS bypass is just to add, next to the image source, an XSS payload like: https://i.imgur.com/ka73p3w.gif"><script>alert()</script>

The thread does not talk about any template conditionals "safety" as Omar explains here: https://community.mybb.com/thread-215732.html

I took down the custom fields from my forum, but I want somehow to get them back in a secure way. Can someone help me with that? I don't understand how I should encode the value entered by the user in the vulnerable field.

How can I encode the input?


RE: Custom Profile Fields tutorial vulnerable to STORED XSS - Crazycat - 2022-01-09

I submit a modification of the regexp in the tutorial


RE: Custom Profile Fields tutorial vulnerable to STORED XSS - Noter33 - 2022-01-09

(2022-01-09, 05:58 PM)Crazycat Wrote: I submit a modification of the regexp in the tutorial

REGEX is not XSS security; every regex you would use there is inefficient, there will always be a bypass.


RE: Custom Profile Fields tutorial vulnerable to STORED XSS - Crazycat - 2022-01-09

(2022-01-09, 06:03 PM)Noter33 Wrote:
(2022-01-09, 05:58 PM)Crazycat Wrote: I submit a modification of the regexp in the tutorial

REGEX is not XSS security; every regex you would use there is inefficient, there will always be a bypass.

The regex will validate (or refuse) the value given. That's the better way (not the best) to limit risks.
If you don't want any risk, do not allow external content or anything you cannot really trust in custom fields, or better, don't use custom fields at all.
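The two points raised in this thread, Noter33 asking how to encode the field value and Crazycat's "validate or refuse" approach, fit together as input validation followed by context-aware output encoding. The PHP below is an added example written for this thread; it is not code from the tutorial or from MyBB core, and the function names (validate_image_url, encode_for_attribute, background_attribute) and the sample inputs are constructed for illustration. It refuses anything that is not an absolute http(s) URL ending in an image extension, and then encodes the accepted value with htmlspecialchars before it is placed in a double-quoted HTML attribute, which is the step a regex alone never performs.

```php
<?php
// Added example for this thread (not tutorial or MyBB code).
// Step 1: validate, i.e. accept a narrow allowlist or refuse the value entirely.
// Step 2: encode the accepted value for the HTML attribute context it lands in.

/**
 * Return the URL unchanged when it is an absolute http(s) URL whose path ends
 * in an image extension; return null otherwise (refused, never "cleaned up").
 */
function validate_image_url(string $value): ?string
{
    $value = trim($value);
    // Length cap: a profile field should never carry kilobytes of "URL".
    if ($value === '' || strlen($value) > 512) {
        return null;
    }
    // Allow only plain URL characters. Quotes, angle brackets, parentheses,
    // whitespace and control bytes are all outside this set, so the payload
    // from the first post is refused here before parsing even starts.
    if (!preg_match('~^[A-Za-z0-9\-._:/?#@!$&*+,;=%]+$~', $value)) {
        return null;
    }
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    // Scheme allowlist: blocks javascript:, data:, vbscript: and friends.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Only common raster image extensions at the end of the path component.
    if (!preg_match('/\.(png|jpe?g|gif|webp)$/i', $parts['path'])) {
        return null;
    }
    return $value;
}

/**
 * Encode for a double-quoted HTML attribute. ENT_QUOTES covers both quote
 * styles; UTF-8 is MyBB's default charset.
 */
function encode_for_attribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * The string a template should print: a style attribute with the encoded URL,
 * or an empty string when the value was refused (no background at all).
 * The URL is left unquoted inside url() on purpose: the character allowlist
 * above excludes quotes and parentheses, so it cannot break out of url().
 */
function background_attribute(string $userValue): string
{
    $url = validate_image_url($userValue);
    if ($url === null) {
        return '';
    }
    return 'style="background-image: url(' . encode_for_attribute($url) . ')"';
}

// Constructed sample inputs; the second one is the payload from the first post.
$inputs = [
    'https://i.imgur.com/ka73p3w.gif',                           // accepted
    'https://i.imgur.com/ka73p3w.gif"><script>alert()</script>', // refused: quotes/brackets
    'javascript:alert(1)',                                       // refused: scheme
    'https://example.com/page.html',                             // refused: not an image path
    'https://example.com/pic.png?v=2',                           // accepted: path still ends in .png
];

foreach ($inputs as $input) {
    $attr = background_attribute($input);
    echo ($attr === '' ? 'refused : ' : 'accepted: ') . ($attr === '' ? $input : $attr) . "\n";
}
```

Run it with `php example.php`; only the first and last inputs produce a style attribute, the others print as refused. The design point is that validation and encoding are separate layers: the allowlist decides whether a value is stored at all, and the encoding step protects the output even if a future change to the allowlist lets something unexpected through. If the field value is printed in a different context (inside a `<script>` block, a URL parameter, or a CSS string), that context needs its own encoder, which is why a single regex at input time is not sufficient on its own.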