Better protection against XSS


Poll: Better protection?

100% [ 4 ]
0% [ 0 ]
Total Votes : 4

Better protection against XSS

Post by Kiekeboe on December 25th 2009, 3:29 pm

Hey,

I have a Dutch forum, and there was a hacker. So I contacted him and e-mailed him some questions.
He said that he wanted to get our attention to make our forum safer. Also he said that he could execute JavaScript. So XSS will work on your forum if HTML is enabled. I learned a bit about XSS and tried it myself. And it worked. Now, it's not my goal to crack all your forums, but it actually worked to get my own password with XSS! So, isn't it an option to secure our forums better against XSS?

xxx


Last edited by Kiekeboe on December 26th 2009, 12:02 am; edited 1 time in total

Kiekeboe
Forumember

Female Posts : 250
Reputation : -1
Language : Dutch, english, german and a little bit french, guitar chords, html, a bit CSS
Location : Maastricht (Holland)

http://wolfstory.clicboard.com


Re: Better protection against XSS

Post by Sk9 on December 25th 2009, 7:04 pm

There's also someone who's been hacking into users' accounts on fujiplanet.net

Sk9
Forumember

Male Posts : 136
Reputation : 0
Language : English, Spanish, HTML
Location : Hawaii

http://fujiplanet.net


Re: Better protection against XSS

Post by Kiekeboe on December 25th 2009, 7:16 pm

I don't know who's hacking, but I do know that Forumotion needs to secure forums for this.

Kiekeboe
Forumember

Female Posts : 250
Reputation : -1
Language : Dutch, english, german and a little bit french, guitar chords, html, a bit CSS
Location : Maastricht (Holland)

http://wolfstory.clicboard.com


Re: Better protection against XSS

Post by Darren1 on December 25th 2009, 11:15 pm

It's simple java to create the codes to unlawfully gain access to certain things in people's accounts.

Could you please add a poll so that we can vote, as this is something we should have Wink

Darren1
Helper

Male Posts : 11853
Reputation : 563
Language : English


Re: Better protection against XSS

Post by Rok on December 25th 2009, 11:29 pm

Typlo recently cleared up another way to hack where a user could embed a simple script in his/her profile, and whoever he gets to view his profile, he automatically retrieves that user(s)'s account info such as the password. An old forum that I knew called TeenChill got destroyed the same way - a dumbass member named 'Oliver' PMed the owner of TeenChill, and asked him if he could please click on a link that would send the owner to a site... so, the owner clicked on the link to the site, and Oliver received the owner's account info, got into the owner's account, and deleted his forum.
The best way is to just ignore any user that gives you a link to a site and kindly asks you to click it. If there was a user on your forum who seems like a nice guy and appears to be asking if you could click on a link that's on YOUR forum, then it could still be a trick... The best way to avoid something like that is hover your cursor over any link (whether it's a link to a thread that's found on your forum or a link that links to an off-forum site), and then view the address that pops up at the bottom of the window, and check to see if the link is trusted to click on. For example, hover over this link and view the address that pops up at the bottom of the window:
Bob Marley's Music Store
As you can see, the link doesn't direct to any Bob Marley site or music site... the link is actually a link to a thread here on the support forum. See how easy it is to cover up links?

Anyway, I agree with Darren. Add a Yes / No poll so we can vote.

Rok
Energetic

Male Posts : 6823
Reputation : 231
Language : idk


Re: Better protection against XSS

Post by Kiekeboe on December 26th 2009, 12:09 am

Poll added, thanks for the info Rok!
Actually I was a member of Teenchill, but my account got 'deleted' like 10 times...

Kiekeboe
Forumember

Female Posts : 250
Reputation : -1
Language : Dutch, english, german and a little bit french, guitar chords, html, a bit CSS
Location : Maastricht (Holland)

http://wolfstory.clicboard.com


Re: Better protection against XSS

Post by Darren1 on December 26th 2009, 12:13 am

Kiekeboe, I too was a member on TeenChill, and it was Oliver who has unlawfully hacked & destroyed TC, he has also created a 'back door' so he can destroy the forum as soon as it's restored

Again, it was simple JavaScript used, with a little bit of XSS added in.

I'm voting yes Wink

Darren1
Helper

Male Posts : 11853
Reputation : 563
Language : English


Re: Better protection against XSS

Post by Kiekeboe on December 26th 2009, 12:16 am

I also voted yes (of course Rolling Eyes)
Yes, it's very strange how a bit of plain text and a bit of knowledge can destroy a whole site...
If the person who cracked TC sees this:
Beg me pardon, but you're a pathetic person...

Kiekeboe
Forumember

Female Posts : 250
Reputation : -1
Language : Dutch, english, german and a little bit french, guitar chords, html, a bit CSS
Location : Maastricht (Holland)

http://wolfstory.clicboard.com


Re: Better protection against XSS

Post by Doctor Inferno on December 26th 2009, 3:58 am

Won't disabling HTML solve the problem?

By the way, if Forumotion wants to solve this, they could let us set only the type of HTML tags we allow in posts etc.

Doctor Inferno
Active Poster

Male Posts : 1331
Reputation : 30
Language : GeekPolice
Location : Singapore

http://www.GeekPolice.net


Re: Better protection against XSS

Post by Master Marc on December 26th 2009, 4:18 am

@Doctor Inferno wrote: By the way, if Forumotion wants to solve this, they could let us set only the type of HTML tags we allow in posts etc.
This was one of my suggestions that I wanted to post, but did not have the time and I keep forgetting about it. Or, at least allow administrators alone to use html, but that will be a problem, so allowing administrators to allow only certain html codes is the best way, Very good

Master Marc
Hyperactive

Male Posts : 3661
Reputation : 46
Language : English and Spanish.


Re: Better protection against XSS

Post by Jophy on April 16th 2013, 8:33 am

Suggestion Clean up

-> Old suggestions (Please feel free to create a new thread for the garbaged old suggestions)
-> Implemented suggestions
-> Suggestions which are currently suggested (Please use the SEARCH function)
-> Suggestions which are already possible
-> Unclear Suggestions

=> Please read the guidelines for the suggestion section: http://help.forumotion.com/t93899-suggestions-for-your-forums-how-to
=> Please take a look on the frequently suggested features for your forums:
http://help.forumotion.com/t79095-frequently-requested-suggestions-for-your-forums

Locked & Garbaged

Jophy

Jophy
ForumGuru

Male Posts : 17924
Reputation : 835
Language : English
Location : Somewhere
