Fixed Bypassing signature BB tags limit (like img, url, media, etc)

akaluth

akaluth

New member
This is the English version of my July 29’th article, which you can read in Russian here. And sorry for my awesome English.

1. Methods of BB-Tags limitation bypass:

Bypassing images limit:
Code: 
    [url=http://linktoanywhere.somewhere][img[media=youtube]123[/media]]image url[/img][/url]
    Method #1

    [url=http://linktoanywhere.somewhere][img[font=123][/font]]image url[/img][/url]
    Method #2

    [code][img]image url[/img]{/code] (replace { with [, required only there)
    Method #3

2. But how?

I think it’s because of xenforo’s bb codes parsing order. It looks like that:

  1. Counting img, url, email tags
  2. Merging count with permissions, if error - stop and write error message
  3. Removing prohibited tags (like media or font tags)
  4. Render BB to HTML
Both methods is based on xenforo BB parser, that counts tags before render:

Methods 1 and 2 is based on “breaking” tag “img” with limited “media” or “font” tags, that just will be removed before rendering (but after counting “img” tags). Third method similar, but tag content won’t get removed.

3. Ok, but how to fix it?

I’m not quite into PHP, so only jQuery fix and text description:

  1. Method one: count img, url and email tags while rendering them in html
  2. Limit images in signature via CSS
  3. Remove images and iframes from signature via jQuery: PasteBin
Originally posted in my blog

As example you can view my signature
 
I have confirmed this. It's not a security issue in parsing or anything like that. It's specific to the behavior we have with signatures where, as a convenience, we try to remove disallowed tags rather than erroring. That leads to a situation where the result parses differently; you can still only use what is allowed by BB code, which is only "safe" code. It doesn't allow any code leaking or for them to do anything they couldn't do in a post.

It does allow you to use the disallowed tags to potentially bypass that in a signature as demonstrated here. I am currently looking into a fix for the next release. If someone were to do this on your forum, it's really just them trolling and you should take moderation action just like someone bypassing the censoring rules.
 
This is fixed now for the next release (and the next 1.3 release, if deemed necessary).

It will do one pass where it strips any disabled tags. This is still done mostly to handle things like links being inserted automatically. If it detects that it stripped any code, it will do a second pass where it doesn't strip disabled tags and uses that for error detections.
 
Mike said:
This is fixed now for the next release (and the next 1.3 release, if deemed necessary).

It will do one pass where it strips any disabled tags. This is still done mostly to handle things like links being inserted automatically. If it detects that it stripped any code, it will do a second pass where it doesn't strip disabled tags and uses that for error detections.
Click to expand...
Nice, thank you!
 
Back
Top Bottom