
[Not a bug] User being able to exceed the Word Count Limit

faeronsayn

Well-known member
#1
One of my users was able to bypass the word count limit or character count limit of like 10,000.

I later asked him how he did it and this is what he told me:

I used the Firefox add-on Live HTTP Headers to edit the POST request and send it directly to a URL like this:
ex:
http://www.domainname.com/posts/151537/save-inline

and this is the POST request when you edit a post:

message_html=<p> This Is What My Post Will Look Like </p>
&_xfRelativeResolver=http://www.domainname.com/threads/t...2535f4533944ce01f41d81d5&_xfResponseType=json

Each post has the "save-inline" thing for editing it, so I edited mine to send a message bigger than allowed and sent the POST request directly to it. Try finding out which file it uses to do the "save-inline" function and editing it so it checks the "message_html" size.


 

Adam Howard

Well-known member
#2
Interesting...

... Do you have any other add-ons, skins, template edits, 3rd party products, or other customizations outside of the standard XenForo install?

If so, I would be interested in what they are.

What kind of setup do you have? i.e. shared web host, VPS, or dedicated? Who is your host (if you do not mind saying)?

This would be the 1st time someone has been able to script eject (sounds like what was done) into XenForo directly. You may have discovered the 1st security flaw (not through a 3rd party) and I'd like to confirm or not.
 

Chris D

XenForo developer
Staff member
#3
Hmm, that's concerning.

Stuff like this worries me somewhat.

I once worked somewhere that used a customised version of MojoPortal for its website. We paid for a penetration test and alarmingly through information passed in HTTP Headers and POST requests, they were able to write a perl script that was able to create a new user... as an admin. o_O

I fell off my chair when I found out.

Luckily for MojoPortal it was a vulnerability in the web developer's modifications rather than the core files... but yeah, it is worrying.
 

faeronsayn

Well-known member
#4
Chris D said:
    Hmm, that's concerning.

    Stuff like this worries me somewhat.

    I once worked somewhere that used a customised version of MojoPortal for its website. We paid for a penetration test and alarmingly through information passed in HTTP Headers and POST requests, they were able to write a perl script that was able to create a new user... as an admin. o_O

    I fell off my chair when I found out.

    Luckily for MojoPortal it was a vulnerability in the web developer's modifications rather than the core files... but yeah, it is worrying.

It definitely is. It's good to see that the member reported it after he tested the exploit, so hopefully this could be fixed somehow.
 

Adam Howard

Well-known member
#9
faeronsayn said:
    I have quite a few add-ons set up. I am running on a VPS server, but I am sure that is quite secure.
Do you mind sharing the list of add-ons that you have installed?

I have not yet tried doing this myself on a test site, but if I cannot do it alone with only XenForo ... That would mean it is an add-on issue and that developer would need to be made aware of the issue.

You could help us all very greatly if you could please tell us what is installed.
 

faeronsayn

Well-known member
#10
Adam Howard said:
    Do you mind sharing the list of add-ons that you have installed?

    I have not yet tried doing this myself on a test site, but if I cannot do it alone with only XenForo ... That would mean it is an add-on issue and that developer would need to be made aware of the issue.

    You could help us all very greatly if you could please tell us what is installed.
Code:
Add User Avatar to Last Post by Waindigo 1.0.5
AzuCloud 0.1.2
CCPLZ Hide Links From Guests 1.0.0
Custom BBCode Manager v1.2.1
DaTheme Advanced Styling Rules 1.0.2
Display Staff Members 1.1.2
ForumRunner for XenForo 1.1.0
Hide Ip of Super Admin 1.0
No Proxy Allowed 1.0
Online Status 1.1
ragtek First Post Moderated 1.0.0
ragtek [Planet Liebe] Automatic URL Aliases - Automatic URL conversion 1.2.3
Simple Sitemap 1.02
sonnb - Bulk impoter for smilies management 1.0.3
sonnb - Profanity Filter 1.0.2
TaigaChat 0.5.5
Tapatalk 1.1.3
Template Modification System 1.2
The Happy Place 3.0.0
Top Users 1.1.2
****** - Advanced Forum Statistics 1.2.0
XenQuotation 0.2.3
XenTrader 2.1.1
XF Arcade 0.0.8
XFA - Previous and Next thread link 1.0.0
[8wayRun.Com] XenPorta (Portal) 1.5.1
[bd] Banking 0.9.9.1
[bd] Forum Watch 0.9.6
[bd] Tag Me 1.5.5
[Ice] Shop 1.0.0
[******] Custom Node Icon 0.9
[xfr] Merge Double User Post 1.2.0
 

Jake Bunce

XenForo moderator
Staff member
#12
Has anyone here been able to reproduce the problem themselves? I have been unable to reproduce it.

The message length check is in the datawriter which is used by the saveinline action in the post controller. I examined all of the relevant code and I don't see any way to get around the check.
 
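Post #1 shows the client half of this (a POST body built by hand and sent straight to the save-inline URL) and post #12 the server half (the length check in the DataWriter that the inline-save action reaches). The following is an added example that puts both halves side by side; it is not XenForo's code. The endpoint path, the `message_html`, `_xfRelativeResolver` and `_xfResponseType` parameter names come from the request quoted in post #1; the resolver URL, the 10,000-character limit, the handler and the HTML-to-text step are assumptions made for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Assumed limit; the thread only says "like 10,000" characters.
MAX_MESSAGE_LENGTH = 10_000

# Endpoint and parameter names as quoted in post #1; the resolver URL
# below is a made-up thread URL standing in for the truncated one.
SAVE_INLINE_URL = "http://www.domainname.com/posts/151537/save-inline"
RELATIVE_RESOLVER = "http://www.domainname.com/threads/example.1/"


class _TextExtractor(HTMLParser):
    """Keeps only text nodes, so the limit applies to what the reader sees,
    not to the <p> wrapper or other markup the editor adds around it."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: "&amp;" counts as one char
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def html_to_text(message_html: str) -> str:
    parser = _TextExtractor()
    parser.feed(message_html)
    parser.close()
    return "".join(parser.parts)


def forge_save_inline_body(message_html: str) -> str:
    """Client side: what the user did with Live HTTP Headers. Nothing here
    consults the editor's counter; the body is built from whatever string
    we choose and would be POSTed straight to SAVE_INLINE_URL."""
    return urlencode({
        "message_html": message_html,
        "_xfRelativeResolver": RELATIVE_RESOLVER,
        "_xfResponseType": "json",
    })


def handle_save_inline(raw_body: str, max_length: int = MAX_MESSAGE_LENGTH) -> dict:
    """Server side: the only check that counts. Hypothetical stand-in for the
    length check XenForo performs in its DataWriter (not XenForo's code).
    Returns the JSON-style dict the client would get back."""
    params = parse_qs(raw_body, keep_blank_values=True)
    message_html = params.get("message_html", [""])[0]
    text = html_to_text(message_html)
    length = len(text)  # code points, not bytes: a multi-byte char is one char
    if length > max_length:
        return {
            "status": "error",
            "error": f"message is {length} characters; limit is {max_length}",
        }
    # A real handler would convert to BB code and save here.
    return {"status": "ok", "length": length}


if __name__ == "__main__":
    # Constructed input: one character over the limit, wrapped as the editor would.
    oversized = "<p>" + "A" * (MAX_MESSAGE_LENGTH + 1) + "</p>"
    print(handle_save_inline(forge_save_inline_body(oversized)))
    print(handle_save_inline(forge_save_inline_body("<p>Short &amp; fine</p>")))
```

The forging function never fails, whatever the editor enforces in the browser; only `handle_save_inline`, which measures what actually arrived, decides. That is the property to test when reproducing a report like this one: send the oversized body with curl or an intercepting proxy rather than through the editor, and check the stored post length afterwards.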

sonnb

Well-known member
#13
Jake Bunce said:
    Has anyone here been able to reproduce the problem themselves? I have been unable to reproduce it.

    The message length check is in the datawriter which is used by the saveinline action in the post controller. I examined all of the relevant code and I don't see any way to get around the check.

Yep, you are right. It was from DataWriter DiscussionMessage.
 

faeronsayn

Well-known member
#14
So I messaged him and told him to do it right in the conversation. Look at the scroll bar, you can see that the message is simply huge.

[Attachment: Proof.PNG]
 
#18
I always wonder why these threads stay public as it simply opens up the possibility that good hackers will now have a starting point that they may have never discovered. Perhaps this should be made private?
 

Biker

Well-known member
#19
Quoted from #18:
    I always wonder why these threads stay public as it simply opens up the possibility that good hackers will now have a starting point that they may have never discovered. Perhaps this should be made private?
Why? There was no issue or bug discovered. Did you even read the entire thread?
 

Chris D

XenForo developer
Staff member
#20
Quoted from #18:
    I always wonder why these threads stay public as it simply opens up the possibility that good hackers will now have a starting point that they may have never discovered. Perhaps this should be made private?
There have been several reports of security issues that were posted in public that were then quickly removed so they could be dealt with more sensitively. This doesn't need to be one of them.