1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Not a Bug User being able to exceed the Word Count Limit

Discussion in 'Resolved Bug Reports' started by faeronsayn, Jul 22, 2012.

  1. faeronsayn

    faeronsayn Well-Known Member

    One of my users was able to bypass the word count limit or character count limit of like 10 000.

    I later asked him how he did it and this is what he told me



     
    Adam Howard likes this.
  2. Adam Howard

    Adam Howard Well-Known Member

    Interesting.....

    ..... Do you have any other add-ons, skins, template edits, 3rd party products, or other customizations outside of the standard XenForo install?

    If so, I would be interested in what they are.

    What kind of setup do you have? ... ie ... Shared web host, vps, or dedicated? Who is your host (if you do not mind saying)?

    This would be the 1st time someone has been able to script eject (sounds like what was done) into XenForo directly. You may have discovered the 1st security flaw (not through a 3rd party) and I'd like to confirm or not.
     
    faeronsayn likes this.
  3. Chris D

    Chris D XenForo Developer Staff Member

    Hmm, that's concerning.

    Stuff like this worries me somewhat.

    I once worked somewhere that used a customised version of MojoPortal for its website. We paid for a penetration test and alarmingly through information passed in HTTP Headers and POST requests, they were able to write a perl script that was able to create a new user... as an admin. o_O

    I fell off my chair when I found out.

    Luckily for MojoPortal it was a vulnerability the web developer's modifications rather than the core files... but yeah, it is worrying.
     
    Adam Howard and faeronsayn like this.
  4. faeronsayn

    faeronsayn Well-Known Member

    it definitely is, its good to see that the member reported it after he tested the exploit, so hopefully this could be fixed some how.
     
    Adam Howard likes this.
  5. Adam Howard

    Adam Howard Well-Known Member

    Could you please open up a support ticket, referencing this thread?

    Thank you in advance :)
     
  6. x3sphere

    x3sphere Active Member

    In order for this to work it must mean the character count check is entirely JS based, no? I'll have to try it later.
     
  7. faeronsayn

    faeronsayn Well-Known Member

    I have quite a bit of add-ons setup. I am running on a VPS server, but I am sure that is quite secure.
     
  8. faeronsayn

    faeronsayn Well-Known Member

    Any update on this from the developers? It would be appreciated.
     
  9. Adam Howard

    Adam Howard Well-Known Member

    Do you mind sharing the list of add-ons that you have installed?

    I have not yet tried doing this myself on a test site, but if I can not do it alone with only XenForo ... That would mean it is an add-on issue and that developer would need to be made aware of the issue.

    You could help us all very greatly if you could please tell us what is installed.
     
  10. faeronsayn

    faeronsayn Well-Known Member

    Code:
    
    Add User Avatar to Last Post by Waindigo 1.0.5
    
    AzuCloud 0.1.2
    
    CCPLZ Hide Links From Guests 1.0.0
    
    Custom BBCode Manager v1.2.1
    
    DaTheme Advanced Styling Rules 1.0.2
    
    Display Staff Members 1.1.2
    
    ForumRunner for XenForo 1.1.0
    
    Hide Ip of Super Admin 1.0
    
    No Proxy Allowed 1.0
    
    Online Status 1.1
    
    ragtek First Post Moderated 1.0.0
    
    ragtek [Planet Liebe] Automatic URL Aliases - Automatic URL conversion 1.2.3
    
    Simple Sitemap 1.02
    
    sonnb - Bulk impoter for smilies management 1.0.3
    
    sonnb - Profanity Filter 1.0.2
    
    TaigaChat 0.5.5
    
    Tapatalk 1.1.3
    
    Template Modification System 1.2
    
    The Happy Place 3.0.0
    
    Top Users 1.1.2
    
    ****** - Advanced Forum Statistics 1.2.0
    
    XenQuotation 0.2.3
    
    XenTrader 2.1.1
    
    XF Arcade 0.0.8
    
    XFA - Previous and Next thread link 1.0.0
    
    [8wayRun.Com] XenPorta (Portal) 1.5.1
    
    [bd] Banking 0.9.9.1
    
    [bd] Forum Watch 0.9.6
    
    [bd] Tag Me 1.5.5
    
    [Ice] Shop 1.0.0
    
    [******] Custom Node Icon 0.9
    
    [xfr] Merge Double User Post 1.2.0
    
    
     
    Adam Howard likes this.
  11. sonnb

    sonnb Well-Known Member

    I see that XF does not check the length of post when performing this task.
     
  12. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Has anyone here been able to reproduce the problem themselves? I have been unable to reproduce it.

    The message length check is in the datawriter which is used by the saveinline action in the post controller. I examined all of the relevant code and I don't see any way to get around the check.
     
    Adam Howard and sonnb like this.
  13. sonnb

    sonnb Well-Known Member

    Yep, you are right. It was from DataWrite DiscussionMessage.
     
  14. faeronsayn

    faeronsayn Well-Known Member

    So I messaged him and told him to do it right in the conversation. Look at the scroll bar, you can see that the message is simply huge.

    Proof.PNG
     
  15. BamaStangGuy

    BamaStangGuy Well-Known Member

    Well, disable all your add-ons and then try to have him do it.
     
  16. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Longer than the maximum limit you have set?

    Admin CP -> Home -> Options -> Messages -> Maximum Message Length
     
    faeronsayn likes this.
  17. faeronsayn

    faeronsayn Well-Known Member

    Okay maybe that was the problem o.o it was set too high.
     
    Adam Howard likes this.
  18. Whispy

    Whispy New Member

    I always wonder why these threads stay public as it simply opens up the possibility that good hackers will now have a starting point that they may have never discovered. Perhaps this should be made private?
     
  19. Biker

    Biker Well-Known Member

    Why? There was no issue or bug discovered. Did you even read the entire thread?
     
  20. Chris D

    Chris D XenForo Developer Staff Member

    There have been several reports of security issues that were posted in public that were then quickly removed so they could be dealt with more sensitively. This doesn't need to be one of them.
     

Share This Page