Not a bug User being able to exceed the Word Count Limit

[faeronsayn]

One of my users was able to bypass the word count limit or character count limit of like 10 000.

I later asked him how he did it and this is what he told me

I used the firefox addon Live Http headers, to edit the POST request and send it directly to an url like this:
ex:
http://www.domainname.com/posts/151537/save-inline

and this is the POST request when you edit a post

message_html=<p> This Is What My Post Will Look Like </p>
&_xfRelativeResolver=http://www.domainname.com/threads/t...2535f4533944ce01f41d81d5&_xfResponseType=json

each post has the "save-inline" thing for editing it, so I edited mine to send a message bigger than allowed and sent the POST request directly to it, try finding out which file it uses to do the "save-inline" function and editing it so it checks the "message_html" size.

 

[Adam Howard]

Interesting.....

..... Do you have any other add-ons, skins, template edits, 3rd party products, or other customizations outside of the standard XenForo install?

If so, I would be interested in what they are.

What kind of setup do you have? ... ie ... Shared web host, vps, or dedicated? Who is your host (if you do not mind saying)?

This would be the 1st time someone has been able to script eject (sounds like what was done) into XenForo directly. You may have discovered the 1st security flaw (not through a 3rd party) and I'd like to confirm or not.

 

[Chris D]

Hmm, that's concerning.

Stuff like this worries me somewhat.

I once worked somewhere that used a customised version of MojoPortal for its website. We paid for a penetration test and alarmingly through information passed in HTTP Headers and POST requests, they were able to write a perl script that was able to create a new user... as an admin.

I fell off my chair when I found out.

Luckily for MojoPortal it was a vulnerability the web developer's modifications rather than the core files... but yeah, it is worrying.

 

[faeronsayn]

Hmm, that's concerning.

Stuff like this worries me somewhat.

I once worked somewhere that used a customised version of MojoPortal for its website. We paid for a penetration test and alarmingly through information passed in HTTP Headers and POST requests, they were able to write a perl script that was able to create a new user... as an admin.

I fell off my chair when I found out.

Luckily for MojoPortal it was a vulnerability the web developer's modifications rather than the core files... but yeah, it is worrying.

it definitely is, its good to see that the member reported it after he tested the exploit, so hopefully this could be fixed some how.

 

[Adam Howard]

it definitely is, its good to see that the member reported it after he tested the exploit, so hopefully this could be fixed some how.

Could you please open up a support ticket, referencing this thread?

Thank you in advance

 

[x3sphere]

In order for this to work it must mean the character count check is entirely JS based, no? I'll have to try it later.

 

[faeronsayn]

I have quite a bit of add-ons setup. I am running on a VPS server, but I am sure that is quite secure.

 

[faeronsayn]

Any update on this from the developers? It would be appreciated.

 

[Adam Howard]

I have quite a bit of add-ons setup. I am running on a VPS server, but I am sure that is quite secure.

Do you mind sharing the list of add-ons that you have installed?

I have not yet tried doing this myself on a test site, but if I can not do it alone with only XenForo ... That would mean it is an add-on issue and that developer would need to be made aware of the issue.

You could help us all very greatly if you could please tell us what is installed.

 

[faeronsayn]

Do you mind sharing the list of add-ons that you have installed?

I have not yet tried doing this myself on a test site, but if I can not do it alone with only XenForo ... That would mean it is an add-on issue and that developer would need to be made aware of the issue.

You could help us all very greatly if you could please tell us what is installed.

Add User Avatar to Last Post by Waindigo 1.0.5

AzuCloud 0.1.2

CCPLZ Hide Links From Guests 1.0.0

Custom BBCode Manager v1.2.1

DaTheme Advanced Styling Rules 1.0.2

Display Staff Members 1.1.2

ForumRunner for XenForo 1.1.0

Hide Ip of Super Admin 1.0

No Proxy Allowed 1.0

Online Status 1.1

ragtek First Post Moderated 1.0.0

ragtek [Planet Liebe] Automatic URL Aliases - Automatic URL conversion 1.2.3

Simple Sitemap 1.02

sonnb - Bulk impoter for smilies management 1.0.3

sonnb - Profanity Filter 1.0.2

TaigaChat 0.5.5

Tapatalk 1.1.3

Template Modification System 1.2

The Happy Place 3.0.0

Top Users 1.1.2

****** - Advanced Forum Statistics 1.2.0

XenQuotation 0.2.3

XenTrader 2.1.1

XF Arcade 0.0.8

XFA - Previous and Next thread link 1.0.0

[8wayRun.Com] XenPorta (Portal) 1.5.1

[bd] Banking 0.9.9.1

[bd] Forum Watch 0.9.6

[bd] Tag Me 1.5.5

[Ice] Shop 1.0.0

[******] Custom Node Icon 0.9

[xfr] Merge Double User Post 1.2.0

 

[sonnb]

I see that XF does not check the length of post when performing this task.

 

[Jake Bunce]

Has anyone here been able to reproduce the problem themselves? I have been unable to reproduce it.

The message length check is in the datawriter which is used by the saveinline action in the post controller. I examined all of the relevant code and I don't see any way to get around the check.

 

[sonnb]

Has anyone here been able to reproduce the problem themselves? I have been unable to reproduce it.

The message length check is in the datawriter which is used by the saveinline action in the post controller. I examined all of the relevant code and I don't see any way to get around the check.

Yep, you are right. It was from DataWrite DiscussionMessage.

 

[faeronsayn]

So I messaged him and told him to do it right in the conversation. Look at the scroll bar, you can see that the message is simply huge.

 

[Brent W]

Well, disable all your add-ons and then try to have him do it.

 

[Jake Bunce]

Look at the scroll bar, you can see that the message is simply huge.

Longer than the maximum limit you have set?

Admin CP -> Home -> Options -> Messages -> Maximum Message Length

 

[faeronsayn]

Longer than the maximum limit you have set?

Admin CP -> Home -> Options -> Messages -> Maximum Message Length

Okay maybe that was the problem o.o it was set too high.

 

[Whispy]

I always wonder why these threads stay public as it simply opens up the possibility that good hackers will now have a starting point that they may have never discovered. Perhaps this should be made private?

 

[Biker]

I always wonder why these threads stay public as it simply opens up the possibility that good hackers will now have a starting point that they may have never discovered. Perhaps this should be made private?

Why? There was no issue or bug discovered. Did you even read the entire thread?

 

[Chris D]

I always wonder why these threads stay public as it simply opens up the possibility that good hackers will now have a starting point that they may have never discovered. Perhaps this should be made private?

There have been several reports of security issues that were posted in public that were then quickly removed so they could be dealt with more sensitively. This doesn't need to be one of them.