XSS leak in posts?

RallyFan

Well-known member
Hi all,

I found this thread (https://xenforo.com/community/threa...details-may-be-in-the-browser-console.191431/) from @Brogan a while ago, which details the issue I am having.

When certain words are typed on the forum (that being HTML/DOM events), rather than XenForo simply seeing them as words, it sees them as a command and tries to activate them.

In my case a server side firewall is picking up the issue and blocking it as an "XSS Cross Scripting in POST body" error, HOWEVER it shouldn't be happening to begin with (text parsing to another layer).

@Mike Is this a security bug I've inadvertently stumbled upon? If not, I'm scratching my head as to why it would be trying to do it. If I disable the server side firewall it works fine, however that leaves the WordPress frontend completely exposed.

Thanks to anyone who can help on this one.

Cheers.

Mike

XenForo developer
Staff member
Security systems like the kind you're talking about are basically just rule/pattern matching. They look for patterns that could represent an attempt to create an XSS. They are completely unaware of the application they're in front of. As such, they will block various totally valid strings.

Essentially, if you're running into false positives, you would need to figure out the rules you're hitting and the context where you want to skip checking them. I don't know what control you'd have over it, but you might be able to tweak based on a URL pattern or the name of the input.
 
Solution

RallyFan

Well-known member
Hmm, so it's just seen a text string that it believes "may" be dodgy, and triggered a rule based on that?

Much like if the word was "placemat", and a trigger was set up for a command "placemat".

Sounds like the issue then is most likely with an update from the firewall plugin (which I can create exceptions for, but not sure to what depth).

It's only been reported by a user recently, and that was when making a typo "onpause" instead of "on pause".

Was just a bit concerned for a moment as I thought "uh oh don't tell me I have a gaping security hole somewhere".
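The behaviour Mike describes (a generic signature that fires on any "on..." word, with no knowledge of the application) and the "onpause" typo from the reply above can be reproduced with a small model of a WAF rule. The following is an added illustration, not code from XenForo or from any real firewall product: the rule patterns, rule ids, the `/posts/add-reply` path and the `message` field name are all assumptions standing in for whatever the real forum and firewall use. It shows why a naive event-name signature blocks plain prose, why a context-aware signature (event name as an attribute inside a tag) does not, and how a per-rule exemption keyed by URL and input name removes the false positive without switching XSS checking off for that field.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: re.Pattern


# Naive signature of the kind generic WAF rulesets ship: any word that starts with
# "on" followed by letters is treated as a DOM event handler. It fires on the prose
# typo "onpause" just as readily as on a real handler. (Assumed pattern.)
NAIVE = Rule("xss-event-word", re.compile(r"\bon[a-z]+\b", re.IGNORECASE))

# Context-aware signature: an event handler only executes when it sits as an
# attribute inside a tag, i.e. after an unclosed "<" and followed by "=".
# Prose containing "onpause" has no tag context and is left alone. (Assumed pattern.)
CONTEXTUAL = Rule("xss-event-attr", re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE))

# Exemptions per (URL path, input name) list the rule ids to skip there, which is the
# narrow tuning Mike suggests. Only the noisy word rule is skipped for the post body;
# the attribute rule still applies. Path and field name are hypothetical.
EXEMPTIONS = {
    ("/posts/add-reply", "message"): {"xss-event-word"},
}


def inspect(path, field, text, rules=(NAIVE, CONTEXTUAL), exemptions=EXEMPTIONS):
    """Return the ids of the rules that would block this input after exemptions."""
    skipped = exemptions.get((path, field), set())
    return [r.rule_id for r in rules
            if r.rule_id not in skipped and r.pattern.search(text)]


# Constructed sample post bodies: the typo from the thread, the intended wording,
# and a textbook event-handler injection the contextual rule must still catch.
SAMPLES = {
    "typo": "The video is onpause until the host is back.",
    "spaced": "The video is on pause until the host is back.",
    "payload": '<img src=x onerror="alert(1)">',
}


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        untuned = inspect("/posts/add-reply", "message", text, exemptions={})
        tuned = inspect("/posts/add-reply", "message", text)
        print(f"{label:8} untuned={untuned} tuned={tuned}")
```

Running it shows the typo blocked only by `xss-event-word` before tuning and by nothing after, the spaced wording never blocked, and the injection sample still blocked by `xss-event-attr` after the exemption. The design point is that the exemption is scoped to one rule id, one path and one field rather than disabling the firewall, which is the "gaping hole" the original poster was worried about.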