XSS leak in posts?

RallyFan

RallyFan

Well-known member
Hi all,

I found this thread (https://xenforo.com/community/threa...details-may-be-in-the-browser-console.191431/) from @Brogan a while ago, which details the issue I am having.

When certain words are typed on the forum (that being HTML/ DOM EVENTS) rather than Xenforo simply seeing them as words, it sees them as a command and tries to activate them.

In my case a server side firewall is picking up the issue and blocking it as an "XSS Cross Scripting in POST body" error, HOWEVER it shouldn't be happening to begin with (text parsing to another layer).

@Mike Is this a security bug I've inadvertedly stumbled upon? If not I'm scratching my head as to why it would be trying to do it. If I disable the server side firewall it works fine, however that leaves the Wordpress frontend completely exposed.

Thanks to anyone who can help on this one.

Cheers.
 
Solution
Mike
Security systems like the kind you're talking about are basically just rule/pattern matching. They look for patterns that could represent an attempt to create an XSS. They are completely unaware of the application they're in front of. As such, they will block various totally valid strings.

Essentially, if you're running into false positives, you would need to figure out the rules you're hitting and the context where you want to skip checking them. I don't know what control you'd have over it, but you might be able to tweak based on a URL pattern or the name of the input.
Sort by date Sort by votes
Security systems like the kind you're talking about are basically just rule/pattern matching. They look for patterns that could represent an attempt to create an XSS. They are completely unaware of the application they're in front of. As such, they will block various totally valid strings.

Essentially, if you're running into false positives, you would need to figure out the rules you're hitting and the context where you want to skip checking them. I don't know what control you'd have over it, but you might be able to tweak based on a URL pattern or the name of the input.
 
Upvote 1 Downvote
Solution
Hmm so it's just seen a text string that it believes "may" be dodgy, and triggered a rule based on that?

Much like if the word was "placemat", and a trigger was setup for a command "placemat".

Sounds like the issue then is most likely with an update from the firewall plugin (which I can create exceptions for, but not sure to what depth).

It's only been reported by a user recently, and that was when making a typo "onpause" instead of "on pause".

Was just a bit concerned for a moment as I thought "uh oh don't tell me I have a gaping security hole somewhere".
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

A
  • Question Question
XF 2.3 How to add text by the date in posts?
Replies
7
Views
71
frm
frm
david.steadson
  • Question Question
MG 2.3 How to insert media gallery images in posts?
Replies
1
Views
28
david.steadson
david.steadson
fork
Server issue Webserver Crash on special Input in Posts
Replies
4
Views
112
Jeremy P
Jeremy P
M
  • Question Question
XF 2.2 File Attachment Problem in Posts
Replies
18
Views
475
Matthew H
M
Mithgol
  • Suggestion Suggestion
hotlinking videos
Replies
1
Views
57
AndyB
AndyB
Back
Top Bottom