XSS leak in posts?

RallyFan

RallyFan

Well-known member
Hi all,

I found this thread (https://xenforo.com/community/threa...details-may-be-in-the-browser-console.191431/) from @Brogan a while ago, which details the issue I am having.

When certain words are typed on the forum (that being HTML/ DOM EVENTS) rather than Xenforo simply seeing them as words, it sees them as a command and tries to activate them.

In my case a server side firewall is picking up the issue and blocking it as an "XSS Cross Scripting in POST body" error, HOWEVER it shouldn't be happening to begin with (text parsing to another layer).

@Mike Is this a security bug I've inadvertedly stumbled upon? If not I'm scratching my head as to why it would be trying to do it. If I disable the server side firewall it works fine, however that leaves the Wordpress frontend completely exposed.

Thanks to anyone who can help on this one.

Cheers.
 
Solution
Mike
Security systems like the kind you're talking about are basically just rule/pattern matching. They look for patterns that could represent an attempt to create an XSS. They are completely unaware of the application they're in front of. As such, they will block various totally valid strings.

Essentially, if you're running into false positives, you would need to figure out the rules you're hitting and the context where you want to skip checking them. I don't know what control you'd have over it, but you might be able to tweak based on a URL pattern or the name of the input.
Sort by date Sort by votes
Security systems like the kind you're talking about are basically just rule/pattern matching. They look for patterns that could represent an attempt to create an XSS. They are completely unaware of the application they're in front of. As such, they will block various totally valid strings.

Essentially, if you're running into false positives, you would need to figure out the rules you're hitting and the context where you want to skip checking them. I don't know what control you'd have over it, but you might be able to tweak based on a URL pattern or the name of the input.
 
Upvote 1 Downvote
Solution
Hmm so it's just seen a text string that it believes "may" be dodgy, and triggered a rule based on that?

Much like if the word was "placemat", and a trigger was setup for a command "placemat".

Sounds like the issue then is most likely with an update from the firewall plugin (which I can create exceptions for, but not sure to what depth).

It's only been reported by a user recently, and that was when making a typo "onpause" instead of "on pause".

Was just a bit concerned for a moment as I thought "uh oh don't tell me I have a gaping security hole somewhere".
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

_Al
  • Question Question
mod-security rules - where do I go from here?
Replies
9
Views
806
_Al
_Al
hibiskus
  • Question Question
Am I under attack? Blind XSS
Replies
1
Views
7K
⭐ Alex ⭐
⭐ Alex ⭐
Codeless
  • Question Question
XF 2.0 Defer parsing of JavaScript Xenforo 2.0
Replies
0
Views
1K
Codeless
Codeless
OakleyForum
  • Question Question
Install Elastic Search on CentOS issue?
Replies
8
Views
2K
OakleyForum
OakleyForum
Top Bottom