security risk | INFJ Forum

security risk

alphawolf
Mar 11, 2009
I noticed that the forum is configured to allow embedding of youtube video, which is flash. Allowing embedding of flash requires allowing html in posts, which is a serious security hazard. It can open all users on the site to the possibility of cross-site-scripting attacks, meaning that if a user is logged in to another website, then their login cookies for the other site could be stolen via XSS scripts running through this site.


One reference here. Plenty of others are to be found with a quick googling.


http://www.vbulletin.com/forum/showthread.php?t=293146
 
HTML isn't required in the post, to my understanding

PHP:
[youtube]JFwCCL0Vh6U[/youtube]
^like that
 
I might assume incorrectly, but as far as I know, the videos are enclosed in something like this [YOUTUBE]XzTfyGiL[/YOUTUBE], so therefore there's practically no risk of someone inserting malicious HTML code -- at least not without uber hax.

<style type="text/css">
<!--
.zatest { border: #038 1px solid; background: #014; color: #fc0; font-weight: bold; }
-->
</style>

<div class="zatest">If HTML is processed, then this text should appear in orange text with a navy blue background.</div>

If PHP is interpreted
<?php phpinfo();
print("<br><br>"."Then you would be able to see sensitive server information like which version of PHP and apache were running"); ?>
 
According to http://www.vbulletin.com/forum/showpost.php?p=1211388&postcount=2 , the (youtube)param(/youtube) code gets converted into something like this:

HTML:
<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/{param}"></param><embed src="http://www.youtube.com/v/{param}" type="application/x-shockwave-flash" width="425" height="350"></embed></object>
Which may not have been what you were talking about, although that's less dangerous than inserting HTML directly.

Edit: it looks pretty safe to me. I tried code injection, alt codes, etc. Anything unusual was escaped.
 
No, the virtually unstoppable risk, as I understand it, is that (malicious) action scripts can be executed from within flash.
 
You might be right. It is possible, though highly unlikely for a youtube video to contain a malicious flash command, however I have faith in youtube's video filtering system since I haven't heard of anyone being hit by a malicious command yet. As well, I have antivirus protection, like I should have. It's generally understood that if you go anywhere on the web you need decent protection of your own (antivirus software, firewall or router, a secure browser, etc).
 
You might be right. It is possible, though highly unlikely for a youtube video to contain a malicious flash command, however I have faith in youtube's video filtering system since I haven't heard of anyone being hit by a malicious command yet. As well, I have antivirus protection, like I should have. It's generally understood that if you go anywhere on the web you need decent protection of your own (antivirus software, firewall or router, a secure browser, etc).
I've been hit twice off youtube with malicious code off one video (it took the second time to make the connection). Just avoid Enya's "Caribbean Blue" on youtube.

p.s. at least, I'm assuming it was this, both cases happened immediately after watching the video, but I don't have any actual proof that it was this video. Also, when I say avoid it I MEAN IT, the second time, in order to get rid of the virus, I had to format my hard drive.
 
That's a tough security issue to address then, and likely beyond the scope of the forums. If embedded flash is disabled, then people will just post links to youtube etc - and the browser is still susceptible to attack.

EDIT: How does malicious flash work? Does it attack the browser? The OS? Are certain platforms immune?
 
That's a tough security issue to address then, and likely beyond the scope of the forums. If embedded flash is disabled, then people will just post links to youtube etc - and the browser is still susceptible to attack.

EDIT: How does malicious flash work? Does it attack the browser? The OS? Are certain platforms immune?


Imagine this:

Admin is logged in to forum and admin control panel.

Malicious flash executes from a forum post.

Admin's control panel cookies are stolen.

Attacker gains access to control panel. Use your imagination from this point...
 
Imagine this:

Admin is logged in to forum and admin control panel.

Malicious flash executes from a forum post.

Admin's control panel cookies are stolen.

Attacker gains access to control panel. Use your imagination from this point...

Ok, I will use my imagination. I'm kinda good at that. Maybe you would like to talk with Ambrosia about this?
http://www.pandorabots.com/botmaster/en/summary?botid=e8d6db6a7e36950b

O, if that didn't work, try this? http://www.pandorabots.com/pandora/talk?botid=e8d6db6a7e36950b
 
Oh, so flash attacks are just cookie swipes? That's simple, but effective!
 
Moving to Computer Science as the discussion is more relevant there.

I took these things into consideration when enabling this feature. If I disable the bbcode for youtube, then they will just post the youtube link; if I disable youtube links, then they can just wrap the link with something like tinyurl.

I'd have to make a whitelist for links.
 
No, the virtually unstoppable risk, as I understand it, is that (malicious) action scripts can be executed from within flash.

No, it's safe and here is why:

According to http://www.vbulletin.com/forum/showpost.php?p=1211388&postcount=2 , the (youtube)param(/youtube) code gets converted into something like this:

HTML:
<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/{param}"></param><embed src="http://www.youtube.com/v/{param}" type="application/x-shockwave-flash" width="425" height="350"></embed></object>
Which may not have been what you were talking about, although that's less dangerous than inserting HTML directly.

Edit: it looks pretty safe to me. I tried code injection, alt codes, etc. Anything unusual was escaped.

If implemented the way described here, you can't link to anything other than what's on YouTube. When you use the YouTube tag on a forum post, it just plugs the video's unique identifier into the {param} spot of the template shown above.
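An added example (not code from this thread or from vBulletin) showing the two defensive points the thread arrives at: the [youtube] tag is expanded only when the video id has a strictly whitelisted shape (the 11-character rule here is an assumption for illustration), every other character of the post is HTML-escaped, and links are checked against a host whitelist of the kind the moderator proposes, which also rejects shortener domains. The function and host names are made up for this example.

```python
import html
import re
from urllib.parse import urlparse

# Assumed id shape: exactly 11 characters from [A-Za-z0-9_-].
VIDEO_ID = re.compile(r"^[A-Za-z0-9_-]{11}$")
YOUTUBE_TAG = re.compile(r"\[youtube\](.*?)\[/youtube\]", re.IGNORECASE | re.DOTALL)

# Template in the shape the thread quotes; the id lands in {param} and nowhere else.
EMBED = (
    '<object width="425" height="350">'
    '<param name="movie" value="http://www.youtube.com/v/{param}"></param>'
    '<embed src="http://www.youtube.com/v/{param}" '
    'type="application/x-shockwave-flash" width="425" height="350"></embed>'
    '</object>'
)


def render_post(text: str) -> str:
    """Escape all user text, then expand [youtube] tags only for well-formed ids."""
    out, pos = [], 0
    for m in YOUTUBE_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))  # quotes and angle brackets escaped
        vid = m.group(1).strip()
        if VIDEO_ID.match(vid):
            out.append(EMBED.format(param=vid))
        else:
            # Malformed id (e.g. contains quotes or tags): show the tag as literal text.
            out.append(html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


# Constructed whitelist for the example; a real deployment would maintain its own.
ALLOWED_HOSTS = {"youtube.com", "www.youtube.com", "youtu.be"}


def link_allowed(url: str) -> bool:
    """Allow only http(s) links whose host is on the whitelist (shorteners are not)."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and p.hostname in ALLOWED_HOSTS
```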