security risk

alphawolf

alphawolf

Regular Poster
MBTI
INFJ
I noticed that the forum is configured to allow embedding of youtube video, which is flash. Allowing embedding of flash requires allowing html in posts, which is a serious security hazard. It can open all users on the site to the possibility of cross-site-scripting attacks, meaning that if a user is logged in to another website, then their login cookies for the other site could be stolen via XSS scripts running through this site.


One reference here. Plenty of others are to be found with a quick googling.


http://www.vbulletin.com/forum/showthread.php?t=293146
 
HTML isn't required in the post, to my understanding

PHP: 
[youtube]JFwCCL0Vh6U[/youtube]
^like that
 
Last edited:
I might assume incorrectly, but as far as I know, the videos are enclosed in something like this [YOUTUBE]XzTfyGiL[/YOUTUBE], so therefore theres practically no risk of someone inserting malicious HTML code -- at least not without uber hax.

<style type="text/css">
<!--
.zatest { border: #038 1px solid; background: #014; color: #fc0; font-weight: bold; }
-->
</style>

<div class="zatest">If HTML is processed, then this text should appear in orange text with a navy blue background.</div>

If PHP is interpreted
<?php phpinfo();
print("<br><br>"."Then you would be able to see sensitive server information like which version of PHP and apache were running"); ?>
 
Last edited:
According to http://www.vbulletin.com/forum/showpost.php?p=1211388&postcount=2 , the (youtube)param(/youtube) code gets converted into something like this:

HTML: 
<object width="425" height="350"><param name="movie" value="<A href="http://www.youtube.com/v/{param}"></param><embed">http://www.youtube.com/v/{param}"></param><embed src="http://www.youtube.com/v/{param}" type="application/x-shockwave-flash" width="425" height="350"></embed></object>
Which not have been what you were talking about, although that's less dangerous than inserting HTML directly.

Edit: it looks pretty safe to me. I tried code injection, alt codes, etc. Anything unusual was escaped.
 
Last edited:
No, the virtually unstoppable risk, as I understand it, is that (malicious) action scripts can be executed from within flash.
 
You might be right. It is possible, though highly unlikely for a youtube video to contain a malicious flash command, however I have faith in youtube's video filtering system since I haven't heard of anyone being hit by a malicious command yet. As well, I have antivirus protection, like I should have. It's generally understood that if you go anywhere on the web you need decent protection of your own (antivirus software, firewall or router, a secure browser, etc).
 
Zero Angel said:
You might be right. It is possible, though highly unlikely for a youtube video to contain a malicious flash command, however I have faith in youtube's video filtering system since I haven't heard of anyone being hit by a malicious command yet. As well, I have antivirus protection, like I should have. It's generally understood that if you go anywhere on the web you need decent protection of your own (antivirus software, firewall or router, a secure browser, etc).
Click to expand...
I've been hit twice off youtube with malicious code off one video (it took the second time to make the connection). Just avoid Enya's "Carribean Blue" on youtube.

p.s. at least, I'm assuming it was this, both cases happened immediately after watching the video, but I don't have any actual proof that it was this video. Also, when I say avoid it I MEAN IT, the second time, in order to get rid of the virus, I had to format my hard drive.
 
That's a tough security issue to address then, and likely beyond the scope of the forums. If embedded flash is disabled, then people will just post links to youtube etc - and the browser is still susceptible to attack.

EDIT: How does malicious flash work? Does it attack the browser? The OS? Are certain platforms immune?
 
Last edited:
Milon said:
That's a tough security issue to address then, and likely beyond the scope of the forums. If embedded flash is disabled, then people will just post links to youtube etc - and the browser is still susceptible to attack.

EDIT: How does malicious flash work? Does it attack the browser? The OS? Are certain platforms immune?
Click to expand...


Imagine this:

Admin is logged in to forum and admin control panel.

Malicious flash executes from a forum post.

Admin's control panel cookies are stolen.

Attacker gains access to control panel. Use your imagination from this point...
 
alphawolf said:
Imagine this:

Admin is logged in to forum and admin control panel.

Malicious flash executes from a forum post.

Admin's control panel cookies are stolen.

Attacker gains access to control panel. Use your imagination from this point...
Click to expand...

Ok, I will use my imagination. I'm kinda good at that. Maybe you would like to talk with Ambrosia about this?
http://www.pandorabots.com/botmaster/en/summary?botid=e8d6db6a7e36950b

O, if that didn't work, try this? http://www.pandorabots.com/pandora/talk?botid=e8d6db6a7e36950b
 
Last edited:
Oh, so flash attacks are just cookie swipes? That's simple, but effective!
 
moving to Computer Science as the disscussion is more relevent there.

i took these things into consideration when enabling this feature, if i disable the bbcode for youtube, then they will just post the youtube link, if i disable youtube links, then they can just wrap the link with something like tinyurl.

i'd have have to make a whitelist for links.
 
alphawolf said:
No, the virtually unstoppable risk, as I understand it, is that (malicious) action scripts can be executed from within flash.
Click to expand...

No, it's safe and here is why:

laofmoonster said:
According to http://www.vbulletin.com/forum/showpost.php?p=1211388&postcount=2 , the (youtube)param(/youtube) code gets converted into something like this:

HTML: 
<object width="425" height="350"><param name="movie" value="<A href="http://www.youtube.com/v/{param}"></param><embed">http://www.youtube.com/v/{param}"></param><embed src="http://www.youtube.com/v/{param}" type="application/x-shockwave-flash" width="425" height="350"></embed></object>
Which not have been what you were talking about, although that's less dangerous than inserting HTML directly.

Edit: it looks pretty safe to me. I tried code injection, alt codes, etc. Anything unusual was escaped.
Click to expand...

If implemented the way described here, you can't link to anything other than what's on YouTube. When you use the YouTube tag on a forum post, it just plugs the video's unique identifier into the {param} spot of the template shown above.
 
You must log in or register to reply here.
Back
Top