security risk | INFJ Forum

security risk

Discussion in 'Computer Science' started by alphawolf, Mar 19, 2009.

  1. alphawolf

    I noticed that the forum is configured to allow embedding of youtube video, which is flash. Allowing embedding of flash requires allowing html in posts, which is a serious security hazard. It can open all users on the site to the possibility of cross-site-scripting attacks, meaning that if a user is logged in to another website, then their login cookies for the other site could be stolen via XSS scripts running through this site.


    One reference here. Plenty of others are to be found with a quick googling.


    http://www.vbulletin.com/forum/showthread.php?t=293146


     
  2. corvidae

    HTML isn't required in the post, to my understanding

    PHP:
    [youtube]JFwCCL0Vh6U[/youtube]
    ^like that
     
    #2 corvidae, Mar 19, 2009
    Last edited: Mar 19, 2009
  3. Zero Angel

    I might assume incorrectly, but as far as I know, the videos are enclosed in something like this [YOUTUBE]XzTfyGiL[/YOUTUBE], so therefore there's practically no risk of someone inserting malicious HTML code -- at least not without uber hax.

    <style type="text/css">
    <!--
    .zatest { border: #038 1px solid; background: #014; color: #fc0; font-weight: bold; }
    -->
    </style>

    <div class="zatest">If HTML is processed, then this text should appear in orange text with a navy blue background.</div>

    If PHP is interpreted
    <?php phpinfo();
    print("<br><br>"."Then you would be able to see sensitive server information like which version of PHP and apache were running"); ?>
     
    #3 Zero Angel, Mar 19, 2009
    Last edited: Mar 19, 2009
  4. corvidae

    According to http://www.vbulletin.com/forum/showpost.php?p=1211388&postcount=2 , the (youtube)param(/youtube) code gets converted into something like this:

    HTML:
    <object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/{param}"></param><embed src="http://www.youtube.com/v/{param}" type="application/x-shockwave-flash" width="425" height="350"></embed></object>
    Which may not have been what you were talking about, although that's less dangerous than inserting HTML directly.

    Edit: it looks pretty safe to me. I tried code injection, alt codes, etc. Anything unusual was escaped.
     
    #4 corvidae, Mar 19, 2009
    Last edited: Mar 19, 2009
  5. OP
    alphawolf

    No, the virtually unstoppable risk, as I understand it, is that (malicious) action scripts can be executed from within flash.
     
  6. Zero Angel

    You might be right. It is possible, though highly unlikely for a youtube video to contain a malicious flash command, however I have faith in youtube's video filtering system since I haven't heard of anyone being hit by a malicious command yet. As well, I have antivirus protection, like I should have. It's generally understood that if you go anywhere on the web you need decent protection of your own (antivirus software, firewall or router, a secure browser, etc).
     
  7. NaeturVindur

    I've been hit twice off youtube with malicious code off one video (it took the second time to make the connection). Just avoid Enya's "Caribbean Blue" on youtube.

    p.s. at least, I'm assuming it was this, both cases happened immediately after watching the video, but I don't have any actual proof that it was this video. Also, when I say avoid it I MEAN IT, the second time, in order to get rid of the virus, I had to format my hard drive.
     
  8. Milon

    That's a tough security issue to address then, and likely beyond the scope of the forums. If embedded flash is disabled, then people will just post links to youtube etc - and the browser is still susceptible to attack.

    EDIT: How does malicious flash work? Does it attack the browser? The OS? Are certain platforms immune?
     
    #8 Milon, Mar 20, 2009
    Last edited: Mar 20, 2009
  9. OP
    alphawolf


    Imagine this:

    Admin is logged in to forum and admin control panel.

    Malicious flash executes from a forum post.

    Admin's control panel cookies are stolen.

    Attacker gains access to control panel. Use your imagination from this point...
     
  10. mayflow

    Ok, I will use my imagination. I'm kinda good at that. Maybe you would like to talk with Ambrosia about this?
    http://www.pandorabots.com/botmaster/en/summary?botid=e8d6db6a7e36950b

    O, if that didn't work, try this? http://www.pandorabots.com/pandora/talk?botid=e8d6db6a7e36950b
     
    #10 mayflow, Mar 20, 2009
    Last edited: Mar 20, 2009
  11. Milon

    Oh, so flash attacks are just cookie swipes? That's simple, but effective!
     
  12. Deathjam

    Moving to Computer Science as the discussion is more relevant there.

    I took these things into consideration when enabling this feature. If I disable the bbcode for youtube, then they will just post the youtube link; if I disable youtube links, then they can just wrap the link with something like tinyurl.

    I'd have to make a whitelist for links.
     
  13. Phyllotaxis

    No, it's safe and here is why:

    If implemented the way described here, you can't link to anything other than what's on YouTube. When you use the YouTube tag on a forum post, it just plugs the video's unique identifier into the {param} spot of the template shown above.
     
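The behaviour posts #4 and #13 describe (all user text escaped, and only a video identifier substituted into a fixed template) can be sketched as follows. This is an added Python example, not vBulletin's code or anything posted in the thread; `render_post`, the 11-character id pattern and the sample posts are assumptions made for illustration.

```python
import html
import re

# Assumption: a YouTube video id is exactly 11 characters from [A-Za-z0-9_-].
VIDEO_ID = re.compile(r"[A-Za-z0-9_-]{11}")
TAG = re.compile(r"\[youtube\](.*?)\[/youtube\]", re.IGNORECASE | re.DOTALL)

# Fixed markup following the template quoted in post #4; only {param} varies.
TEMPLATE = (
    '<object width="425" height="350">'
    '<param name="movie" value="http://www.youtube.com/v/{param}"></param>'
    '<embed src="http://www.youtube.com/v/{param}" '
    'type="application/x-shockwave-flash" width="425" height="350"></embed>'
    '</object>'
)


def render_post(raw):
    """Escape every character of user text, then expand valid [youtube] tags."""
    escaped = html.escape(raw, quote=True)

    def expand(match):
        # Validate the original (unescaped) tag body against the id allowlist.
        candidate = html.unescape(match.group(1)).strip()
        if VIDEO_ID.fullmatch(candidate):
            return TEMPLATE.format(param=candidate)
        # Rejected: keep the tag as inert, already-escaped text.
        return match.group(0)

    return TAG.sub(expand, escaped)


# Constructed sample posts (not taken from a real forum database).
SAMPLES = [
    "[youtube]JFwCCL0Vh6U[/youtube]",                   # well-formed id
    '[youtube]abc"><b>x</b>[/youtube]',                 # markup inside the tag
    "[youtube]http://example.com/other.swf[/youtube]",  # URL instead of an id
    '<div class="zatest">raw HTML in a post</div>',     # HTML outside any tag
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(render_post(sample))
```

The allowlist constrains which URL ends up in the embed; it says nothing about what the Flash content served from that URL does, which is the separate concern raised in post #5.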
  14. Timeless

    I'll be damned.

    Captain Morgan?
     
