INTERACT FORUM


Author Topic: Forum Issue: Cross Site Scripting Issues  (Read 1163 times)

BartMan01

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 1513
Forum Issue: Cross Site Scripting Issues
« on: May 05, 2008, 09:59:59 am »

Using Firefox with NoScript, I get cross-site scripting warnings when using the Interact Forum with scripting enabled for the site.

Here is an example:
Quote
[NoScript XSS] Sanitized suspicious request. Original URL [http://digg.com/tools/diggthis.php?u=http%3A//yabb.jriver.com/interact/index.php%3Ftopic%3D46456&t=Smartlist%20Improvements%20in%20491%20%28and%20later%29&w=new&b=In%20MC%2012.0.491%20you%20will%20be%20able%20to%20group%20rules%20to%20be%20OR%26%23039%3Bd%20and%20AND%26%23039%3Bd%20together%20simply%20by%20encasing%20them%20in%20brackets%20%28%26%23039%3B%28%20%29%26%23039%3B%20to%20OR%20them%20and%20%26%23039%3B%5B%20%5D%26%23039%3B%20to%20AND%20them%29%20so%20that...%3Cbr%20/%3E%3Cbr%20/%3E%28%20Rule%201%3Cbr%20/%3E%26nbsp%3B%20Rule%202%20%29%20%3D%20%28Rule%201%20OR%20Rule%202%29%3Cbr%20/%3E%3Cbr%20/%3E%28%20Rule%201%3Cbr%20/%3E%5B%20Rule%202%3Cbr%20/%3E%26nbsp%3B%20Rule%203%20%5D%3Cbr%20/%3E%26nbsp%3B%20Rule%204%20%29%20%3D%20%28Rule%201%20OR%20%28Rule%202%20AND%20Rule%203%29%20OR%20Rule%204%29%3Cbr%20/%3E%3Cbr%20/%3EFor%20example...%3Cbr%20/%3E%3Cbr%20/%3E%3Cimg%20src%3D%22http%3A//www.pix01.com/gallery/DC3F715F-8535-45C8-9257-9BA21870CC2C/SmartlistDlg_Enhancement/3801117400.jpg%22%20alt%3D%22%22%20border%3D%220%22%20/%3E%3Cbr%20/%3E%3Cbr%20/%3Ebecomes...%3Cbr%20/%3E%3Cbr%20/%3E%3Cimg%20src%3D%22http%3A//www.pix01.com/gallery/DC3F715F-8535-45C8-9257-9BA21870CC2C/SmartlistDlg_Enhancement/3801117401.jpg%22%20alt%3D%22%22%20border%3D%220%22%20/%3E&c=software&k=%23f8f8f8&s=compact] requested from [http://yabb.jriver.com/interact/index.php?topic=46456.0]. 
Sanitized URL: [http://digg.com/tools/diggthis.php?u=http%3A%2F%2Fyabb.jriver.com%2Finteract%2Findex.php%3Ftopic%3D46456&t=Smartlist%20Improvements%20in%20491%20%20and%20later%20&w=new&b=In%20MC%2012.0.491%20you%20will%20be%20able%20to%20group%20rules%20to%20be%20OR%20d%20and%20AND%20d%20together%20simply%20by%20encasing%20them%20in%20brackets%20%20%20%20%20%20%20%20to%20OR%20them%20and%20%20%20%20%20%20%20to%20AND%20them%20%20so%20that...%20br%20%2F%3E%20br%20%2F%3E%20%20Rule%201%20br%20%2F%3E%C2%A0%20Rule%202%20%20%20%20%20%20Rule%201%20OR%20Rule%202%20%20br%20%2F%3E%20br%20%2F%3E%20%20Rule%201%20br%20%2F%3E%20%20Rule%202%20br%20%2F%3E%C2%A0%20Rule%203%20%20%20br%20%2F%3E%C2%A0%20Rule%204%20%20%20%20%20%20Rule%201%20OR%20%20Rule%202%20AND%20Rule%203%20%20OR%20Rule%204%20%20br%20%2F%3E%20br%20%2F%3EFor%20example...%20br%20%2F%3E%20br%20%2F%3E%20img%20src%20%20http%3A%2F%2Fwww.pix01.com%2Fgallery%2FDC3F715F-8535-45C8-9257-9BA21870CC2C%2FSmartlistDlg_Enhancement%2F3801117400.jpg%20%20alt%20%20%20%20border%20%200%20%20%2F%3E%20br%20%2F%3E%20br%20%2F%3Ebecomes...%20br%20%2F%3E%20br%20%2F%3E%20img%20src%20%20http%3A%2F%2Fwww.pix01.com%2Fgallery%2FDC3F715F-8535-45C8-9257-9BA21870CC2C%2FSmartlistDlg_Enhancement%2F3801117401.jpg%20%20alt%20%20%20%20border%20%200%20%20%2F%3E&c=software&k=%23f8f8f8&s=compact#017405088601938012123].

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 72379
  • Where did I put my teeth?
Re: Forum Issue: Cross Site Scripting Issues
« Reply #1 on: May 05, 2008, 10:18:33 am »

It's just digg.com. Try a Google search.

BartMan01

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 1513
Re: Forum Issue: Cross Site Scripting Issues
« Reply #2 on: May 07, 2008, 01:24:30 pm »

I know what Digg is, but XSS is a common (and becoming a preferred) vector for malicious attack and is blocked by things like NoScript. Not sure what you are trying to accomplish with it; just letting you know that the method you are using is getting blocked even with scripting enabled for your site.
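
Added example, not part of the thread and not NoScript's or the forum's own code: the request quoted in the first post puts rendered post HTML (`<br />`, `<img>`, `&#039;`) into the `b` parameter of a cross-site URL. The sketch below shows a simplified markup check on the decoded parameters and a share URL built from plain text instead. All function names are hypothetical, the check is far cruder than NoScript's filter, and the sample is shortened from the quoted request.

```javascript
const TAG_RE = /<\/?[a-z][^>]*>/i;                 // e.g. <br />, <img ...>
const ENTITY_RE = /&(#\d+|#x[0-9a-f]+|[a-z]+);/i;  // e.g. &#039;, &nbsp;
const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['nbsp', ' ']]);

// List the query parameters of a URL whose decoded value carries HTML markup.
function findMarkupParams(shareUrl) {
  const hits = [];
  for (const [name, value] of new URL(shareUrl).searchParams) {
    const reasons = [];
    if (TAG_RE.test(value)) reasons.push('tag');
    if (ENTITY_RE.test(value)) reasons.push('entity');
    if (reasons.length > 0) hits.push({ name, reasons });
  }
  return hits;
}

// Reduce rendered post HTML to plain text: drop tags, then decode entities in
// a single pass so nothing is decoded twice. The result is text, so whoever
// displays it must still HTML-escape it on output.
function toPlainText(html) {
  return html
    .replace(/<br\s*\/?>/gi, ' ')
    .replace(/<[^>]*>/g, '')
    .replace(/&(?:#(\d+)|([a-z]+));/gi, (m, num, name) => {
      if (num) return Number(num) <= 0x10ffff ? String.fromCodePoint(Number(num)) : m;
      return NAMED.get(name.toLowerCase()) ?? m;
    })
    .replace(/\s+/g, ' ')
    .trim();
}

// Build the share URL from plain text; URLSearchParams does the percent-encoding.
function buildShareUrl(endpoint, pageUrl, title, bodyHtml) {
  const url = new URL(endpoint);
  url.searchParams.set('u', pageUrl);
  url.searchParams.set('t', toPlainText(title));
  url.searchParams.set('b', toPlainText(bodyHtml));
  return url.toString();
}

// Constructed sample, shortened from the request quoted in the first post.
const ENDPOINT = 'http://digg.com/tools/diggthis.php';
const PAGE = 'http://yabb.jriver.com/interact/index.php?topic=46456';
const TITLE = 'Smartlist Improvements in 491 (and later)';
const BODY_HTML = 'group rules to be OR&#039;d and AND&#039;d together...<br /><br />( Rule 1<br />&nbsp; Rule 2 ) = (Rule 1 OR Rule 2)';
const RAW_URL = `${ENDPOINT}?u=${encodeURIComponent(PAGE)}&t=${encodeURIComponent(TITLE)}&b=${encodeURIComponent(BODY_HTML)}`;

console.log(findMarkupParams(RAW_URL));
console.log(findMarkupParams(buildShareUrl(ENDPOINT, PAGE, TITLE, BODY_HTML)));
```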