INTERACT FORUM

More => Old Versions => Media Center 12 (Development Ended) => Topic started by: BartMan01 on May 05, 2008, 09:59:59 am

Title: Forum Issue: Cross Site Scripting Issues
Post by: BartMan01 on May 05, 2008, 09:59:59 am
Using Firefox with NoScript I get cross-site scripting (http://en.wikipedia.org/wiki/Cross-site_scripting) warnings when using the Interact Forum with scripting enabled for the site.

Here is an example:
Quote
[NoScript XSS] Sanitized suspicious request. Original URL [http://digg.com/tools/diggthis.php?u=http%3A//yabb.jriver.com/interact/index.php%3Ftopic%3D46456&t=Smartlist%20Improvements%20in%20491%20%28and%20later%29&w=new&b=In%20MC%2012.0.491%20you%20will%20be%20able%20to%20group%20rules%20to%20be%20OR%26%23039%3Bd%20and%20AND%26%23039%3Bd%20together%20simply%20by%20encasing%20them%20in%20brackets%20%28%26%23039%3B%28%20%29%26%23039%3B%20to%20OR%20them%20and%20%26%23039%3B%5B%20%5D%26%23039%3B%20to%20AND%20them%29%20so%20that...%3Cbr%20/%3E%3Cbr%20/%3E%28%20Rule%201%3Cbr%20/%3E%26nbsp%3B%20Rule%202%20%29%20%3D%20%28Rule%201%20OR%20Rule%202%29%3Cbr%20/%3E%3Cbr%20/%3E%28%20Rule%201%3Cbr%20/%3E%5B%20Rule%202%3Cbr%20/%3E%26nbsp%3B%20Rule%203%20%5D%3Cbr%20/%3E%26nbsp%3B%20Rule%204%20%29%20%3D%20%28Rule%201%20OR%20%28Rule%202%20AND%20Rule%203%29%20OR%20Rule%204%29%3Cbr%20/%3E%3Cbr%20/%3EFor%20example...%3Cbr%20/%3E%3Cbr%20/%3E%3Cimg%20src%3D%22http%3A//www.pix01.com/gallery/DC3F715F-8535-45C8-9257-9BA21870CC2C/SmartlistDlg_Enhancement/3801117400.jpg%22%20alt%3D%22%22%20border%3D%220%22%20/%3E%3Cbr%20/%3E%3Cbr%20/%3Ebecomes...%3Cbr%20/%3E%3Cbr%20/%3E%3Cimg%20src%3D%22http%3A//www.pix01.com/gallery/DC3F715F-8535-45C8-9257-9BA21870CC2C/SmartlistDlg_Enhancement/3801117401.jpg%22%20alt%3D%22%22%20border%3D%220%22%20/%3E&c=software&k=%23f8f8f8&s=compact] requested from [http://yabb.jriver.com/interact/index.php?topic=46456.0]. 
Sanitized URL: [http://digg.com/tools/diggthis.php?u=http%3A%2F%2Fyabb.jriver.com%2Finteract%2Findex.php%3Ftopic%3D46456&t=Smartlist%20Improvements%20in%20491%20%20and%20later%20&w=new&b=In%20MC%2012.0.491%20you%20will%20be%20able%20to%20group%20rules%20to%20be%20OR%20d%20and%20AND%20d%20together%20simply%20by%20encasing%20them%20in%20brackets%20%20%20%20%20%20%20%20to%20OR%20them%20and%20%20%20%20%20%20%20to%20AND%20them%20%20so%20that...%20br%20%2F%3E%20br%20%2F%3E%20%20Rule%201%20br%20%2F%3E%C2%A0%20Rule%202%20%20%20%20%20%20Rule%201%20OR%20Rule%202%20%20br%20%2F%3E%20br%20%2F%3E%20%20Rule%201%20br%20%2F%3E%20%20Rule%202%20br%20%2F%3E%C2%A0%20Rule%203%20%20%20br%20%2F%3E%C2%A0%20Rule%204%20%20%20%20%20%20Rule%201%20OR%20%20Rule%202%20AND%20Rule%203%20%20OR%20Rule%204%20%20br%20%2F%3E%20br%20%2F%3EFor%20example...%20br%20%2F%3E%20br%20%2F%3E%20img%20src%20%20http%3A%2F%2Fwww.pix01.com%2Fgallery%2FDC3F715F-8535-45C8-9257-9BA21870CC2C%2FSmartlistDlg_Enhancement%2F3801117400.jpg%20%20alt%20%20%20%20border%20%200%20%20%2F%3E%20br%20%2F%3E%20br%20%2F%3Ebecomes...%20br%20%2F%3E%20br%20%2F%3E%20img%20src%20%20http%3A%2F%2Fwww.pix01.com%2Fgallery%2FDC3F715F-8535-45C8-9257-9BA21870CC2C%2FSmartlistDlg_Enhancement%2F3801117401.jpg%20%20alt%20%20%20%20border%20%200%20%20%2F%3E&c=software&k=%23f8f8f8&s=compact#017405088601938012123].
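The request NoScript objected to, as an added example that is not part of the original post or of NoScript's code: a small Python model of how a client-side XSS filter flags a query parameter that carries HTML (here the post body in the "b=" parameter) and blanks the markup-forming characters, run on a constructed URL shaped like the one quoted above. The filtering rule and the sample URL are assumptions made for this example, not NoScript's actual logic.

```python
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumption: this approximates what a client-side XSS filter like NoScript does
# (decode the value, look for markup, blank out markup-forming characters). It is
# a simplified model written for this example, not NoScript's actual rule set.
TAG_RE = re.compile(r"</?[a-z][a-z0-9]*[^>]*>", re.IGNORECASE)
MARKUP_CHARS = "<>\"'()[]="

# Constructed sample, modelled on the Digg link the forum post quotes: the "b="
# parameter carries the post body, HTML tags and entities included.
SAMPLE_URL = (
    "http://digg.com/tools/diggthis.php"
    "?u=http%3A//example.invalid/index.php%3Ftopic%3D1"
    "&t=Smartlist%20Improvements"
    "&b=Rules%20can%20be%20OR%26%23039%3Bd%3Cbr%20/%3E"
    "%3Cimg%20src%3D%22http%3A//example.invalid/a.jpg%22%20/%3E"
    "&s=compact"
)

def query_params(url):
    """Decode the query string into a {name: value} dict (percent-decoding applied)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))

def looks_like_markup(value):
    """True if a parameter value contains an HTML tag once entities are decoded."""
    return TAG_RE.search(html.unescape(value)) is not None

def suspicious_params(url):
    """Names of the query parameters whose value looks like injected HTML."""
    return [name for name, value in query_params(url).items() if looks_like_markup(value)]

def sanitize_url(url):
    """Rebuild the URL with markup-forming characters blanked in flagged parameters."""
    parts = urlsplit(url)
    cleaned = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if looks_like_markup(value):
            value = "".join(" " if ch in MARKUP_CHARS else ch for ch in html.unescape(value))
        cleaned.append((name, value))
    return parts._replace(query=urlencode(cleaned)).geturl()

if __name__ == "__main__":
    print("flagged:", suspicious_params(SAMPLE_URL))
    print("sanitized:", sanitize_url(SAMPLE_URL))
```

Only the parameter that embeds the post body is flagged; the topic URL and title pass through untouched, which is why NoScript's sanitized copy above still points at the right topic but has the markup knocked out.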
Title: Re: Forum Issue: Cross Site Scripting Issues
Post by: JimH on May 05, 2008, 10:18:33 am
It's just digg.com. Try a Google search.
Title: Re: Forum Issue: Cross Site Scripting Issues
Post by: BartMan01 on May 07, 2008, 01:24:30 pm
I know what digg is, but XSS is a common (and becoming a preferred) vector for malicious attack and is blocked by things like NoScript. I'm not sure what you are trying to accomplish with it; I'm just letting you know that the method you are using is getting blocked even with scripting enabled for your site.