Nareed
Nareed
  • Threads: 373
  • Posts: 11413
Joined: Nov 11, 2009
October 26th, 2012 at 7:05:50 AM permalink
If you use an apostrophe in a PM title, then when the recipeient replies, the title gets cut to the letter before the apostrophe. For example, if I title a PM "Here's the thing", the reply will say "RE: Here"
Donald Trump is a fucking criminal
MangoJ
MangoJ
  • Threads: 10
  • Posts: 905
Joined: Mar 12, 2011
October 26th, 2012 at 11:20:14 AM permalink
Not sure, but this smells like a code injection risk. If anything after the apostroph does not make into the database field, it might be confused with a legal database command.
AcesAndEights
AcesAndEights
  • Threads: 67
  • Posts: 4300
Joined: Jan 5, 2012
October 26th, 2012 at 11:39:49 AM permalink
Oh little Bobby Tables....
"So drink gamble eat f***, because one day you will be dust." -ontariodealer
MonkeyMonkey
MonkeyMonkey
  • Threads: 13
  • Posts: 770
Joined: May 1, 2012
October 26th, 2012 at 1:56:21 PM permalink
Quote: Nareed

If you use an apostrophe in a PM title, then when the recipeient replies, the title gets cut to the letter before the apostrophe. For example, if I title a PM "Here's the thing", the reply will say "RE: Here"



The others are right. It's because the PM's (like all the messages here) are stored in a database, and when inserting data in a MySQL database (as is in use here) you separate the bits you want inserted with single tick apostrophes. So, if one of those characters appears in the bit you want inserted the database thinks that's the end of that bit. There are ways around it of course, you* can "escape" the offending characters, which basically strips them of any special meaning.

On the bright side DT doesn't have that problem so if the person you want to PM is over there you can use that system and if JB did it over there I'm sure he can apply it here, so maybe it's just a matter of bring it to his attention.

*By "you" I meant the programmer, but you might even be able to do it, I'm not sure how JB is sanitizing his input. If you'd like to try, make your PM title "Here/'s the thing." and see if that works for you.
Nareed
Nareed
  • Threads: 373
  • Posts: 11413
Joined: Nov 11, 2009
October 26th, 2012 at 2:22:30 PM permalink
Quote: MonkeyMonkey

If you'd like to try, make your PM title "Here/'s the thing." and see if that works for you.



That/s 'so r:idi;icu}l[o&uÑs!
Donald Trump is a fucking criminal
JB
Administrator
JB
  • Threads: 334
  • Posts: 2089
Joined: Oct 14, 2009
October 26th, 2012 at 2:32:00 PM permalink
The system definitely sanitizes all input before inserting anything into the database, but it does seem to be related to that since it's an apostrophe. I'll look into it.
JB
Administrator
JB
  • Threads: 334
  • Posts: 2089
Joined: Oct 14, 2009
October 26th, 2012 at 2:43:03 PM permalink
Here was the problem: I was using single-quotes (i.e. apostrophes) in the HTML which defined the subject text box's starting value.

In other words, the HTML looked like this:

<input value='Here's an example'>

So the apostrophe in "Here's" terminated the string and the rest was ignored by your browser. It is fixed now, using double-quotes as it should (and double quotes are already escaped, so the same problem will not happen if there is a double-quote in the subject).

So, rest assured that no matter what you put in a text box on this site, I am the only one who will be wiping out 3 years of data in 2 seconds flat.
Nareed
Nareed
  • Threads: 373
  • Posts: 11413
Joined: Nov 11, 2009
October 26th, 2012 at 3:28:09 PM permalink
Thanks!
Donald Trump is a fucking criminal
DJTeddyBear
DJTeddyBear
  • Threads: 210
  • Posts: 11062
Joined: Nov 2, 2009
October 26th, 2012 at 3:33:58 PM permalink
Quote: JB

... I am the only one who will be wiping out 3 years of data in 2 seconds flat.

Hadn't you learned that lesson already?
I invented a few casino games. Info: http://www.DaveMillerGaming.com/ ————————————————————————————————————— Superstitions are silly, childish, irrational rituals, born out of fear of the unknown. But how much does it cost to knock on wood? 😁
MangoJ
MangoJ
  • Threads: 10
  • Posts: 905
Joined: Mar 12, 2011
October 26th, 2012 at 11:50:31 PM permalink
Quote: JB

<input value='Here's an example'>



So it was actually a crosssite scripting vulnerability. If the PM title were something like Title'><script> {evil stuff} </script><input value='Title
the script would have run in the sites browser context, and could have been used to read the password from this site (if it is in a cookie).

The exploit-proof solution of that problem is *not* changing the ' to an " delimiter in the HTML code, it is to properly escape the database plaintext fields to the HTML context when sending it to the client. This way you also get rid of any other attack of this type you didn't checked yet.
JB
Administrator
JB
  • Threads: 334
  • Posts: 2089
Joined: Oct 14, 2009
October 27th, 2012 at 12:03:35 AM permalink
Quote: MangoJ

So it was actually a crosssite scripting vulnerability. If the PM title were something like Title'><script> {evil stuff} </script><input value='Title
the script would have run in the sites browser context, and could have been used to read the password from this site (if it is in a cookie).

The exploit-proof solution of that problem is *not* changing the ' to an " delimiter in the HTML code, it is to properly escape the database plaintext fields to the HTML context when sending it to the client. This way you also get rid of any other attack of this type you didn't checked yet.


First, HTML entities are already escaped, so your example would look like this:

Title'&gt;&lt;script&gt; {evil stuff} &lt;/script&gt;&lt;input value='Title

Second, you are incorrect regarding which quote character to use. Double-quotes in content escape to &quot; whereas single-quotes do not escape at all, therefore using double-quotes to surround escaped content inside a tag is the only correct way to go about it.
  • Jump to: