| |||
Views: 88,494,774 |
Main | FAQ | Uploader | IRC chat | Radio | Memberlist | Active users | Latest posts | Calendar | Stats | Online users | Search | 04-28-24 02:04 AM |
|
Guest: Register | Login |
0 users currently in Help/Suggestions/Bug Reports | 1 guest |
Main - Help/Suggestions/Bug Reports - Post Layouts, Javascript, CSS and IE <7 | New thread | New reply |
lukegb |
| ||
Newcomer Level: 5 Posts: 1/3 EXP: 373 Next: 156 Since: 02-22-10 Last post: 5178 days Last view: 5178 days |
View this post in a version of IE previous to or including 7 (or 8, in compatibility mode) and you'll see what I mean.
Danke. |
blackhole89 |
| ||
The Guardian Moloch whose eyes are a thousand blind windows! Level: 124 Posts: 2907/4196 EXP: 21535740 Next: 300861 Since: 02-19-07 From: Ithaca, NY, US Last post: 473 days Last view: 85 days |
|
lukegb |
| ||
Newcomer Level: 5 Posts: 2/3 EXP: 373 Next: 156 Since: 02-22-10 Last post: 5178 days Last view: 5178 days |
No, that wasn't me. I'll change it to do something better then. |
blackhole89 |
| ||
The Guardian Moloch whose eyes are a thousand blind windows! Level: 124 Posts: 2908/4196 EXP: 21535740 Next: 300861 Since: 02-19-07 From: Ithaca, NY, US Last post: 473 days Last view: 85 days |
|
lukegb |
| ||
Newcomer Level: 5 Posts: 3/3 EXP: 373 Next: 156 Since: 02-22-10 Last post: 5178 days Last view: 5178 days |
Posted by blackhole89 Yeah, you should |
Mega-Mario |
| ||
Spamming from alt accounts. Level: 81 Posts: 666/1610 EXP: 4880819 Next: 112030 Since: 09-10-08 Last post: 3591 days Last view: 3011 days |
Or can't we just go and make the board unusable under IE<7?
Because IE6 is the vulnerability. Seriously why does it let you do things like < ____________________ Kafuka -- ROM hacking Kuribo64 -- we hack shit |
GreyMaria |
| ||
>implying even the Japanese understand the Japanese Level: 105 Posts: 1876/2851 EXP: 11922395 Next: 339865 Since: 07-13-07 Last post: 4499 days Last view: 4468 days |
Bad practice, and Microsoft, respectively. ____________________ we're currently experiencing some technical difficulties |
Mega-Mario |
| ||
Spamming from alt accounts. Level: 81 Posts: 670/1610 EXP: 4880819 Next: 112030 Since: 09-10-08 Last post: 3591 days Last view: 3011 days |
But wait, that's even worse than the < The W3Schools website says that the width property can be either inherited, auto, a percentage or a length in px/cm/etc... That seems like yet another IE-specific crap... serisouly... why does Micro$oft always bother adding nonstandard crap in their browser rather than making it respect CSS standards? It's just a waste of time, because noone is ever going to use that crap because they know it will only work under IE! And I wasted my 666th post... Edit- there's another problem. This one issue might be hard to filter because it can be in an external stylesheet (like it's the case here). It'd require opening the stylesheet in question and removing its inclusion if it contains JS. ____________________ Kafuka -- ROM hacking Kuribo64 -- we hack shit |
Cellar Dweller |
| ||
Snifit Level: 39 Posts: 196/287 EXP: 385237 Next: 19534 Since: 02-19-07 From: Arkansas Last post: 4053 days Last view: 3221 days |
Posted by lukegbPosted by blackhole89 I suggested using a validating parser way back during I2. Speaking of the filtering code, an updated version of PHP is in the Debian security archive that fixes a recently disclosed bug in htmlspecialchars() that can be used to dodge some of the filtering by using overlong forms of multibyte characters. This got me thinking that all of the regex based filtering used by all versions of AcmlmBoard are vulnerable to the same kind of attack. Posted by Mega-Mario That won't work, as a clean stylesheet could be used until it has been checked. After that, the stylesheet could be replaced with a dirty one. Also, the server hosting it could be configured to serve different versions depending on where the request is coming from. |
blackhole89 |
| ||
The Guardian Moloch whose eyes are a thousand blind windows! Level: 124 Posts: 2910/4196 EXP: 21535740 Next: 300861 Since: 02-19-07 From: Ithaca, NY, US Last post: 473 days Last view: 85 days |
|
Mega-Mario |
| ||
Spamming from alt accounts. Level: 81 Posts: 671/1610 EXP: 4880819 Next: 112030 Since: 09-10-08 Last post: 3591 days Last view: 3011 days |
Posted by blackhole89 NO! Another alternative would require the board to download the stylesheet, look for JS in it and remove its inclusion if there's any. But that'd be tricky. Posted by blackhole89 No, it doesn't affect decent CSS-compliant browsers, of course. It only affects IE because Micro$oft always comes up with nonstandard crap that makes their browser and everything vulnerable ____________________ Kafuka -- ROM hacking Kuribo64 -- we hack shit |
MapleMario |
| ||
Red Koopa Level: 27 Posts: 45/126 EXP: 111449 Next: 4710 Since: 04-28-07 From: USA Last post: 5071 days Last view: 3890 days |
Can you take a look at the usage stats of board2? If IE6 is sufficiently low (which I assume it is, since this is largely a community of smart people), you could probably just put a huge warning at the top using a conditional comment for IE6 that warns users about possible security holes when using IE6. ____________________ SGMB3 is now being developed with Reuben. Hopefully v1.0 will be released by the time I get world 1 done... - Layout: MM v0.31 |
Kawa |
| ||
CHIKKN NI A BAAZZKIT!!! 80's Cheerilee is best pony Level: 138 Posts: 3288/5344 EXP: 30948892 Next: 714089 Since: 02-20-07 From: The Netherlands Last post: 4500 days Last view: 2635 days |
Posted by MapleMarioAn excellent idea, MapleMario. However, I would suggest the following changes: 1) Conditional comments are not required -- this is a PHP site and PHP can sniff out specific browsers just fine. 2) Don't make the warning obnoxiously large, cos that will only make you look like a total dick. 3) Disable postlayouts altogether if you detect IE6 or lower to actually prevent bullshit instead of merely warning about it. ____________________ Wife make lunch - Shampoo Opera - give it a spin Spare some of your free time? <GreyMaria> I walked around the Lake so many goddamn times that my sex drive was brutally murdered Kawa rocks — byuu |
Mega-Mario |
| ||
Spamming from alt accounts. Level: 81 Posts: 673/1610 EXP: 4880819 Next: 112030 Since: 09-10-08 Last post: 3591 days Last view: 3011 days |
Those are all good ideas, Kawa.
Except for the first point, what if the browser is disguising as another browser by a changed user agent? though, I don't think IE can do that... ____________________ Kafuka -- ROM hacking Kuribo64 -- we hack shit |
GreyMaria |
| ||
>implying even the Japanese understand the Japanese Level: 105 Posts: 1878/2851 EXP: 11922395 Next: 339865 Since: 07-13-07 Last post: 4499 days Last view: 4468 days |
Why the hell would you need to disguise as IE6 on a site that works just fine in any reputable browser ever? ____________________ we're currently experiencing some technical difficulties |
Kawa |
| ||
CHIKKN NI A BAAZZKIT!!! 80's Cheerilee is best pony Level: 138 Posts: 3289/5344 EXP: 30948892 Next: 714089 Since: 02-20-07 From: The Netherlands Last post: 4500 days Last view: 2635 days |
Posted by Mega-MarioNot to my knowledge, it can't. ____________________ Wife make lunch - Shampoo Opera - give it a spin Spare some of your free time? <GreyMaria> I walked around the Lake so many goddamn times that my sex drive was brutally murdered Kawa rocks — byuu |
Arbe |
| ||
go away Level: 86 Posts: 1766/1788 EXP: 5988119 Next: 153988 Since: 02-23-07 Last post: 4971 days Last view: 1540 days |
this board was written by people with no idea about real security, then maintained by someone who, looking back on the board's history, learned design security from XSS cheat sheets. it'll never be vulnerability free. |
blackhole89 |
| ||
The Guardian Moloch whose eyes are a thousand blind windows! Level: 124 Posts: 2913/4196 EXP: 21535740 Next: 300861 Since: 02-19-07 From: Ithaca, NY, US Last post: 473 days Last view: 85 days |
|
Mega-Mario |
| ||
Spamming from alt accounts. Level: 81 Posts: 677/1610 EXP: 4880819 Next: 112030 Since: 09-10-08 Last post: 3591 days Last view: 3011 days |
Posted by GreyMario Allright, it'd be a rather bad idea. Posted by Arbe Allright. Look at the Acmlmboard source code of 1.x versions. Look at how user input is sanitized before being passed to SQL queries. Strings are addslashes()'d and integers aren't even sanitized! omg. According to what I can read from the archives, they also didn't know what database backups were for. And when they were getting hacked, they always went "oh, due to an unfortunate event the board has been restored from a 3 year old backup... if some things are missing feel free to ask us " ____________________ Kafuka -- ROM hacking Kuribo64 -- we hack shit |
MapleMario |
| ||
Red Koopa Level: 27 Posts: 51/126 EXP: 111449 Next: 4710 Since: 04-28-07 From: USA Last post: 5071 days Last view: 3890 days |
Could also use this same hack to make a jQuery call to a PHP page that adds the user's browser to a blacklist of hackable browsers, in case IE6 isn't the only one that does it. Then, like someone suggested, just disable custom stylesheets from those browsers. ____________________ SGMB3 is now being developed with Reuben. Hopefully v1.0 will be released by the time I get world 1 done... - Layout: MM v0.31 |
Main - Help/Suggestions/Bug Reports - Post Layouts, Javascript, CSS and IE <7 | New thread | New reply |
© 2005-2023 Acmlm, blackhole89, Xkeeper et al. |
MySQL - queries: 62, rows: 90/91, time: 0.016 seconds. |