[NOTABUG] Got past the untaint check!

You are not logged in. [Log In] UBB.threads Community » Forums » UBB.classic Discussion » [Archived] UBB.classic Bugs » [NOTABUG] Got past the untaint check!

Site Links

Top Posters (30 Days)

Latest Photos

Topic Options

Rate This Topic

#113891 - 01/30/05 07:38 PM [NOTABUG] Got past the untaint check!
oracleweb member Registered: 04/07/04 Posts: 141	w00t! http://www.ubbcentral.com/cgi-bin/ultimatebb.cgi?ubb=recent_user_posts I was viewing a member's recent posts on my forum ( http://www.ianspence.com/cgi-bin/ultimatebb.cgi?ubb=recent_user_posts;u=00000071 ) I then went to check mine. Knowing I'm #1 , I deleted the 7 and forgot it had to be 8 numbers long. Anyhoo, I got past the check. I then checked here to make sure it wasn't one of my modifications.
Top

#113892 - 01/30/05 07:40 PM Re: [NOTABUG] Got past the untaint check!
Ron M Registered: 06/04/06 Posts: 358 Loc: Des Moines, IA	How did you get past the untaint check? at CGIPath/ubb_profile.cgi line 1142. This can be confirmed on an unmodified 6.7.2 board (mine) _________________________ Threads Alpha Tester My Homepage
Top

#113893 - 01/30/05 09:50 PM Re: [NOTABUG] Got past the untaint check!
Gizmo Registered: 06/04/06 Posts: 11967 Loc: Portland, OR; USA	Confirmed on my 6.7.2 modified forum; it's kinda fun to add more/less "0's" to the address bar for the user number; it gets past in either direction. _________________________ UGN Security, Elite Web Gamers & VNC Web Design Owner Longtime UBB Supporter, UBB7 Beta Tester & Resident Post-A-Holic
Top

#113894 - 01/31/05 10:32 AM Re: [NOTABUG] Got past the untaint check!
David Dreezer Pooh-Bah Registered: 07/21/06 Posts: 1781	This is the designed behavior - you didn't actually pass in a valid eight digit user number. The code intentionally does not forcefully mangle the number. _________________________ What do you mean "You're the bomb, run away?"
Top

#113895 - 01/31/05 08:15 PM Re: [NOTABUG] Got past the untaint check!
Gizmo Registered: 06/04/06 Posts: 11967 Loc: Portland, OR; USA	Wouldn't it instead make more sense to state "you have not entered a valid 8 digit member id" vs "you have bypassed the taint check"? _________________________ UGN Security, Elite Web Gamers & VNC Web Design Owner Longtime UBB Supporter, UBB7 Beta Tester & Resident Post-A-Holic
Top

#113896 - 02/01/05 07:13 AM Re: [NOTABUG] Got past the untaint check!
David Dreezer Pooh-Bah Registered: 07/21/06 Posts: 1781	There are no conditions in which an invalid link can be generated to that page. The error isn't meant to be user-friendly, as it's one of those "this can't happen" errors. _________________________ What do you mean "You're the bomb, run away?"
Top

#113897 - 02/01/05 09:08 AM Re: [NOTABUG] Got past the untaint check!
Gizmo Registered: 06/04/06 Posts: 11967 Loc: Portland, OR; USA	Yeh, but there are many ways that a user can mess a direct link to that page up in a sig/post then whine that the board has a bug lol _________________________ UGN Security, Elite Web Gamers & VNC Web Design Owner Longtime UBB Supporter, UBB7 Beta Tester & Resident Post-A-Holic
Top

Hop to:

Shout Box

Today's Birthdays