[NOTABUG] Got past the untaint check! #113891 01/30/2005 11:38 PM
oracleweb (OP), member, Joined: Apr 2004, Posts: 141
w00t!

http://www.ubbcentral.com/cgi-bin/ultimatebb.cgi?ubb=recent_user_posts

I was viewing a member's recent posts on my forum

( http://www.ianspence.com/cgi-bin/ultimatebb.cgi?ubb=recent_user_posts;u=00000071 )

I then went to check mine. Knowing I'm #1 :p , I deleted the 7 and forgot it had to be 8 numbers long. Anyhoo, I got past the check. I then checked here to make sure it wasn't one of my modifications.

Re: [NOTABUG] Got past the untaint check! #113892 01/30/2005 11:40 PM
Ron M, enthusiast, Joined: Jun 2006, Posts: 346
"How did you get past the untaint check? at CGIPath/ubb_profile.cgi line 1142."

This can be confirmed on an unmodified 6.7.2 board (mine)

Re: [NOTABUG] Got past the untaint check! #113893 01/31/2005 1:50 AM
Gizmo, UBB.threads Developer, Joined: Jun 2006, Posts: 15,851
Confirmed on my 6.7.2 modified forum; it's kinda fun to add more/less "0's" to the address bar for the user number; it gets past in either direction.


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Need to Upgrade?
Forums: A Gardeners Forum Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
Re: [NOTABUG] Got past the untaint check! #113894 01/31/2005 2:32 PM
David Dreezer, Pooh-Bah, Joined: Jul 2006, Posts: 2,144
This is the designed behavior - you didn't actually pass in a valid eight digit user number. The code intentionally does not forcefully mangle the number.


This thread for sale. Click here!
Re: [NOTABUG] Got past the untaint check! #113895 02/01/2005 12:15 AM
Gizmo, UBB.threads Developer, Joined: Jun 2006, Posts: 15,851
Wouldn't it instead make more sense to state "you have not entered a valid 8 digit member id" vs "you have bypassed the taint check"?

Re: [NOTABUG] Got past the untaint check! #113896 02/01/2005 11:13 AM
David Dreezer, Pooh-Bah, Joined: Jul 2006, Posts: 2,144
There are no conditions in which an invalid link can be generated to that page. The error isn't meant to be user-friendly, as it's one of those "this can't happen" errors.

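To make the two views above concrete (a strict 8-digit untaint that rejects rather than mangles, versus a readable "not a valid 8 digit member id" message), here is an added Perl example. It is not UBB.classic's own code; the function names, the sample inputs and the wording of the messages are assumptions, and it is meant to be run as `perl -T example.pl 0000001` so the input is actually tainted.

```perl
#!/usr/bin/perl
# Added example, not code from ultimatebb.cgi or ubb_profile.cgi.
# Run under taint mode (perl -T) so @ARGV values carry the taint flag.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Strict untaint: only an exact 8-digit member number passes.
# Returns the clean number, or undef if the input does not match.
sub untaint_user_number {
    my ($raw) = @_;
    return undef unless defined $raw;
    # Capturing from an anchored regex match is what clears Perl's
    # taint flag. "0000001" (7 digits) and "000000071" (9 digits) are
    # both rejected here; nothing is padded, trimmed or coerced.
    my ($clean) = $raw =~ /^(\d{8})\z/;
    return $clean;
}

# Two-step check so a hand-edited link gets a readable message
# instead of the internal "how did you get past the untaint check"
# error, which the thread treats as a "this can't happen" case.
sub check_user_param {
    my ($raw) = @_;
    my $u = untaint_user_number($raw);
    return (0, "You have not entered a valid 8 digit member id.")
        unless defined $u;
    return (1, $u);
}

# Constructed sample inputs (assumed); real ones would come from the
# "u" CGI parameter. Command-line arguments are used when given.
my @samples = @ARGV ? @ARGV
            : ('00000071', '0000001', '000000071', '71; ls');

for my $raw (@samples) {
    my ($ok, $msg) = check_user_param($raw);
    printf "%-12s -> %s (input tainted: %s)\n",
        $raw,
        ($ok ? "ok, member $msg" : "rejected: $msg"),
        (tainted($raw) ? "yes" : "no");
}
```

Without `-T` the script still runs and rejects the same inputs; the "input tainted" column just reports "no".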
Re: [NOTABUG] Got past the untaint check! #113897 02/01/2005 1:08 PM
Gizmo, UBB.threads Developer, Joined: Jun 2006, Posts: 15,851
Yeah, but there are many ways that a user can mess up a direct link to that page in a sig/post, then whine that the board has a bug, lol.
Powered by UBB.threads™ PHP Forum Software 7.7.3