Security Issues From Thread Title Punctuation? #252879
06/04/13 10:19 PM
Joined: Oct 2008
Posts: 78
Parsonsfield, Maine (U.S.)
PianoWorld Offline OP
journeyman
One of our members who is an experienced coder brought up this issue, caused by improper encoding. Is this a known issue? Fix?

===========================================================
It's a bug in the forum software. For search engine optimization, it puts the thread title in the URL, but... it's not encoding the special characters properly like it should.

It's a common mistake in web applications, and the consequences range from minor inconvenience (things don't work quite right) to major security vulnerabilities such as cross-site scripting. The latter can allow an attacker to hijack the login sessions of other users - or administrators.



There is a bug in the forum software which causes problems with topics whose subject lines contain certain types of punctuation (quotes, ampersands, percent signs, etc). Usually the effect is to prevent it from jumping to the latest unread message after clicking on a topic. Sometimes it prevents accessing the topic altogether (Rickster reports that percent signs tend to do this.)

The problem is the software is not properly encoding/removing special characters from the subject when constructing SEO-friendly URLs on the topic list page. This type of bug is also the cause of a common and serious security vulnerability (cross site scripting, also known as "XSS") which can result in unauthorized access to other users' and administrators' accounts.

To see an example thread with this problem, look at the Piano Forum for the topic titled 'My impressions of "Piano Row" in NYC (Faust, Allegro, Klav)' which has quotation marks in the subject line.

If you view the HTML of the topic list on the Piano Forum, you will see this:

Code:
<a href="/forum/ubbthreads.php/topics/2091873/My impressions of "Piano Row" .html#Post2091873">

Notice there are several problems with the URL. The quotation marks are not encoded, and the URL includes spaces. I looked around at a few other UBB.threads forums on the web, and those which have SEO-friendly URLs enabled typically would encode the URL like this:

Code:
<a href="/forum/ubbthreads.php/topics/2091873/My_impressions_of_Piano_Row_in.html#Post2091873">

Two example UBB.threads forums which encode correctly:

http://www.guitars.co.uk/forum/ubbthreads.php/forums/1/1/Electric_Guitar_Forum (version 7.5.7)
http://www.24hourcampfire.com/ubbthreads/ubbthreads.php/forums/21/1/Hunter_s_Campfire (version 7.5.3p2)


What puzzles me is one of the above forums is on an older version, and the other is newer. That leads me to suspect that the PianoWorld SEO was added by installing 3rd-party code, whereas these other forums use the built-in UBB.threads feature?

Anyway, I thought I'd report the bug because of the possible security implications. The above should be enough information to file a bug report or support request with whomever handles systems administration.

If there's any way I can help further, just send me a message.

Andy Skalski
=================================================
Thanks for any help,

Frank Baxter
Piano World
www.pianoworld.com/forum


Founder/Host
Piano World
https://PianoWorld.com
Home of the world famous Piano Forums.
http://forum.pianoworld.com
88,000+ registered members
Over 2.5 million posts, and growing...
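
Added example, not part of the thread and not UBB.threads code: one way to build the topic link described in the report above, reducing the title to a safe slug and escaping the result for the HTML attribute. The function names and the 30-character slug limit are assumptions made for this illustration.

```php
<?php
// Added illustration; function names are hypothetical, not UBB.threads code.

// Reduce a thread title to a URL-safe slug: keep ASCII letters and digits,
// collapse every other run of characters (spaces, quotes, &, %, <, >) into
// a single underscore. The 30-character limit is an assumed value.
function seo_slug(string $title, int $maxLen = 30): string
{
    $slug = preg_replace('/[^A-Za-z0-9]+/', '_', $title);
    $slug = trim(substr($slug, 0, $maxLen), '_');
    return $slug === '' ? 'topic' : $slug;   // fallback for all-punctuation titles
}

// Build the topic link. The slug is already limited to [A-Za-z0-9_], but the
// path is still URL-encoded and the href HTML-escaped, so the link stays
// well-formed even if the slug rules are loosened later.
function topic_link(int $topicId, string $title): string
{
    $path = sprintf(
        '/forum/ubbthreads.php/topics/%d/%s.html#Post%d',
        $topicId,
        rawurlencode(seo_slug($title)),
        $topicId
    );
    return sprintf(
        '<a href="%s">%s</a>',
        htmlspecialchars($path, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($title, ENT_QUOTES, 'UTF-8')   // link text is escaped too
    );
}

// Sample titles: the first is the one quoted in the report, the others are
// constructed to cover the punctuation it names (quotes, ampersands, percent).
$titles = [
    'My impressions of "Piano Row" in NYC (Faust, Allegro, Klav)',
    '100% off & "free" pianos',
    '"%"',
];
foreach ($titles as $t) {
    echo topic_link(2091873, $t), PHP_EOL;
}
```

For the first title this yields the slug `My_impressions_of_Piano_Row_in`, the same form as the correctly encoded link quoted in the report.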
Re: Security Issues From Thread Title Punctuation? [Re: PianoWorld] #252883
06/05/13 03:41 PM
Joined: Dec 2003
Posts: 5,842
Lutz,FL
Ruben Offline

Quote:
What puzzles me is one of the above forums is on an older version, and the other is newer. That leads me to suspect that the PianoWorld SEO was added by installing 3rd-party code, whereas these other forums use the built-in UBB.threads feature?

I understand that this is an issue but...
You state that:
Quote:
That leads me to suspect that the PianoWorld SEO was added by installing 3rd-party code

So what do you suggest, disable any modifications?

BTW,
When I visit your site I do see the URL in question but on normal navigation I do not. That leads me to believe that the html/seo settings have changed back and forth.


Blue Man Group


There is no such thing as stupid questions. Just stupid answers

Powered by UBB.threads™ PHP Forum Software 7.6.1.1