Security Issues From Thread Title Punctuation? #252879
06/04/13 11:19 PM
PianoWorld  Offline OP
journeyman
Joined: Oct 2008
Posts: 80
Parsonsfield, Maine (U.S.)
One of our members who is an experienced coder brought up this issue, caused by improper encoding. Is this a known issue? Fix?

===========================================================
It's a bug in the forum software. For search engine optimization, it puts the thread title in the URL, but... it's not encoding the special characters properly like it should.

It's a common mistake in web applications, and the consequences range from minor inconvenience (things don't work quite right) to major security vulnerabilities such as cross-site scripting. The latter can allow an attacker to hijack the login sessions of other users - or administrators.



There is a bug in the forum software which causes problems with topics whose subject lines contain certain types of punctuation (quotes, ampersands, percent signs, etc). Usually the effect is to prevent it from jumping to the latest unread message after clicking on a topic. Sometimes it prevents accessing the topic altogether (Rickster reports that percent signs tend to do this.)

The problem is the software is not properly encoding/removing special characters from the subject when constructing SEO-friendly URLs on the topic list page. This type of bug is also the cause of a common and serious security vulnerability (cross site scripting, also known as "XSS") which can result in unauthorized access to other users' and administrators' accounts.

To see an example thread with this problem, look at the Piano Forum for the topic titled 'My impressions of "Piano Row" in NYC (Faust, Allegro, Klav)' which has quotation marks in the subject line.

If you view the HTML of the topic list on the Piano Forum, you will see this:

Code:
<a href="/forum/ubbthreads.php/topics/2091873/My impressions of "Piano Row" .html#Post2091873">

Notice there are several problems with the URL. The quotation marks are not encoded, and the URL includes spaces. I looked around at a few other UBB.threads forums on the web, and those which have SEO-friendly URLs enabled typically would encode the URL like this:

Code:
<a href="/forum/ubbthreads.php/topics/2091873/My_impressions_of_Piano_Row_in.html#Post2091873">

Two example UBB.threads forums which encode correctly:

http://www.guitars.co.uk/forum/ubbthreads.php/forums/1/1/Electric_Guitar_Forum (version 7.5.7)
http://www.24hourcampfire.com/ubbthreads/ubbthreads.php/forums/21/1/Hunter_s_Campfire (version 7.5.3p2)


What puzzles me is one of the above forums is on an older version, and the other is newer. That leads me to suspect that the PianoWorld SEO was added by installing 3rd-party code, whereas these other forums use the built-in UBB.threads feature?

Anyway, I thought I'd report the bug because of the possible security implications. The above should be enough information to file a bug report or support request with whomever handles systems administration.

If there's any way I can help further, just send me a message.

Andy Skalski
=================================================
Thanks for any help,

Frank Baxter
Piano World
www.pianoworld.com/forum


Founder/Host
Piano World
https://PianoWorld.com
Home of the world famous Piano Forums.
http://forum.pianoworld.com
88,000+ registered members
Over 2.5 million posts, and growing...
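
To illustrate the report above, here is an added example (not part of the original posts and not UBB.threads code) that builds the topic link once by pasting the raw title into the `href` and once from an allowlisted slug with output encoding. The function names and the 30-character slug limit are assumptions; the title and post id are the ones quoted in the report.

```php
<?php
// Added example, not UBB.threads code. Function names and the 30-character
// slug limit are assumptions made for illustration.

// Sample input taken from the report: the thread title and post id it quotes.
$title  = 'My impressions of "Piano Row" in NYC (Faust, Allegro, Klav)';
$postId = 2091873;

// Behaviour described in the report: the raw title is pasted into the href,
// so the first " in the title ends the attribute early and spaces stay in the URL.
function unsafe_topic_link(int $id, string $title): string
{
    return '<a href="/forum/ubbthreads.php/topics/' . $id . '/' . $title
         . '.html#Post' . $id . '">';
}

// Reduce the title to an allowlist of URL-safe characters.
function slugify(string $title, int $maxLen = 30): string
{
    // Any run of characters outside [A-Za-z0-9] becomes one underscore.
    $slug = preg_replace('/[^A-Za-z0-9]+/', '_', $title);
    $slug = trim(substr($slug, 0, $maxLen), '_');
    // Titles made only of punctuation still need a non-empty path segment.
    return $slug === '' ? 'topic' : $slug;
}

function safe_topic_link(int $id, string $title): string
{
    // rawurlencode() guards the path segment; htmlspecialchars() guards the
    // attribute context. Both leave a clean slug unchanged but keep the link
    // safe if slugify() is ever relaxed to allow more characters.
    $path = '/forum/ubbthreads.php/topics/' . $id . '/'
          . rawurlencode(slugify($title)) . '.html#Post' . $id;
    return '<a href="' . htmlspecialchars($path, ENT_QUOTES, 'UTF-8') . '">';
}

echo unsafe_topic_link($postId, $title), "\n";
echo safe_topic_link($postId, $title), "\n";
```

The allowlist handles quotes, ampersands and percent signs the same way, since none of them survive into the path segment.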
Re: Security Issues From Thread Title Punctuation? [Re: PianoWorld] #252883
06/05/13 04:41 PM
Ruben  Online Yawn

Joined: Dec 2003
Posts: 5,937
Lutz,FL
Quote:
What puzzles me is one of the above forums is on an older version, and the other is newer. That leads me to suspect that the PianoWorld SEO was added by installing 3rd-party code, whereas these other forums use the built-in UBB.threads feature?

I understand that this is an issue but...
You state that:
Quote:
That leads me to suspect that the PianoWorld SEO was added by installing 3rd-party code

So what do you suggest, disable any modifications?

BTW,
When I visit your site I do see the URL in question but on normal navigation I do not. That leads me to believe that the html/seo settings have changed back and forth.


Blue Man Group


There is no such thing as stupid questions. Just stupid answers

Powered by UBB.threads™ PHP Forum Software 7.6.2