
Dangerous flaw in forum software?



Well, there are two issues here. One is that 'Leica Singapore' is spamming the Leica forum with an ad. That happens from time to time, and the moderators simply delete the posts and ban the poster, depending on how much it looks like malice/abuse versus simply cluelessness/honest mistake. I'd go with the malice/abuse theory on this one.

 

A more significant issue is the continuing problem we have with the forum software, which is that since this site started we have allowed people to post HTML as well as plain text. Even though we filter the HTML to try to prevent people from posting HTML that is malevolent, such as blocking the use of <script> tags, people are always finding new ways around this. HTML browsers are complex.

 

Even when they aren't trying to insert some malevolent HTML into threads, people also just make dumb mistakes with their HTML. For example, they don't close tags, and suddenly every following post in the thread is bold, or italics. In this case, Leica Singapore didn't close an <a> tag, making everything after that in the thread, including the keyword text that is normally processed by Intellitxt, part of the last anchor in his post. I'm going to assume that this was an "innocent" mistake.

 

I have been on the verge of turning off the ability to post HTML many times -- every time something like this happens. I've always relented because most people use this feature to do perfectly reasonable things, and most of the "innocent" mistakes are quickly observed and rectified. But, once again, I am wondering whether this is the right decision.

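The two failure modes in the post above (a blocked tag such as <script> slipping through a filter, and an unclosed <a> swallowing the rest of the thread) are both addressed by the same design: an allowlist sanitizer that rebuilds the markup from a parse rather than pattern-matching the raw text, and that closes whatever the poster left open. The following is an added example written for this discussion, not the forum's own filter; the allowed tag and attribute sets and the sample posts are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for this example: the handful of tags a forum
# post might reasonably need. Anything else is dropped, text content kept.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "blockquote"}
VOID_TAGS = {"br"}                      # never pushed on the open-tag stack
ALLOWED_ATTRS = {"a": {"href"}}         # no onclick, style, target, ...
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style"}      # discard these tags and their body


class PostSanitizer(HTMLParser):
    """Allowlist sanitizer that also balances tags, so an unclosed <a> or
    <b> in one post cannot bleed into every post that follows it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []        # currently open allowed tags, innermost last
        self.dropping = None   # name of a script/style tag whose body we skip

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_CONTENT:
            self.dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return             # disallowed tag vanishes, its text stays
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue       # event handlers, style, etc. are dropped
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue       # javascript:, data:, vbscript: links dropped
            safe_attrs.append((name, value))
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in safe_attrs)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <br/> and friends

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping:
                self.dropping = None
            return
        if tag not in self.stack:
            return             # stray close or disallowed tag: ignore
        # Close everything opened after this tag, then the tag itself,
        # so <b><i>x</b> becomes <b><i>x</i></b> instead of leaking <i>.
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data))   # text is always re-escaped

    def result(self):
        self.close()
        # The "Leica Singapore" case: auto-close whatever was left open.
        while self.stack:
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_post(html_fragment: str) -> str:
    """Return a balanced, allowlisted version of one user-submitted post."""
    parser = PostSanitizer()
    parser.feed(html_fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample: an ad with an unclosed anchor, plus a script tag.
    sample = '<a href="http://example.com/ad" onclick="x()">Buy now<script>alert(1)</script>'
    print(sanitize_post(sample))
```

The key point is that the output is regenerated from the parse tree, so the only markup that can reach the page is markup the sanitizer itself emitted, and every tag it emitted is closed before the post ends.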

Brian, you could try passing each comment through HTML Tidy (you pad the fragment out with a standard page, then strip off the standard page in the result). You would probably also want to strip out CSS.

Alternatively, what about, as you suggest, canning HTML and replacing it with Markdown or Textile? Both of these have another major advantage - the plain text would be readable in emails sent from the site.


Whether the current example is 'innocent' or not, this highlights a significant vulnerability of the forums to potential misuse. Imagine if the 'contribute an answer' button was linked by this trick to a fake photo.net login phishing page, or to a malicious site containing the IE 'exploit of the month'. A suitably provocative posting (anything about the Iraq war in the Leica or Street forums, or a good old fashioned Canon vs Nikon troll!) could elicit lots of attempted replies, and there'd be no way to post a warning to that thread until it was deleted by a moderator.

The only way you can 100% safely (well, close to 100%) allow people to edit the site by posting ads like this is to disable HTML and other markup, IMO. All someone has to do is link to a dodgy site and, for one example, anyone following that link with IE6 could be immediately downloading a virus or other malware (such as the rather too commonplace remote IE exploits which require only the right server-side data to be requested to compromise the user's machine).

 

The only way to safely allow users to post to the site is to presume all such posts to be hostile, and to treat them as such. Any other policy will always be exploitable by those who know what they're doing.


Of course, you don't have to be able to write HTML in a post to link to a "dodgy site", etc. Almost all forum software is going to let you put URLs into posts and have them be made into hot links. Even in our plain text posts, anything that looks like a URL (i.e. http://something) is going to be made hot. This is a feature which people demanded because it is provided, supposedly, by more "modern" forum software.
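For the plain-text mode described above, the order of operations is what makes the autolinking safe: the whole post is HTML-escaped first, and only then are URL-looking runs wrapped in an anchor the site generates itself. Nothing the poster typed survives as markup, so a link can still point somewhere unpleasant, but it cannot wrap the site's own buttons or run script. This is an added example written for this thread, not the forum's autolinker; the URL pattern and the rel="nofollow" choice are assumptions.

```python
import re
from html import escape

# Constructed, deliberately simple "looks like a URL" pattern in the
# spirit of the post's "http://something". Quotes and angle brackets are
# excluded so a URL can never break out of the attribute we put it in.
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+")


def render_plain_text(post: str) -> str:
    """Escape a plain-text post, then make URL-like runs clickable.

    Escaping runs before linking, so the only markup in the output is the
    <a> element this function emits; user-typed tags become literal text.
    """
    out = []
    pos = 0
    for match in URL_RE.finditer(post):
        out.append(escape(post[pos:match.start()]))
        raw = match.group(0)
        url = raw.rstrip(".,;:)")            # trailing punctuation is prose
        trailing = raw[len(url):]
        safe_url = escape(url, quote=True)   # & " ' < > all neutralised
        out.append(f'<a href="{safe_url}" rel="nofollow">{safe_url}</a>')
        out.append(escape(trailing))
        pos = match.end()
    out.append(escape(post[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample posts.
    print(render_plain_text("see http://example.com/x."))
    print(render_plain_text('<a href="http://example.com/">submit</a>'))
```

The second sample shows the difference the later reply draws: with plain text the poster's own <a> is rendered as visible text, not as a link, while the bare http:// inside it still becomes a hot link the reader can see for what it is.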

But a link to a dodgy site that is blue and clickable and looks (at least vaguely) like a link inside a user's post is a lot less 'dangerous' than a link that takes over the function of the 'submit' (or any other genuine photo.net) button; someone clicking a link that says "click here" and then being sent to a dodgy site is quite different - as mentioned above - to clicking 'submit' and being sent to either a spoofed 'your p.net account timed out, please enter your id and password to continue' or an IE-exploit site.

My point is that allowing users to post mark-up is inherently dangerous. It doesn't even have to be a link - one line of javascript inside a <script> tag can redirect 95% of users' browsers to anywhere on the internet. The point is that if you want to protect against malicious postings, the only foolproof way is to disable posting of mark-up. And that's not likely to be 100% foolproof either (but it's a good start).

 

If you allow mark-up to be posted, you have to accept that you cannot control what people do with that mark-up.


I know all this. I realize that HTML posts are a vulnerability, as I said. We don't allow many tags in HTML, including <script>, and we close other vulnerabilities as we find them, but it remains true that people can use the HTML in their posts to deface the site or deceive people until they are caught or banned. We have a few incidents per year of people abusing this feature, but most people use the capability responsibly to do things that would otherwise be difficult to do.

 

Fortunately, this is a photography web site, not a bank.
