Richard Williams Posted August 28, 2005
Check out the 'Classical Leica Camera' adverts currently on the Leica forum. Both the 'intellitext' box and the submit button have been hijacked/replaced so that they link to a 3rd party site selected by the scam poster (the adverts are for fake Leicas). It's a bit worrying that this is so easy to do!
mottershead Posted August 28, 2005
Well, there are two issues here. One is that 'Leica Singapore' is spamming the Leica forum with an ad. That happens from time to time, and the moderators simply delete the posts and ban the poster, depending on how much it looks like malice/abuse versus simply cluelessness/honest mistake. I'd go with the malice/abuse theory on this one.

A more significant issue is the continuing problem we have with the forum software, which is that since this site started we have allowed people to post HTML as well as plain text. Even though we filter the HTML to try to prevent people from posting HTML that is malevolent, such as blocking the use of <script> tags, people are always finding new ways around this. HTML browsers are complex. Even when they aren't trying to insert some malevolent HTML into threads, people also just make dumb mistakes with their HTML. For example, they don't close tags, and suddenly every following post in the thread is bold, or italics. In this case, Leica Singapore didn't close an <a> tag, making everything after that in the thread including the keyword text that is normally processed by Intellitxt part of the last anchor in his post. I'm going to assume that this was an "innocent" mistake.

I have been on the verge of turning off the ability to post HTML many times -- every time something like this happens. I've always relented because most people use this feature to do perfectly reasonable things, and most of the "innocent" mistakes are quickly observed and rectified. But, once again, I am wondering whether this is the right decision.
mattalofs Posted August 28, 2005
Having forgotten to close a few tags myself, it might be useful to check for closing tags, particularly </a>. Shouldn't be that hard, should it? I'd hate to see html postings blocked entirely.
michaelkh Posted August 28, 2005
Brian, you could try passing each comment through HTML Tidy (you pad the fragment out with a standard page, then strip off the standard page in the result). You would probably also want to strip out CSS. Alternatively, what about, as you suggest, canning HTML and replacing it with Markdown or Textile? Both of these have another major advantage - the plain text would be readable in emails sent from the site.
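Added example (not part of the thread, and not photo.net's code): a minimal Python sketch of the per-post tag balancing suggested in the two posts above, so that an unclosed <a> cannot extend over later posts or the page's own buttons. The allowlist, the sample post and the names PostSanitizer and sanitize_post are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
# Constructed allowlist for this example; not photo.net's actual filter rules.
ALLOWED = {"a", "b", "i", "em", "strong", "p", "br", "blockquote", "ul", "ol", "li"}
VOID = {"br"}                       # never takes a closing tag
DROP_CONTENT = {"script", "style"}  # discard the tag and everything inside it
# Constructed sample post: the anchor is never closed.
SAMPLE_POST = 'Classic cameras <a href="http://shop.example.invalid/">buy here'

class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif self.skip == 0 and tag in ALLOWED:
            attr = ""
            if tag == "a":  # keep only an http(s) href; drop all other attributes
                href = (dict(attrs).get("href") or "").strip()
                if href.lower().startswith(("http://", "https://")):
                    attr = f' href="{escape(href, quote=True)}" rel="nofollow"'
            self.out.append(f"<{tag}{attr}>")
            if tag not in VOID:
                self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif self.skip == 0 and tag in self.stack:
            while True:  # close inner elements first to keep nesting valid
                top = self.stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break
        # A stray closing tag (nothing open in this post) is dropped, so a
        # post cannot close elements that belong to the surrounding page.

    def handle_data(self, data):
        if self.skip == 0:
            self.out.append(escape(data, quote=False))

def sanitize_post(fragment):
    parser = PostSanitizer()
    parser.feed(fragment)
    parser.close()
    # Close whatever the poster left open so it cannot swallow later content.
    return "".join(parser.out) + "".join(f"</{t}>" for t in reversed(parser.stack))
```

Running sanitize_post(SAMPLE_POST) returns the post with the anchor closed at the end of the poster's own text, which is the property that keeps each post's markup contained.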
Richard Williams (Author) Posted August 28, 2005
Whether the current example is 'innocent' or not, this highlights a significant vulnerability of the forums to potential misuse. Imagine if the 'contribute an answer' button was linked by this trick to a fake photo.net login phishing page, or to a malicious site containing the IE 'exploit of the month'. A suitably provocative posting (anything about the Iraq war in the Leica or Street forums, or a good old fashioned Canon vs Nikon troll!) could elicit lots of attempted replies, and there'd be no way to post a warning to that thread until it was deleted by a moderator.
mark_houlder2 Posted August 28, 2005
The only way you can 100% safely (well, close to 100%) allow people to edit the site by posting ads like this is to disable HTML and other markup, IMO. All someone has to do is link to a dodgy site and, for one example, anyone following that link with IE6 could be immediately downloading a virus or other malware (such as the rather too commonplace remote IE exploits which require only the right server-side data to be requested to compromise the user's machine). The only way to safely allow users posting to the site is to presume all such posts to be hostile, and to treat them as such. Any other policy will always be exploitable to those who know what they're doing.
mottershead Posted August 28, 2005
Of course, you don't have to be able to write HTML in a post to link to a "dodgy site", etc. Almost all forum software is going to let you put URLs into posts and have them be made into hot links. Even in our plain text posts, anything that looks like a URL (i.e. http://something) is going to be made hot. This is a feature which people demanded because it is provided, supposedly, by more "modern" forum software.
jt Posted August 29, 2005
But a link to a dodgy site that is blue and clickable and looks (at least vaguely) like a link inside a user's post is a lot less 'dangerous' than a link that takes over the function of the 'submit' (or any other genuine photo.net) button; someone clicking a link that says "click here" and then being sent to a dodgy site is quite different - as mentioned above - to clicking 'submit' and being sent to either a spoofed 'your p.net account timed out, please enter your id and password to continue' or an IE-exploit site.
mark_houlder2 Posted August 29, 2005
My point is that allowing users to post mark-up is inherently dangerous. It doesn't even have to be a link - one line of JavaScript inside a <script> tag can redirect 95% of users' browsers to anywhere on the internet. The point is that if you want to protect against malicious postings, the only foolproof way is to disable posting of mark-up. And that's not likely to be 100% foolproof either (but it's a good start). If you allow mark-up to be posted, you have to accept that you cannot control what people do with that mark-up.
mottershead Posted August 29, 2005
I know all this. I realize that HTML posts are a vulnerability, as I said. We don't allow many tags in HTML, including <script>, and we close other vulnerabilities as we find them, but it remains true that people can use the HTML in their posts to deface the site or deceive people until they are caught or banned. We have a few incidents per year of people abusing this feature, but most people use the capability responsibly to do things that would otherwise be difficult to do. Fortunately, this is a photography web site, not a bank.