Arbitrary (javascript) code injection allowed through profile page

Is there a way to use Noscript and still maintain basic functionality of this forum, or are we pretty much screwed there? (I can't go to the next page of a thread without modifying the url, quick reply doesn't really work that well, and my forums is basically useless)
 
Originally posted by: Chris
I thought we were going to VB. What's the status?

VB is being developed for Anandtech, alongside Duke Nukem Forever.

When DNF comes out, AT will switch to VB
 
Originally posted by: Captain Howdy
Is there a way to use Noscript and still maintain basic functionality of this forum, or are we pretty much screwed there? (I can't go to the next page of a thread without modifying the url, quick reply doesn't really work that well, and my forums is basically useless)

White list forums.anandtech.com in Noscript. The XSS stuff still runs even on a white listed site, there are very few (3) exceptions, I believe.
 
Originally posted by: skace
Originally posted by: Captain Howdy
Is there a way to use Noscript and still maintain basic functionality of this forum, or are we pretty much screwed there? (I can't go to the next page of a thread without modifying the url, quick reply doesn't really work that well, and my forums is basically useless)

White list forums.anandtech.com in Noscript. The XSS stuff still runs even on a white listed site, there are very few (3) exceptions, I believe.

This. NoScript will allow scripts from the local site to run (meaning a potential script to point to something offsite will run) when the given site is on the whitelist. However, any ENTIRE malicious script would have to run directly from AnandTech (which you would have whitelisted) in order to actually execute. Any script coming from an arbitrary server off site would automatically be blacklisted on the page read.

Now mind you - it is entirely possible to craft a script that would run directly off of the AnandTech server with this injection exploit, however its utility would be somewhat limited but still possibly dangerous.
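
Added example, not part of the thread or any poster's code: a simplified Python model of the point made above, that an origin allowlist blocks off-site script sources but not a script injected into the allowlisted page itself, and that server-side output encoding removes both. The allowlist model, the `render_profile` helper, the `/js/forum.js` path and the signature string are assumptions constructed for illustration; this is not how NoScript or the forum software is actually implemented.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_HOST = "forums.anandtech.com"   # origin serving the profile page
ALLOWLIST = {PAGE_HOST}              # hosts the user has allowed to run scripts

class ScriptFinder(HTMLParser):
    """Records each <script> element as (kind, origin host)."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            # Inline script: it executes with the origin of the page it sits in.
            self.scripts.append(("inline", self.page_host))
        else:
            # A relative src has no hostname and resolves to the page's host.
            host = urlparse(src).hostname or self.page_host
            self.scripts.append(("external", host))

def scripts_that_run(html, allowlist=ALLOWLIST, page_host=PAGE_HOST):
    """Scripts a per-origin allowlist would let execute (simplified model)."""
    finder = ScriptFinder(page_host)
    finder.feed(html)
    finder.close()
    return [s for s in finder.scripts if s[1] in allowlist]

def render_profile(signature, encode):
    """Hypothetical profile template; encode=True applies output encoding."""
    body = escape(signature) if encode else signature
    return f'<script src="/js/forum.js"></script><div class="sig">{body}</div>'

# Constructed sample of user-supplied profile text (not taken from the thread).
SIGNATURE = ('<script>/* injected inline */</script>'
             '<script src="https://offsite.example/x.js"></script>')

if __name__ == "__main__":
    for encode in (False, True):
        page = render_profile(SIGNATURE, encode)
        print("encoded" if encode else "raw", scripts_that_run(page))
```

In the raw rendering the off-site source is filtered out but the injected inline block still counts as the allowlisted origin; in the encoded rendering only the site's own script remains.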
 
Hello all, it's a bit overdue that I'm posting to this thread, but I was made aware of the issue last week and we took care of it to the best of our ability. The code injection was corrected last week and there is no further risk for that happening.

Security is of the utmost importance to me, and even though direct forum administration is not my job, I do take it upon myself to get involved when necessary to help address those issues.

On a side note, vB is quite close now. It would have already been done as the infrastructure is ready, but there are some other surprises that will be happening at the same time so it must be coordinated together. It is a very large project so once you see the results, I hope you will understand (some) of the delays. 😀
 
Originally posted by: Not my fault
Hello all, it's a bit overdue that I'm posting to this thread, but I was made aware of the issue last week and we took care of it to the best of our ability. The code injection was corrected last week and there is no further risk for that happening.

Security is of the utmost importance to me, and even though direct forum administration is not my job, I do take it upon myself to get involved when necessary to help address those issues.

On a side note, vB is quite close now. It would have already been done as the infrastructure is ready, but there are some other surprises that will be happening at the same time so it must be coordinated together. It is a very large project so once you see the results, I hope you will understand (some) of the delays. 😀

Will you be changing your name to "The Buck Stops Here"?
 
Originally posted by: Not my fault
Hello all, it's a bit overdue that I'm posting to this thread, but I was made aware of the issue last week and we took care of it to the best of our ability. The code injection was corrected last week and there is no further risk for that happening.

Security is of the utmost importance to me, and even though direct forum administration is not my job, I do take it upon myself to get involved when necessary to help address those issues.

On a side note, vB is quite close now. It would have already been done as the infrastructure is ready, but there are some other surprises that will be happening at the same time so it must be coordinated together. It is a very large project so once you see the results, I hope you will understand (some) of the delays. 😀

I'm going to assume that you're doing some back end validation now, because the profile form hasn't changed any. Unfortunately, I'm not willing to be banned, so I'm going to "take your word for it" for the time being.
 
A user changed his avatar again today in a thread so I doubt this is fixed at all. I also am not going to go messing around but FT is fundamentally a piece of shit and there's no helping it. I don't know who is using that moniker but to say security is of the utmost importance to you is kind of a joke in my opinion.

There aren't enough bells and whistles in the world that make up for the ridiculous amount of time it has taken to get over to VB.
 
Originally posted by: SunnyD
Originally posted by: skace
Originally posted by: Captain Howdy
Is there a way to use Noscript and still maintain basic functionality of this forum, or are we pretty much screwed there? (I can't go to the next page of a thread without modifying the url, quick reply doesn't really work that well, and my forums is basically useless)

White list forums.anandtech.com in Noscript. The XSS stuff still runs even on a white listed site, there are very few (3) exceptions, I believe.

This. NoScript will allow scripts from the local site to run (meaning a potential script to point to something offsite will run) when the given site is on the whitelist. However, any ENTIRE malicious script would have to run directly from AnandTech (which you would have whitelisted) in order to actually execute. Any script coming from an arbitrary server off site would automatically be blacklisted on the page read.

Now mind you - it is entirely possible to craft a script that would run directly off of the AnandTech server with this injection exploit, however its utility would be somewhat limited but still possibly dangerous.
So, by allowing "forums.anandtech.com" or "anandtech.com" in NoScript we're mostly safe but not entirely till this is fixed?
 
Originally posted by: Spacehead
Originally posted by: SunnyD
Originally posted by: skace
Originally posted by: Captain Howdy
Is there a way to use Noscript and still maintain basic functionality of this forum, or are we pretty much screwed there? (I can't go to the next page of a thread without modifying the url, quick reply doesn't really work that well, and my forums is basically useless)

White list forums.anandtech.com in Noscript. The XSS stuff still runs even on a white listed site, there are very few (3) exceptions, I believe.

This. NoScript will allow scripts from the local site to run (meaning a potential script to point to something offsite will run) when the given site is on the whitelist. However, any ENTIRE malicious script would have to run directly from AnandTech (which you would have whitelisted) in order to actually execute. Any script coming from an arbitrary server off site would automatically be blacklisted on the page read.

Now mind you - it is entirely possible to craft a script that would run directly off of the AnandTech server with this injection exploit, however its utility would be somewhat limited but still possibly dangerous.
So, by allowing "forums.anandtech.com" or "anandtech.com" in NoScript we're mostly safe but not entirely till this is fixed?

Pretty much.
 
I'm still trying to figure out how security could be of so much importance, yet little is being done to correct the issue.

My immediate action would be to port the database over to vB (which I'm sure is already possible, if not, what the fuck?). Then, and this concept might blow your mind, I would start to work on the additions that I think would make vB even more superior as a forum software (not being FuseTalk already makes it awesome).

I mean, seriously. Why not just move the basics over right now? I don't think anyone really gives a fuck about these new features, they'd rather just have the current ones, but actually functional. We want secure forums, because we all know what happened last time.

That was nearly three years ago. How much longer are you going to wait?
 