Omnimaga

Omnimaga => Site Feedback and Questions => Topic started by: Jim Bauwens on July 29, 2013, 06:45:06 am

Title: Unsecure bb code video blocks
Post by: Jim Bauwens on July 29, 2013, 06:45:06 am
As I demostrated here, http://ourl.ca/19304, you can easily manipulate the URL that gets loaded inside the vimeo player (just an iframe). Although you're still limited to the player.vimeo.com domain (you can load any site on that domain) I think here should be some added protections. The same issue with Nico video player, you can load any JS script from the ext.nicovideo.jp domain. While this still is very restricted, it's important to remember that if Vimeo or Nico change something on their website, those stuff might be used to exploit stuff here.
Title: Re: Unsecure bb code video blocks
Post by: Sorunome on July 29, 2013, 07:11:20 am
Are those tags at all used? Because IMO they could be removed if not.....
Title: Re: Unsecure bb code video blocks
Post by: DJ Omnimaga on July 29, 2013, 01:24:06 pm
Wow I totally forgot that those tags existed. I believe I added them via custom BBCode, as well as the wikipedia ones. Since they are hardly ever used I guess they could be removed. However, it might be worth it to check if the Wikipedia/etc tags have the same problem as well, because if that's the case, then it's the entire custom BBCode mod that is at fault and it should be reported to its author on SMF.
Title: Re: Unsecure bb code video blocks
Post by: Scipi on July 29, 2013, 04:59:54 pm
/me just thought of an evil, EVIL idea, that he'll never do.

Imagine if someone realized that, and trolled the entire forum by putting that in their signature. (Under a spoiler, to make it difficult to see where the Rick Roll is coming from.
Title: Re: Unsecure bb code video blocks
Post by: TIfanx1999 on July 29, 2013, 05:02:21 pm
*cough* We already thought of that. :P But yea. NO ONE DO THAT.
Title: Re: Unsecure bb code video blocks
Post by: Sorunome on July 29, 2013, 05:45:29 pm
so THAT is why spoilers aren't allowed anymore in sigs XD
Also, I laready thought of that
Title: Re: Unsecure bb code video blocks
Post by: Darl181 on July 29, 2013, 06:15:46 pm
Believe it or not, it's already been done, except invisible :P (a certain retired admin who had a knack for embedding stuff)

Anyway, hope there's a fix for this :/ at least it can't just load code from anywhere.

Title: Re: Re: Re: Unsecure bb code video blocks
Post by: DJ Omnimaga on July 29, 2013, 07:29:32 pm
Believe it or not, it's already been done, except invisible :P (a certain retired admin who had a knack for embedding stuff)

Anyway, hope there's a fix for this :/ at least it can't just load code from anywhere.
Two admins actually :P

Also it used HTML bbcode, not an exploit (admins can put HTML inside posts)
Title: Re: Unsecure bb code video blocks
Post by: Sorunome on July 29, 2013, 07:30:24 pm
Can they still do that? O.O i thought it was disabled by now
Title: Re: Unsecure bb code video blocks
Post by: DJ Omnimaga on July 29, 2013, 07:56:21 pm
I doubt it was disabled, since no admin ever abused it dangerously. The farthest it ever went was the embedded rickrolls by me and ztrumpet, that one redirect by me (fake intro topic) and other than that it has actually been pretty useful. For example, in the tutorials section, older tutorials were made so that if the author edits his forum topic, it automatically updates the tutorial too, or other things such as that one tutorial Eeems made once with pretty colors.

Plus, even if HTML ever got disabled, admins could just add it via the database anyway :P
Title: Re: Unsecure bb code video blocks
Post by: Juju on July 29, 2013, 08:39:07 pm
Yeah, I think I was the one who added the vimeo and Niconico tags, you had to do something like http://player.vimeo.com/video/<videoid> where <videoid> is whatever inside the tag. I doubt there will be any security issue by adding the extra options (as Vimeo or whatever will make sure there isn't any security issue in their own player), and you won't be able to hide the player by setting the width/height to 0. Plus I bet it would be kinda a PITA to write something that removes those options.

So I would say to leave this as it is now as nothing harmful would happen other than scaring someone with an autoplay (thing at least 2-3 (former) admins already did).
Title: Re: Unsecure bb code video blocks
Post by: DJ Omnimaga on July 29, 2013, 08:40:32 pm
Actually I might have added them. I know I added the [Netham45] bbcode, along with Wikipedia, TI-BD and stuff, but I'm unsure anymore about the rest. I might have enabled one video site, though.

EDIT Here's the article: http://ourl.ca/11543 (a month before I quit my admin position entirely). I added Nico, but you added Vimeo it seems.
Title: Re: Unsecure bb code video blocks
Post by: Deep Toaster on August 06, 2013, 12:59:58 am
Can they still do that? O.O i thought it was disabled by now
Admins can. I don't think there's a problem with that, seeing as how the same people could just delete most of Omnimaga if they wanted >.>

I think if a lot of these BBCodes aren't getting used, we don't really have a reason to keep them around. They can make post submission slower and clutter the post editor with extra buttons.
Title: Re: Unsecure bb code video blocks
Post by: Sorunome on August 06, 2013, 05:11:01 am
[...] and clutter the post editor with extra buttons.
There is already a bunch of bb-code tags which don't appear as buttons in the editor....
Title: Re: Unsecure bb code video blocks
Post by: Eiyeron on August 06, 2013, 10:21:06 am
[...] and clutter the post editor with extra buttons.
There is already a bunch of bb-code tags which don't appear as buttons in the editor....

Which? [theGame]YOu lost it?[/theGame]
Title: Re: Unsecure bb code video blocks
Post by: Sorunome on August 06, 2013, 11:58:00 am
[...] and clutter the post editor with extra buttons.
There is already a bunch of bb-code tags which don't appear as buttons in the editor....

Which? [theGame]YOu lost it?[/theGame]
[netham45]
Title: Re: Unsecure bb code video blocks
Post by: TIfanx1999 on August 06, 2013, 12:28:03 pm
Can they still do that? O.O i thought it was disabled by now
Admins can. I don't think there's a problem with that, seeing as how the same people could just delete most of Omnimaga if they wanted >.>

I think if a lot of these BBCodes aren't getting used, we don't really have a reason to keep them around. They can make post submission slower and clutter the post editor with extra buttons.

This is true. There are probably some that we could get rid of.
Title: Re: Unsecure bb code video blocks
Post by: DJ Omnimaga on August 06, 2013, 02:03:24 pm
I think that some official tags don't necessarily have buttons either, but since barely anyone ever used the Vimeo and Niconico tags, I bet they could be removed if they ever cause issues. Most people use Youtube anyway.

I wonder how secure is the [Netham45] tag, since it doesn't need to be closed? :P
Title: Re: Unsecure bb code video blocks
Post by: Eiyeron on August 06, 2013, 02:04:28 pm
[Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45]I don't see nothing broken
Title: Re: Unsecure bb code video blocks
Post by: Deep Toaster on August 07, 2013, 05:03:59 pm
The XKCD one in particular doesn't seem to have much of a point since all it does is create a link to an XKCD comic, and it's not much harder (actually slightly less work IMHO) to just use [url=http://xkcd/][/url].