html tags not filtered (23, permasaged)

1 Name: anon : 2009-07-08 09:13 ID:eP9LC918 [Del]

hi, we have new vulnerability in wakaba:

if you include html tags in wakaba mark like irc : irc:<some html tegs>, you can include in thread any what you want.

yes its realy working, and users can hacked wakaba.

any ideas how fix?

2 Name: !WAHa.06x36 : 2009-07-08 13:59 ID:Heaven [Del]

Well, that clearly doesn't work, as you demonstrated. If you can figure out what actually triggers it, I can do something about it, but that isn't it.

Also, upgrade to the newest version, it has some fixes that may be related.

3 Name: anon : 2009-07-09 01:46 ID:eP9LC918 [Del]

oh, sry my english bad, but i try answer more correct.
I`m using wakaba 3.0.8.

Problem in any wakaba marks, which applies to url link.
news, irc, http, https, mailto.
User can include code, wich end of code her post.
Its starting as: irc:</blockquote> and some next end-tags of post.
And in this wakaba not filtered it. In result after end-tags, you can include starting-tags for new post - and in results it will be double-post like a 2 or more messages.

I was forced to disable all marks(news, irc, http, https, mailto), because hackers have more fantasy and did all threads in only 1!! omg.

sry for bad english, but i hope you anderstand what i mean.

4 Name: Anonymous : 2009-07-09 03:12 ID:Heaven [Del]

>>3
can you post an example of actual html that's ending up in the posts? i may be able to figure out what's going on from that.

5 Name: anon : 2009-07-09 06:30 ID:eP9LC918 [Del]

oh, look here: http://2-ch.ru/bg/
This directory now actual was hacking.
(in this directory wakaba marks not removed for demonstration hacking)

(Note: Scroll its not hack. Hack it`s all threads in one)

6 Name: !WAHa.06x36 : 2009-07-09 06:36 ID:Heaven [Del]

>>5

No tags have been injected there, it's just that link tag argument has somehow been left unclosed, eating up some of the following markup and breaking the layout. It's not dangerous, just annoying.

I have no idea how exactly that would happen, though. Anybody else have any guesses?

7 Name: anon : 2009-07-09 06:58 ID:eP9LC918 [Del]

>>6
This bug working only if marks like irc:, news:, http:, etc not removed. User(hacker) can did it on any board on wakaba in any time.

Now i can fix this problem only by removing this links-tags from wakautils.pl . But it mean all links in threads will be not active anymore.

8 Name: Anonymous : 2009-07-09 12:24 ID:1KBPHknF [Del]

ok i will try to demonstrate it here
http://󠀠

9 Name: Anonymous : 2009-07-09 12:28 ID:1KBPHknF [Del]

see it's ok here.

10 Post deleted by user.

11 Name: anon : 2009-07-09 14:01 ID:u/I4ZEDC [Del]

>>8
here kareha, she possibly not have this vulnerability,
but on wakaba it work 100%

12 Name: Anonymous : 2009-07-09 15:44 ID:OkXZcFgB [Del]

>>11
maybe it's not related to subj, but it seems like kusaba have this bug, too

13 Post deleted by user.

14 Post deleted by user.

15 Name: Anonymous : 2009-07-11 05:37 ID:7S1BaBAX [Del]

ДВач запилили мне быстро!

16 Name: anon : 2009-07-15 17:42 ID:nvvtOQJw [Del]

I found cause of this bug.
We use full utf8 encoding. include "sen names utf8" in wakaba.pl for correct data in db mysql. (because default connect on server db not utf8)

But in this case - wakaba starting acepting and processing special utf8 symbols. like a: 󠀠, 󠀡, 󠀢, and many others. And they destroy html code in wakaba template. if they will be added in links likes( http://󠀠 ).

i was trying change "use constant MAX_UNICODE => 1114111;" to 65536. But no have efect. Wakaba stil continue acepting this symbols.

Maybe someone know - how to force wakaba to stop processing this symbols?
I wiil be wait any answers. Thank you.

17 Post deleted by user.

18 Post deleted by moderator.

19 Post deleted by moderator.

20 Post deleted by moderator.

21 Post deleted by moderator.

22 Post deleted by moderator.

23 Name: CD Taxa (3) : 2013-01-22 10:21 ID:H9lBpLTj [Del]

CD Taxa(3)

Name: Link:
Leave these fields empty (spam trap):
More options...
Verification: