Sciencemadness Discussion Board
Author: Subject: iframe content now forced into sandbox
Polverone
Now celebrating 21 years of madness
*********




Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline

Mood: Waiting for spring

[*] posted on 5-3-2016 at 13:08
iframe content now forced into sandbox


I know that it's convenient to embed videos from youtube and other sites in an iframe. It's also a security risk since Manifest never finished the promised work to protect the forum against iframe-enabled credential theft. I have made a change to force iframed content into a sandbox, which breaks the youtube embedded player. You will have to visit the external youtube site now to play videos.

I incidentally discovered along the way why the superscript bbcode tag -- sup -- was not working. It should work now, along with the already-working subscript.




PGP Key and corresponding e-mail address
View user's profile Visit user's homepage View All Posts By User
aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 5-3-2016 at 13:51


Great work.

iframes were invented by the devil himself, and deserve to be obliterated.
View user's profile View All Posts By User
Rosco Bodine
Banned





Posts: 6370
Registered: 29-9-2004
Member Is Offline

Mood: analytical

[*] posted on 6-3-2016 at 08:06


Who is John Galt? Maybe Jimmy Hoffa redacted.
View user's profile View All Posts By User
blogfast25
International Hazard
*****




Posts: 10562
Registered: 3-2-2008
Location: Neverland
Member Is Offline

Mood: No Mood

[*] posted on 6-3-2016 at 09:42


Very nice, indeedy.



View user's profile View All Posts By User
Rosco Bodine
Banned





Posts: 6370
Registered: 29-9-2004
Member Is Offline

Mood: analytical

[*] posted on 6-3-2016 at 11:15


Predictable "progress"
View user's profile View All Posts By User
ElizabethGreene
Hazard to Others
***




Posts: 141
Registered: 15-10-2012
Member Is Offline

Mood: No Mood

[*] posted on 8-3-2016 at 14:50


One workaround for this might be to create the [youtube] tag in phpBB. There are more details here.

https://www.phpbb.com/customise/db/bbcode/youtube/

As I understand it, this blocks the users' ability to create an arbitrary iframe, and still enables them to embed videos.




My Journal has moved to http://clutteredlab.com
View user's profile Visit user's homepage View All Posts By User
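
The approach suggested in the post above, combined with the sandboxing from the first post, as an added example that is not part of the thread and is not XMB or phpBB code: a BBCode pass that takes only a video ID from a [youtube] tag and builds the iframe itself, and renders any other [iframe] tag with an empty sandbox attribute. The function name render_embeds, the [iframe] tag syntax and the 11-character ID pattern are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: a hypothetical BBCode embed pass, not XMB or phpBB code.
// Assumes $escaped has already been through htmlspecialchars(), so the
// patterns below only ever see entity-encoded quotes and angle brackets.
function render_embeds(string $escaped): string
{
    // [youtube]ID[/youtube]: the member supplies only an 11-character ID;
    // host, path and attributes are server-side constants.
    $out = preg_replace_callback(
        '~\[youtube\]([A-Za-z0-9_-]{11})\[/youtube\]~',
        static fn(array $m): string =>
            '<iframe width="640" height="360"'
            . ' src="https://www.youtube.com/embed/' . $m[1] . '"'
            // allow-same-origin keeps the player in youtube.com's own
            // origin; it grants nothing on the forum's origin.
            . ' sandbox="allow-scripts allow-same-origin"'
            . ' allowfullscreen></iframe>',
        $escaped
    ) ?? $escaped;

    // Any other [iframe]: https only, and an empty sandbox attribute, which
    // disables scripts, forms, popups and top-level navigation in the frame.
    return preg_replace_callback(
        '~\[iframe\](https://[^\s\[\]<>"\']+)\[/iframe\]~i',
        static fn(array $m): string =>
            '<iframe width="640" height="360" src="' . $m[1] . '"'
            . ' sandbox="" referrerpolicy="no-referrer"></iframe>',
        $out
    ) ?? $out;
}

// Constructed sample post, not taken from the forum. The second and fourth
// tags fail validation and stay in the output as inert escaped text.
$post = htmlspecialchars(
    "[youtube]AAAAAAAAAAA[/youtube]\n"
    . "[youtube]not-an-id\" x=\"[/youtube]\n"
    . "[iframe]https://example.com/page?a=1&b=2[/iframe]\n"
    . "[iframe]http://example.com/not-https[/iframe]",
    ENT_QUOTES
);
echo render_embeds($post), "\n";
```
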
Rosco Bodine
Banned





Posts: 6370
Registered: 29-9-2004
Member Is Offline

Mood: analytical

[*] posted on 8-3-2016 at 23:13


The old embed code like this for example may still function, it works but seems like 6 of one and a half dozen of the other ;) Not really seeing any security alerts so it may be a case of if it ain't broke don't fix it.


<object width=640 height=360><param name="movie" value="http://www.youtube.com/v/WmBw87bp-HQ?version=3&autoplay=0&showinfo=1&modestbranding=1&controls=1&theme=dark&vq=hd720&hl=en_US&rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/WmBw87bp-HQ?version=3&autoplay=0&showinfo=1&modestbranding=1&controls=1&theme=dark&vq=hd720&hl=en_US&rel=0" type="application/x-shockwave-flash" width=640 height=360 allowscriptaccess="always" allowfullscreen="true"></embed></object>


Edits done to experiment with effect of script changes and simplify the code........several versions seem to work fine.


One time I set the autoplay parameter "true" on one of these embeds but a big bird named Vulture killed the link so I never posted one again .......I'm a quick learner that way.
So it's been too long I'll see if the autoplay still works.
Coincidentally it was another Alkaemy work the first time.


<object width=640 height=360><param name="movie" value="http://www.youtube.com/v/eqcWztXpVa4?version=3&autoplay=1&showinfo=1&modestbranding=1&controls=1&theme=dark&vq=hd720&hl=en_US&rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/eqcWztXpVa4?version=3&autoplay=1&showinfo=1&modestbranding=1&controls=1&theme=dark&vq=hd720&hl=en_US&rel=0" type="application/x-shockwave-flash" width=640 height=360 allowscriptaccess="always" allowfullscreen="true"></embed></object>

[Edited on 3/9/2016 by Rosco Bodine]
View user's profile View All Posts By User
Rosco Bodine
Banned





Posts: 6370
Registered: 29-9-2004
Member Is Offline

Mood: analytical

[*] posted on 10-3-2016 at 05:26


Quote: Originally posted by aga  
Great work.

iframes were invented by the devil himself, and deserve to be obliterated.


Speak of the devil :D ;)

Or maybe Archangel Echelon Wing Commander .....
shhhh don't tell anyone .....it's a secret :P ;)

mOaT4jL.png - 532kB
View user's profile View All Posts By User
Big Boss
Harmless
*




Posts: 45
Registered: 17-7-2015
Location: Outer Heaven
Member Is Offline

Mood: No Mood

[*] posted on 11-3-2016 at 13:30


I'm sorry for not doing the work promised, I'm him by the way. I started off with such good intentions and kept putting it off, then forgot about it.
I'm the same way with schoolwork unfortunately, I keep putting it off again and again until deadlines run down.
I suppose one fix would be to force iframes into a sandbox environment, the best probably, there's still a security risk from external links but I don't plan on pulling anything any time soon.
The best fix would be to go around patching each individual CSRF exploit which would take ages, there's a few in the control panel, one in the U2U system etc.




Kept you waiting, huh?

View user's profile View All Posts By User
aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 11-3-2016 at 14:56


Words are so very easy, which is why there are so many of them, yet so little to be said.
View user's profile View All Posts By User
Big Boss
Harmless
*




Posts: 45
Registered: 17-7-2015
Location: Outer Heaven
Member Is Offline

Mood: No Mood

[*] posted on 11-3-2016 at 15:00


A statement backed by your post history, aga.



Kept you waiting, huh?

View user's profile View All Posts By User
aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 11-3-2016 at 15:11


Correct, although beer tends to get involved in my case.

Failure to deliver on promised code changes, then vague mentions of vulnerabilities in general areas of the board's php is very weak indeed. Weak.

Detail the code sections please and i'll put in the man-hours to eliminate the vulnerabilities.

Post them here rather than U2U so other programmer members can help.
View user's profile View All Posts By User
aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 11-3-2016 at 15:14


Just in case you feel like forgetting or redacting the Words.

Quote: Originally posted by Big Boss  
there's still a security risk from external links


Quote: Originally posted by Big Boss  
The best fix would be to go around patching each individual CSRF exploit which would take ages, there's a few in the control panel, one in the U2U system

View user's profile View All Posts By User
Big Boss
Harmless
*




Posts: 45
Registered: 17-7-2015
Location: Outer Heaven
Member Is Offline

Mood: No Mood

[*] posted on 11-3-2016 at 16:09


I found this exploit on the web, http://www.autosectools.com/advisories/XMB.1.9.11_Cross-site... as well as this https://www.exploit-db.com/exploits/14364/

If I remember right u2u.php?action=send is vulnerable to CSRF but this isn't too bad, you could make users send U2U's. I tested this out with a couple members of the skype group.

and of course there's the one I used to change users' emails, memcp.php
You can find XMB 1.9.11 here, http://www.xmbforum2.com/download/XMB-1.9.11.13.zip

I would rather we work together on this than take subtle jabs at each other like a few members have been doing the past months, it really does achieve nothing. Can we agree on that?

[Edited on 12-3-2016 by Big Boss]




Kept you waiting, huh?

View user's profile View All Posts By User
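
One way to close this class of hole for state-changing requests such as u2u.php?action=send and memcp.php, as an added example that is not part of the thread and is not XMB code: a per-session, per-action anti-CSRF token that is only accepted on POST. The function names, the csrf_key session entry and the action labels are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical synchronizer-token helpers, not XMB code.

// Returns the token to place in a hidden form field for one action.
function csrf_token(array &$session, string $action): string
{
    if (!isset($session['csrf_key'])) {
        $session['csrf_key'] = random_bytes(32); // per-session secret
    }
    // Binding the token to the action name means a token issued for one
    // form is not accepted by another.
    return hash_hmac('sha256', $action, $session['csrf_key']);
}

// True only for a POST carrying the token issued to this session and action.
function csrf_check(array $session, string $method, string $action, ?string $sent): bool
{
    if ($method !== 'POST' || !isset($session['csrf_key']) || !is_string($sent)) {
        return false; // GET requests and forms without a token stop here
    }
    $expected = hash_hmac('sha256', $action, $session['csrf_key']);
    return hash_equals($expected, $sent); // constant-time comparison
}

// Constructed walk-through; a plain array stands in for $_SESSION.
$session = [];
$token = csrf_token($session, 'u2u_send');

// The forum's own form, submitted with its hidden field.
var_dump(csrf_check($session, 'POST', 'u2u_send', $token));
// A form hosted on another site: the browser sends the session cookie,
// but the page has no way to read the token, so none is supplied.
var_dump(csrf_check($session, 'POST', 'u2u_send', null));
// A state change attempted through a GET link or image URL.
var_dump(csrf_check($session, 'GET', 'u2u_send', $token));
// A token issued for sending U2Us presented to the e-mail change form.
var_dump(csrf_check($session, 'POST', 'memcp_email', $token));
```
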
Polverone
Now celebrating 21 years of madness
*********




Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline

Mood: Waiting for spring

[*] posted on 11-3-2016 at 18:21


The XMB code as used by the forum is here: https://github.com/mattbernst/xmbforum

(Well, actually there are a couple of small modifications that I've not bothered to merge into that repo since nobody was using it. I should do that...)

If Big Boss/Manifest is still willing to make improvements in the form of pull requests I'm still happy to review them and merge them if they pass review. Not every problem needs to be fixed at once. Start with one issue and fix it. This invitation goes for aga too, and anyone else who might want to contribute.




PGP Key and corresponding e-mail address
View user's profile Visit user's homepage View All Posts By User
Rosco Bodine
Banned





Posts: 6370
Registered: 29-9-2004
Member Is Offline

Mood: analytical

[*] posted on 11-3-2016 at 19:25




A script could be used to invoke the old embed code in the place of "sandbox" to break the "iframe" script .....maybe just overwrite the "iframe" script with the old embed code derivative. It would be a translator script.

I am NOT a programmer so I'm not sure it makes sense what I am suggesting may be possible.
View user's profile View All Posts By User
aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 12-3-2016 at 08:00


Could you post the install directory as well please, or just say if it's the same as the stock 1.9.11 one.

Best start with the exact same schema as you got.

Edit:

It's pretty noisy in this sandbox ;)

[Edited on 12-3-2016 by aga]
View user's profile View All Posts By User
Rosco Bodine
Banned





Posts: 6370
Registered: 29-9-2004
Member Is Offline

Mood: analytical

[*] posted on 12-3-2016 at 10:19


script kiddies are the worst when they are old enough to get a senior discount :P

Sorry ........
I was tinkering before with scripts and it is too late now to edit the autoplay embed
View user's profile View All Posts By User
aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 12-3-2016 at 11:00


The noise isn't so bad. Reminds me of Clannad or Enya.
View user's profile View All Posts By User
Polverone
Now celebrating 21 years of madness
*********




Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline

Mood: Waiting for spring

[*] posted on 12-3-2016 at 14:34


The install directory is the same as the stock 1.9.11.



PGP Key and corresponding e-mail address
View user's profile Visit user's homepage View All Posts By User
aga
Forum Drunkard
*****




Posts: 7030
Registered: 25-3-2014
Member Is Offline


[*] posted on 13-3-2016 at 12:30


Cheers.
View user's profile View All Posts By User
