[geeklog-devel] Forums hack

Blaine Lang geeklog at langfamily.ca
Mon May 21 23:05:04 EDT 2007


I've corrected the database for the offending post - the user had 
entered a <meta refresh tag as his name but since there is a field size 
limit the URL as Joe noted was not correct. The script does pass the 
post var thru COM_checkHTML but looks like this tag was allowed thru.

I've banned the IP and moved the post out of the public forums but there 
is nothing else much in the content other then the posting IP of interest.
I will do some more testing with what he used as his name.

Thanks Joe.

Blaine

Joe Mucchiello wrote:
> There's an annoying forum hack plaguing www.geeklog.net. I'm posting 
> here, rather than directly to Dirk, so Blaine finds out too.
>
> Apparently no filtering is being done on the anonymous author. Someone 
> figured this out and put a meta-equiv command as their name to 
> refresh. Of course the whole refresh didn't fit in the database so you 
> just get an error. But every occurrence of that "name" reloads the bad 
> url. This includes the "last ten posts" on the home page and on the 
> forum page, whatever forum contains the bad name causes the list of 
> forums to reset. Here's the offending line. Thankfully the refresh was 
> set to "1;".
>
> <a class="tooltip" style="text-decoration:none;" 
> href="http://www.geeklog.net/forum/viewtopic.php?showtopic=76496"><span 
> style="left:50px;"><br>Started by:,<meta http-equiv="refresh" 
> content="1; URL=www.gre,05/21/07 18:49 PM<br>Views:7, 
> Replies:0<br></span></a>
>
> Dirk, you might want to update the aname field on the topic before 
> deleting the record. See if there's anything else interesting about 
> whomever posted this.
>
> ----
> Joe Mucchiello
> Throwing Dice Games
> http://www.throwingdice.com
> _______________________________________________
> geeklog-devel mailing list
> geeklog-devel at lists.geeklog.net
> http://eight.pairlist.net/mailman/listinfo/geeklog-devel
>
>



More information about the geeklog-devel mailing list