Beta 8 HTML Attack

Hello

Adding a New HTML BLOCK is Not Working When u rename the Block

and u add the code on the HTML-content:

then when u click save i get this on the block

Possible Attack!!! All Data has Been Collected And Sent To The Site owner For Analysis

and i check my email and i get this

------------------------------------------------------------------------------------------------------------------------------------------

Total impact: 186
Affected tags: xss, csrf, id, rfe, lfi, sqli

Variable: REQUEST.Content | Value: <script type=\"text/javascript\">
var AdBrite_Title_Color = \'0000FF\';
var AdBrite_Text_Color = \'000000\';
var AdBrite_Background_Color = \'99C9FF\';
var AdBrite_Border_Color = \'333333\';
var AdBrite_URL_Color = \'008000\';
try{var AdBrite_Iframe=window.top!=window.self?2:1;var AdBrite_Referrer=document.referrer==\'\'?document.location:document.referrer;AdBrite_Referrer=encodeURIComponent(AdBrite_Referrer);}catch(e){var AdBrite_Iframe=\'\';var AdBrite_Referrer=\'\';}
</script>
<span style=\"white-space:nowrap;\"><script type=\"text/javascript\">document.write(String.fromCharCode(60,83,67,82,73,80,84));document.write(\' src=\"http://ads.adbrite.com/mb/text_group.php?sid=1395346&zs=3732385f3930&ifr=\'+AdBrite_Iframe+\'&ref=\'+AdBrite_Referrer+\'\" type=\"text/javascript\">\');document.write(String.fromCharCode(60,47,83,67,82,73,80,84,62));</script>
Impact: 93 | Tags: xss, csrf, id, rfe, lfi, sqli
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: finds attribute breaking injections including whitespace attacks | Tags: xss, csrf | ID: 2
Description: finds malicious attribute injection attempts | Tags: xss, csrf | ID: 69
Description: Detects url-, name-, JSON, and referrer-contained payload attacks | Tags: xss, csrf | ID: 4
Description: Detects JavaScript with(), ternary operators and XML predicate attacks | Tags: xss, csrf | ID: 7
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects possible includes and typical script methods | Tags: xss, csrf, id, rfe | ID: 16
Description: Detects JavaScript object properties and methods | Tags: xss, csrf, id, rfe | ID: 17
Description: Detects JavaScript string properties and methods | Tags: xss, csrf, id, rfe | ID: 19
Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20
Description: Detects very basic XSS probings | Tags: xss, csrf, id, rfe | ID: 21
Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23
Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31
Description: Detects obfuscated script tags and XML wrapped HTML | Tags: xss | ID: 33
Description: Detects possibly malicious html elements including some attributes | Tags: xss, csrf, id, rfe, lfi | ID: 38
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Description: Detects basic SQL authentication bypass attempts 1/3 | Tags: sqli, id, lfi | ID: 44
Description: Detects basic SQL authentication bypass attempts 2/3 | Tags: sqli, id, lfi | ID: 45
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

Variable: POST.Content | Value: <script type=\"text/javascript\">
var AdBrite_Title_Color = \'0000FF\';
var AdBrite_Text_Color = \'000000\';
var AdBrite_Background_Color = \'99C9FF\';
var AdBrite_Border_Color = \'333333\';
var AdBrite_URL_Color = \'008000\';
try{var AdBrite_Iframe=window.top!=window.self?2:1;var AdBrite_Referrer=document.referrer==\'\'?document.location:document.referrer;AdBrite_Referrer=encodeURIComponent(AdBrite_Referrer);}catch(e){var AdBrite_Iframe=\'\';var AdBrite_Referrer=\'\';}
</script>
<span style=\"white-space:nowrap;\"><script type=\"text/javascript\">document.write(String.fromCharCode(60,83,67,82,73,80,84));document.write(\' src=\"http://ads.adbrite.com/mb/text_group.php?sid=1395346&zs=3732385f3930&ifr=\'+AdBrite_Iframe+\'&ref=\'+AdBrite_Referrer+\'\" type=\"text/javascript\">\');document.write(String.fromCharCode(60,47,83,67,82,73,80,84,62));</script>
Impact: 93 | Tags: xss, csrf, id, rfe, lfi, sqli
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: finds attribute breaking injections including whitespace attacks | Tags: xss, csrf | ID: 2
Description: finds malicious attribute injection attempts | Tags: xss, csrf | ID: 69
Description: Detects url-, name-, JSON, and referrer-contained payload attacks | Tags: xss, csrf | ID: 4
Description: Detects JavaScript with(), ternary operators and XML predicate attacks | Tags: xss, csrf | ID: 7
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects possible includes and typical script methods | Tags: xss, csrf, id, rfe | ID: 16
Description: Detects JavaScript object properties and methods | Tags: xss, csrf, id, rfe | ID: 17
Description: Detects JavaScript string properties and methods | Tags: xss, csrf, id, rfe | ID: 19
Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20
Description: Detects very basic XSS probings | Tags: xss, csrf, id, rfe | ID: 21
Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23
Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31
Description: Detects obfuscated script tags and XML wrapped HTML | Tags: xss | ID: 33
Description: Detects possibly malicious html elements including some attributes | Tags: xss, csrf, id, rfe, lfi | ID: 38
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Description: Detects basic SQL authentication bypass attempts 1/3 | Tags: sqli, id, lfi | ID: 44
Description: Detects basic SQL authentication bypass attempts 2/3 | Tags: sqli, id, lfi | ID: 45
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67
Centrifuge detection data Threshold: --- Ratio: --- Converted: ((((+++::

REMOTE_ADDR: 98.242.142.242
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:

Post Reply - if you going to help - No for - bla bla bla bla
Quote · 28 Oct 2009

It might be helpful if you posted the html code you are trying to place in a block.

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 28 Oct 2009

It won't accept any html..

Even simple images are rejected as an attack.

<img src="http://www.*******.com/images/join-local-christmas.png" /><p>
</p>

Quote · 28 Oct 2009

Yep She is right

It won't accept any html code on the block i get this attack with any html code

the one i'm using is for my ad

Post Reply - if you going to help - No for - bla bla bla bla
Quote · 28 Oct 2009

I have the exact same issue, I had thought earlier it was something to do with my license code and then I realized it happened when I inserted my header.swf file.  It seems once this message appears you are locked out of the admin panel also.  If you find a solution to this I would be most interested, it seems the security settings on the script are much higher with this beta version.

Quote · 28 Oct 2009

It seems the security settings are way too restrictive.  The only way I could get my site back up again on this beta was to comment out require_once(BX_DIRECTORY_PATH_INC . "security.inc.php"); in the header.inc.php file - of course this isn't really the solution as it bypasses whatever else security measures are in place, however I got sick and tired of getting locked out and seeing Possible Attack!!! after every slight change I made to my site.

Quote · 28 Oct 2009

Wow ..... and they think this is ready for the RC stage?   I don't think so.  Every beta so far, introduces NEW bugs.  This must be part of that security audit. 

As far as the admin posting html code in a block, I don't think admin posts should be subjected to the same scrutiny as members posting html code in forums or blogs.  Admins should be able to post whatever html they damn well please.

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 28 Oct 2009
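
A narrower alternative to commenting out security.inc.php, as discussed in the two posts above: keep the scan on for everyone and exempt only the admin block editor's Content field. This is an added example, not Dolphin's own code; it assumes a stock PHPIDS 0.6 setup, and the paths and is_admin_session() are hypothetical placeholders.

```php
<?php
// Added example, not Dolphin's security.inc.php. Assumes stock PHPIDS 0.6;
// paths and is_admin_session() are hypothetical placeholders.
require_once 'IDS/Init.php';

// Hypothetical helper: replace with the application's own admin check.
function is_admin_session()
{
    return isset($_SESSION['is_admin']) && $_SESSION['is_admin'] === true;
}

// Fields PHPIDS should skip for this request. The e-mailed report flags the
// same body twice (REQUEST.Content and POST.Content, 93 + 93 = 186), so both
// keys are listed; exempting only one leaves the other copy to trip the rules.
function ids_exceptions_for($scriptName, $isAdmin)
{
    $blockEditor = '/administration/BLOCK_EDITOR.php'; // placeholder path
    if ($isAdmin && $scriptName === $blockEditor) {
        return array('REQUEST.Content', 'POST.Content');
    }
    return array(); // members and guests: every field is still scanned
}

session_start();
$init = IDS_Init::init('/path/to/IDS/Config/Config.ini.php'); // placeholder
$existing = isset($init->config['General']['exceptions'])
    ? (array) $init->config['General']['exceptions']
    : array();
$init->config['General']['exceptions'] = array_merge(
    $existing,
    ids_exceptions_for($_SERVER['SCRIPT_NAME'], is_admin_session())
);

$request = array(
    'REQUEST' => $_REQUEST,
    'GET'     => $_GET,
    'POST'    => $_POST,
    'COOKIE'  => $_COOKIE,
);
$ids    = new IDS_Monitor($request, $init);
$result = $ids->run();

if (!$result->isEmpty()) {
    error_log('PHPIDS impact ' . $result->getImpact());
    header('HTTP/1.1 403 Forbidden');
    exit('Request blocked');
}
```

Because the exempted field can then carry script, the admin form that posts it should sit behind the application's CSRF token check.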

This is no good people waiting and waiting to see better fix and each beta have more and more bugs and problems

i'm getting very sick of boonex i'm really going to try another social network boonex is wasting my time

Beta + Bugs = More Betas + More Bugs = Betas + More Bugs + Betas = Wasting Time For The WebSite Owner

I DON'T GET IT Why They Keep Making Beta it will be Better if u can update the Dolphin 7 ( Hokies ) Betas

i switch my forum Vbulletin for boonex and i'm very disappointed when they tell me about boonex

Post Reply - if you going to help - No for - bla bla bla bla
Quote · 28 Oct 2009

It appears that boonex has created a script so secure that we can't even get into it... LOL

 

I guess this signals it's about time to hop deep finally into the D7 arena and start bringing it around for what we need it for.  Perhaps we can figure out how to code into it a way to allow Admin to do what Admin wants to do.  More than likely though it's coming about as an Apache Server config'd for suPHP utilizes user "Nobody" for writing changes that we make to the script.  Unfortunately, this also means it doesn't yet recognize the difference between Admin, End User & a non-member (cracker) trying to come in.

 

Problems that this is going to cause will be in any area that is supposed to be customizable such as Profiles for example.  But moving from there, a lot of us will be upgrading other areas such as Blogs, Articles, Store, Sites and so on.  If this thing is going to trip and start locking people out every time we breathe at it then it's a useless security feature as it's only going to piss off the end users also.

 

Off to look at this code in-depth and see what we can find out about how it's configured and sorting things out.

 

Has anyone tried clearing the cache via FTP or cPanel when they get locked out to see if they can get back into the Admin Panel?  Also, is this a timed lock out or an all out lock out that never ends?

Quote · 28 Oct 2009

Has anyone tried clearing the cache via FTP or cPanel when they get locked out to see if they can get back into the Admin Panel?  Also, is this a timed lock out or an all out lock out that never ends?

That's a good idea, I hadn't thought of clearing the cache.  Ultimately the only way I could get into my site again was through commenting out the security file in header.inc.php.  I did this several hours after I first got locked out so I don't think it's a timing thing.  If you figure out the security file and why it is so 'sensitive' I would be interested in hearing your findings.

Quote · 28 Oct 2009

Ticket # 1384

http://www.boonex.com/trac/dolphin/ticket/1384

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 28 Oct 2009

Thanks For Opening This Ticket: houstonlively

Ticket # 1384

http://www.boonex.com/trac/dolphin/ticket/1384

Post Reply - if you going to help - No for - bla bla bla bla
Quote · 28 Oct 2009

Yahooo I have made a fix for this bug! it works for me...i hope it works for u as well

download this file and replace it with: /DOLPHIN DIRECTORY/inc/security.inc.php

http://www.mediafire.com/?hciyinnjn20

Quote · 12 Nov 2009

Yahooo I have made a fix for this bug! it works for me...i hope it works for u as well

download this file and replace it with: /DOLPHIN DIRECTORY/inc/security.inc.php

http://www.mediafire.com/?hciyinnjn20

Hi,

Please see your post (I've added some infos for you) here:

http://www.boonex.com/unity/forums/forum/Dolphin-Betas-And-RCs-0.htm#topic/Possible-Attack-.htm

Quote · 12 Nov 2009
 
 