ok so a while back I found an exploit with quote boxes on a different forum (Brohoof.com), running the same forum software as this one (IP.Board). I used 'f12 developer tools' to grab the html source code of the webpage, pasted it into a quote box, and rather than displaying the code, it made a mini version of the webpage inside the quote box. I have only ever managed to make it work once. any advice on how to reproduce this, or a safer non-exploit method of getting code to do stuff in a forum post?
Some forums enable HTML embedding in posts, all you did was embed the webpage onto the webpage in a post.
There is no exploit here and there is nothing out of the ordinary.
You don't need to use developer tools to grab source either, just rightclick > view source.
well it is an exploit, since it only worked once, at a certain time. I have never made it work again. also, right click > view source just brings up exactly what I can get thru developer tools, plus its not always stable on this pc :/
edit: also I believe that most of the features of the webpage were broken in this 'embedded' version, the only fully working part was the image at the top that moves downwards when you hover over it.
well it is an exploit, since it only worked once, at a certain time. I have never made it work again. also, right click > view source just brings up exactly what I can get thru developer tools, plus its not always stable on this pc :/
edit: also I believe that most of the features of the webpage were broken in this 'embedded' version, the only fully working part was the image at the top that moves downwards when you hover over it.
If you can't do anything useful or dangerous with it, it's not really an exploit.
well it is an exploit, since it only worked once, at a certain time. I have never made it work again. also, right click > view source just brings up exactly what I can get thru developer tools, plus its not always stable on this pc :/
edit: also I believe that most of the features of the webpage were broken in this 'embedded' version, the only fully working part was the image at the top that moves downwards when you hover over it.
It is not an exploit.
Just because it worked once "at a certain time" means nothing. Literally nothing.
Whats not always stable? Rightclick > view source literally just views the code of the webpage being displayed, there is nothing fancy at work here, it is basically just un-rendering the web page into plain text.
Yes, of course everything was broken, you embedded a copy/pasted version of the page into the page itself, so things would be linking to subdirs of a subdir and not linking properly.
Again, this is not an exploit, not even close or remotely of the sort.
Just like if I copy/paste your post right here, it is not an exploit (if MCF had HTML embedding enabled, it would be an exact copy of your post).
I was even able to rep your post from the copy/paste below, because it is just a website link, there is no exploitation going on here.
Some forums enable HTML embedding in posts, all you did was embed the webpage onto the webpage in a post.
There is no exploit here and there is nothing out of the ordinary.
You don't need to use developer tools to grab source either, just rightclick > view source.well it is an exploit, since it only worked once, at a certain time. I have never made it work again. also, right click > view source just brings up exactly what I can get thru developer tools, plus its not always stable on this pc :/
edit: also I believe that most of the features of the webpage were broken in this 'embedded' version, the only fully working part was the image at the top that moves downwards when you hover over it.
0
casahasa0603, on 12 May 2013, said:
Why watch MLP? You can watch just one episode and instantly fall in love with it. I bet "haters" are just afraid to admit that they actually like the show. Go watch the show! And if you like it.. well.. WELCOME TO THE HERD!
ok let me just get this straight, by exploit, I simply meant a vulnerability which could be used to embed content which could possibly be annoying or dangerous to other users. so any idea if there is a way to embed code such as the following into an ordinary forum post?
ok let me just get this straight, by exploit, I simply meant a vulnerability which could be used to embed content which could possibly be annoying or dangerous to other users. so any idea if there is a way to embed code such as the following into an ordinary forum post?
1. that is javascript, which is exactly what worked in the first place
2. so it is an exploit?
3. I have no idea what cartoon your avatar pic is from but holy shoot its creepy without a nose...
1. that is javascript, which is exactly what worked in the first place
You should not be able to embed javascript into posts either but seeing how it's only happen once to you it really doesn't matter. We also don't know if that forum is running the same version of IPB as us, this version is also modified.
If you do have concerns, get in touch with IPS.
2. so it is an exploit?
I fail to see how you could gain anything from this, it does not allow you to bypass permissions or spam etc so it is not a vulnerability and you cannot exploit it.
3. I have no idea what cartoon your avatar pic is from but holy shoot its creepy without a nose...
Don't all of the ponies in MLP have no nose either?
1. that is javascript, which is exactly what worked in the first place
2. so it is an exploit?
Though this should surprise nobody, the exploit and vulnerability was explicitly ENABLED on the other forum. You have to explicitly enable HTML in posts and/or signatures through Ip.Board. I'm unimpressed but not surprised that such a feature would allow <script> tags to execute, but I suppose that is why it's disabled by default.Basically it's a checkbox with a bunch of warnings about how it will enable XSS and stuff and some moron decided "What could possibly go wrong" and enabled it.
You should not be able to embed javascript into posts either but seeing how it's only happen once to you it really doesn't matter. We also don't know if that forum is running the same version of IPB as us, this version is also modified.
If you do have concerns, get in touch with IPS.
I fail to see how you could gain anything from this, it does not allow you to bypass permissions or spam etc so it is not a vulnerability and you cannot exploit it.
Don't all of the ponies in MLP have no nose either?
1. 'should not be able to embed javascript' so it is something unintended.
2. javascript can do quite a lot.
3. they do have snouts (noses). don't wanna post pictures so if ur rly interested (99.9% sure ur not) just google it
Some forums enable HTML embedding in posts, all you did was embed the webpage onto the webpage in a post.
There is no exploit here and there is nothing out of the ordinary.
You don't need to use developer tools to grab source either, just rightclick > view source.
edit: also I believe that most of the features of the webpage were broken in this 'embedded' version, the only fully working part was the image at the top that moves downwards when you hover over it.
If you can't do anything useful or dangerous with it, it's not really an exploit.
Just because it worked once "at a certain time" means nothing. Literally nothing.
Whats not always stable? Rightclick > view source literally just views the code of the webpage being displayed, there is nothing fancy at work here, it is basically just un-rendering the web page into plain text.
Yes, of course everything was broken, you embedded a copy/pasted version of the page into the page itself, so things would be linking to subdirs of a subdir and not linking properly.
Again, this is not an exploit, not even close or remotely of the sort.
Just like if I copy/paste your post right here, it is not an exploit (if MCF had HTML embedding enabled, it would be an exact copy of your post).
I was even able to rep your post from the copy/paste below, because it is just a website link, there is no exploitation going on here.
#4
Coal Miner
Techy4198
- Members
- 127 posts
fm87, on 22 July 2013 - 07:31 PM, said:
That is not exactly an exploit.
Some forums enable HTML embedding in posts, all you did was embed the webpage onto the webpage in a post.
There is no exploit here and there is nothing out of the ordinary.
You don't need to use developer tools to grab source either, just rightclick > view source.well it is an exploit, since it only worked once, at a certain time. I have never made it work again. also, right click > view source just brings up exactly what I can get thru developer tools, plus its not always stable on this pc :/
edit: also I believe that most of the features of the webpage were broken in this 'embedded' version, the only fully working part was the image at the top that moves downwards when you hover over it.
casahasa0603, on 12 May 2013, said:
Why watch MLP? You can watch just one episode and instantly fall in love with it. I bet "haters" are just afraid to admit that they actually like the show. Go watch the show! And if you like it.. well.. WELCOME TO THE HERD!
No you cannot embed HTML into posts.
(P.S you exploit vulnerabilities)
2. so it is an exploit?
3. I have no idea what cartoon your avatar pic is from but holy shoot its creepy without a nose...
You should not be able to embed javascript into posts either but seeing how it's only happen once to you it really doesn't matter. We also don't know if that forum is running the same version of IPB as us, this version is also modified.
If you do have concerns, get in touch with IPS.
I fail to see how you could gain anything from this, it does not allow you to bypass permissions or spam etc so it is not a vulnerability and you cannot exploit it.
Don't all of the ponies in MLP have no nose either?
Though this should surprise nobody, the exploit and vulnerability was explicitly ENABLED on the other forum. You have to explicitly enable HTML in posts and/or signatures through Ip.Board. I'm unimpressed but not surprised that such a feature would allow <script> tags to execute, but I suppose that is why it's disabled by default.Basically it's a checkbox with a bunch of warnings about how it will enable XSS and stuff and some moron decided "What could possibly go wrong" and enabled it.
1. 'should not be able to embed javascript' so it is something unintended.
2. javascript can do quite a lot.
3. they do have snouts (noses). don't wanna post pictures so if ur rly interested (99.9% sure ur not) just google it
The owners of the board can enable/disable it, and IPB has many versions, so old versions might allow it and new ones might not.
You are assuming there is an exploit without taking all the variables into consideration.
So? So can HTML and CSS.