I propose a new forum be created in the "Other" category, with permissions set
to allow HTML in posts using a [dohtml][/dohtml] tag.
Reasoning:
We're all here to have fun by now, and HTML/CSS abuse is a treasured MFGG heritage that was sadly disabled at some long-forgotten point along the road. This is an example of MFGG's desire to portray themselves as sleek and professional, at the expense of the users' enjoyment.
CSS3, which has been finalized and gained universal browser support in the years since HTML abuse was banned, allows for things like drop shadows, text shadows, rotation, skewing, 3D transforms, and even filters like blurring, saturation, etc. Imagine the possibilities!
As the functionality will be limited to one forum, it won't detract from any existing threads.
You guys randomly added like five boards out of nowhere a while back, which proves to me that the administration has lightened up in terms of humor.
Hard mode:
Enable javascript too. This is a really shitty idea but it would be hilarious.
With a grand total of four (4) votes, this is the largest voter turnout in
recent Winus Morld history. With the resounding success of this motion now
confirmed, I propose we move on to the next topic of discussion: What should
the HTML abuse forum be named?
The session cookies are marked HTTPOnly, which means client-side scripts (JavaScript) can't read them, so you should be safe from people hijacking your session, but
The session can easily be read from the logout link instead. You know how people would sneak in logout links everywhere? A measure was taken against that so logout links only work if they have the session ID attached to them. Normally no one will know what your session ID is (so it's a good measure against arbitrary logout links), but allowing arbitrary JavaScript allows your session to be read by any member who can post JS, since the logout link appears on every single page.
HOWEVER phpBB does something to come up with a cookie name that you can't reasonably guess. I'm not sure how it's generated yet but you might be able to deduce it with some research in phpBB internals though.*
even if it turns out using someone's session is impossible, it should still be possible to post as them using xhr requests to grab a csrf token and then make a post request in the correct spot. more work than stealing a session and you'd have to code what you'd want to post in advance but could be dangerous enough
*actually looks like this is generated on install? so everyone should have the same cookie names, which means it should be easy to steal a session
yeah if there's any potential for abuse at all it's probably a good idea to
not touch this suggestion. might seem paranoid but looking at what mfgg
members have done in the past when more was on the line than whatever they may
have going on mw, yeah
for the most part I don't think there's anything someone could do that
couldn't easily be undone, and it should be pretty easy to see who posted
JavaScript and deduce the source of whatever.
If your session is hijacked I believe it'll be invalidated if you click the
logout link. No one can change your password or update your email (for
password recovery) without your current password, so accounts couldn't be
completely stolen.
I guess it would be easy enough to do some sort of phishing to grab
someone's password though. This would require the would-be hijacked to enter
their password into some abnormal place, which may or may not be pretty
obvious that it's not a real login page.
Do admins need to log in again in order to access the admin cp? If not, it may
be possible to get into the acp with a hijacked session.
If you're browsing under HTTPS, your browser refuses to interact with non-HTTPS
content. This means it would be harder to steal your session because HTTPS is
kind of non-trivial to set up at the moment. (though maybe you could make the
script PM you a stolen session ID using the forum software lol)
anyway here's what you could do with a stolen session and/or overly-
complicated xhr requests: anything you can normally do when logged in aside
from what's mentioned above.
What could be sensitive? I guess the most sensitive thing for the average
member would be PMs, which I've told you all before was a bad idea. Moderator
controls could be accessed too I suppose. Aside from that your board settings,
which probably don't matter too much but it'd be annoying if someone changed
those around. I guess the foes list which isn't really sensitive info aside
from the fact it's against the rules to share it.
so not so much a good idea to allow JavaScript. Not too much fancy stuff you
could do with CSS/HTML alone but I guess that could be used for phishing. so
also bad?
idk this post is a mess, just thoughts of what could be done. figure it'd be a
good idea to lay on the table what's possible before we do anything.
Just to clarify: if we restrict this to HTML and CSS, then literally the worst
thing that could happen is somebody disguises a link to malware. Stick a
disclaimer in the board description and your hands are clean. With HTML and
CSS there is absolutely no risk of getting into someone else's account; if I'm
somehow mistaken, then that's astronomically, laughably insecure and we need
to abandon this forum software as if it were a dying star.
The JS suggestion was a joke. Please don't do that oh god
EDIT: What if you created a style declaration to override styles applied to
links? Something like:
With HTML/CSS only you'd have the following concerns:
As mentioned before, phishing. One could create a page identical to the login form and put it on top of a thread. It'd be pretty obvious it wasn't real so I guess it'd be pretty funny if someone filled it out. But still. This becomes a bit more legitimate-looking if the board is open to non-registered users, since someone who is logged out could click on this thread and think they need to log in to see it I guess. A sophisticated enough phishing page could attempt to login with the credentials to confirm if they're real or not too.
You really need to make sure that JavaScript can't be posted. Beyond just the script tags, you have to block the onclick="", onhover="", etc attributes from HTML tags, the href="javascript:whatever;" links, base64 data uris, and maybe some other stuff I don't know about.
CSS was once allowed in signatures at MFGG. Someone created a thing to modify their own poster info with it, and people thought it was cool. Then people abused it by changing around other people's info. If people are still sensitive to changes to other people's info being messed with, it might be a good idea to have strict rules against that.
First of all, this should only be open to registered users for sure. And if
it's not already, registration should require approval. We receive so few new
members that I don't think anyone will really have a problem with this. Out of
the ~10 active members here, I doubt anyone would make a serious phishing
attempt.
As for Javascript, it doesn't seem unfeasible to block it all out. Maybe it
would even be easier to create a curated list of allowed HTML elements,
disallowing all attributes apart from "class". I actually think
and
and probably would be enough, though I'm assuming bbCode is still
parsed within the [dohtml] tag.
Point 3 isn't really an issue, since you'd have to post within this board for
anyone's code to affect your posts. And even then, people could only affect
posts within that board on an individual page basis, so it doesn't really
seem like a big deal.
yeah i think whitelisting is a pretty common way of making pages work with
'safe' html only.
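The allowlist approach discussed in the posts above (a curated set of elements, no attributes other than "class"), as an added example that is not part of the thread and is not phpBB code. It is written in Python for illustration; the element list and the names `ALLOWED_TAGS`, `DROP_WITH_CONTENT` and `sanitize` are assumptions, and the sample input is constructed.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"div", "span", "p", "b", "i", "em", "strong"}  # assumed list
ALLOWED_ATTRS = {"class"}                # every other attribute is dropped
DROP_WITH_CONTENT = {"script", "style"}  # remove the element and its body

class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags; everything else becomes escaped text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text
        kept = "".join(f' {k}="{escape(v or "", quote=True)}"'
                       for k, v in attrs if k in ALLOWED_ATTRS)
        self.out.append(f"<{tag}{kept}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:
            # Close back to the matching open tag so output stays balanced.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    while parser.open_tags:  # close anything the poster left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)

# Constructed sample: event handler, javascript: link, script, inline style.
SAMPLE = ('<div class="box" onclick="steal()">hi '
          '<a href="javascript:alert(1)">link</a><script>alert(1)</script>'
          '<span style="position:fixed" class="x">ok</span>')

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Because the output is rebuilt from the allowlist rather than filtered from the input, event-handler attributes, `href` values and inline `style` never reach the page, whatever form they take.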
doHTML was an IPB thing. I don't think newer (ones younger than 12 years old)
offer it at all, and phpBB doesn't have anything like it. phpBB by default
locks down the ability to post HTML for good reason as far as I know.
Apparently phpBB2 allowed you to allow a limited subset of HTML but 3 removed
this functionality entirely.
So we'd have to find a modification that brings that functionality in, or
build it custom (which won't happen, and even if it were plausible it wouldn't
really be worth the time to make it for phpbb lol). Hopefully if someone spent
the time to make a modification they'd put in all the necessary security
precautions. The only thing close to what we want that I found with a quick
Google search is allowing unrestricted HTML in posts and signatures, which is
almost 7 years
since the last update and in addition to being obviously dangerous it probably
won't even work... but then again the copyright in our footer only goes up to
2007 so who knows lol. actually this makes me wonder if there's any known
phpbb exploits that could work on the forum as-is
and either way the rules and warnings should be something to discuss before
launching the board, since not everything to do with this is strictly a
technical issue
according to the changelog we're on at least version 3.0.7-PL1. apparently
this file doesn't necessarily update when the software's updated so there
could be more updates since Mar 5, 2010 when 3.0.7-PL1 was released. So we're
probably on a phpBB 3.0.x version, where x >= 7-PL1, which was last updated in
May 2015. Anyway
typically the last number doesn't break modifications so that one could
probably work. but yeah it would definitely need some changes to suit us
the only CVE that might affect us is this one, which is the only one out
there for a version of phpBB higher than 3.0.7, but there may be other
vulnerabilities out there that aren't in the CVE database
which provided it doesn't impact performance, does a lot of excellent stuff to
make HTML safe for posts. Read about it on its comparison page - which is
definitely the author
selling up their code but it looks so good that it may even be safe enough to
allow HTML board-wide. (we could still have a specific board or thread for
doing wacky/creative stuff with it though of course)
So how do we start to get the ball rolling on this?
i'm still weighing the pros and cons in my head myself plus i'd like to get
elyk's input on the idea as well, if that kesha getting some technical access
suggestion ends up being a thing that would also be a part of implementing
this since he seems to have a lot better of an idea of how to not make this a
horrible exploit pit
Fri Jan 15, 2016 06:31 PM Create an HTML abuse forum by Spritey:
Fri Jan 15, 2016 07:57 PM Re: Create an HTML abuse forum by Yrr:
Fri Jan 15, 2016 08:45 PM Re: Create an HTML abuse forum by Draku:
Fri Jan 15, 2016 09:25 PM Re: Create an HTML abuse forum by World'sTallestLadder:
Fri Jan 15, 2016 09:27 PM Re: Create an HTML abuse forum by Bitteh:
Fri Jan 15, 2016 09:27 PM Re: Create an HTML abuse forum by Draku:
Fri Jan 15, 2016 09:34 PM Re: Create an HTML abuse forum by World'sTallestLadder:
Fri Jan 15, 2016 09:37 PM Re: Create an HTML abuse forum by Bitteh:
Fri Jan 15, 2016 09:38 PM Re: Create an HTML abuse forum by Draku:
Fri Jan 15, 2016 09:38 PM Re: Create an HTML abuse forum by World'sTallestLadder:
Sat Jan 16, 2016 07:43 PM Re: Create an HTML abuse forum by Spritey:
Sat Jan 16, 2016 07:59 PM Re: Create an HTML abuse forum by World'sTallestLadder:
Sat Jan 16, 2016 10:57 PM Re: Create an HTML abuse forum by Oracular:
Sun Jan 17, 2016 12:19 AM Re: Create an HTML abuse forum by JoshJDubya:
Sun Jan 17, 2016 01:04 AM Re: Create an HTML abuse forum by World'sTallestLadder:
Sun Jan 17, 2016 01:13 AM Re: Create an HTML abuse forum by Draku:
Sun Jan 17, 2016 01:40 AM Re: Create an HTML abuse forum by World'sTallestLadder:
Sun Jan 17, 2016 01:42 AM Re: Create an HTML abuse forum by McPhresh:
Sun Jan 17, 2016 09:52 AM Re: Create an HTML abuse forum by Spritey:
Sun Jan 17, 2016 12:46 PM Re: Create an HTML abuse forum by World'sTallestLadder:
Sun Jan 17, 2016 04:56 PM Re: Create an HTML abuse forum by Spritey: