

Killparadise

Member Since 11 Feb 2017

Topics I've Started

Lock Down Comments/Posts

06 March 2017 - 12:19 AM

Heyo! Me again!

 

As I've been lurking through the forums I've seen a lot of failed JS/HTML Script tag injections here and there. 

 

I'm not sure if it's just simple config changes, or if some have tried real hard and have gotten around security. I've been reporting them to admins directly as I find them, so they have been deleted.

 

As well as these items we have had a number of URLs (that have since been removed thankfully) pasted around by "trolls" to phish up IPs of our fair userbase. 

 

These are all things that are very easy to address to help keep everyone safe and the staff/owners safe in case someone was to get rather adventurous. 

 

For starters, let's lock down the forum posts and comment boxes. IPB has a config that should allow you to make these changes; if it's not already done, I suggest blocking any and all HTML tag injections into the box as a first form of defense.

 

Another layer of defense would be to sanitize user inputs to make sure nothing is getting through and no injections are happening. You could go the blacklist route here (Not Recommended) or build out a simple HTML encoder to pick up on things like URL query requests, script requests, etc.

 

Remember: Injecting can take form in the attribute context, URL context, JavaScript context, HTML context, and CSS context (there's more, but these are the main ones that cover the forum).

 

Sanitizing all of these is simple; just checking through the main input and encoding them via JS should be the only real thing needed to do here. This prevents them from putting or injecting anything dangerous onto the page. Of course this is also just the tip of the iceberg, but the tip is all we need for now, I reckon.

 

So, how do we prevent those weird malicious URLs that were trying to phish user IPs?

Well, those are fairly simple too. A simple approach would be to check the URL the person is clicking; if it isn't local to the forum or to a secure HTTPS connection, we should probably warn them before they leave the site with something like "Hey, we have no idea where this shit's taking you, soooo you sure about this?"

Or you can be advanced and just have a bot run a query on the URL to see what comes back and what it is doing upon accepting the connection, then deny and block the URL automatically. But that's a more... advanced approach and requires CORS or backend configuration and all that wibbly wobbly stuff.

 

Anyway I guess I am done rambling. 

 

TL;DR/Conclusion: Lock down your large inputs here. Put up some security or you're gonna have more than a few failure wannabes that copy/pasted something off some site somewhere. Or it'll be worse than an IP phisher. Keep your heads above the water. Oh, and keep up the good work.

 

Thanks,

   KillParadise
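As an added example (not part of the post above, and not IPB's own code), here is what the context-aware encoding and the "is this link leaving the forum?" check described in it might look like in JavaScript; `FORUM_ORIGIN` is an assumed placeholder for the forum's real origin.

```javascript
// Added example, not from the forum post or from IPB. FORUM_ORIGIN is a
// constructed placeholder standing in for the forum's real origin.
const FORUM_ORIGIN = "https://forum.example.test";

// HTML text context: neutralise the characters that can open markup.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Attribute context: hex-encode everything but alphanumerics, so a value
// can never close the surrounding quote or smuggle in a new attribute.
function encodeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript string context: same rule, using \xHH / \uHHHH / \u{H..} escapes.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return "\\x" + cp.toString(16).padStart(2, "0");
    if (cp < 0x10000) return "\\u" + cp.toString(16).padStart(4, "0");
    return "\\u{" + cp.toString(16) + "}";
  });
}

// URL context: resolve against the forum and allow only http(s). Any other
// scheme (javascript:, data:, ...) yields null and must not become a link.
function safeHref(raw) {
  let u;
  try { u = new URL(String(raw), FORUM_ORIGIN); } catch { return null; }
  return (u.protocol === "https:" || u.protocol === "http:") ? u.href : null;
}

// Classification behind the post's "you sure about this?" prompt:
//   "local"    same origin as the forum, no prompt
//   "external" leaves the forum over https, show the prompt
//   "insecure" leaves the forum over plain http, show the prompt
//   "blocked"  unsupported scheme, emit no link at all
function classifyLink(raw) {
  const href = safeHref(raw);
  if (href === null) return "blocked";
  const u = new URL(href);
  if (u.origin === FORUM_ORIGIN) return "local";
  return u.protocol === "https:" ? "external" : "insecure";
}
```

Each encoder is tied to one output context; applying `encodeHtml` to a value that lands inside an attribute or a script block is not enough, which is why the attribute and JS-string variants exist.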


SoundCloud Bots

20 February 2017 - 07:33 PM

SoundCloud bots are the best bots.
