eldest said: why not instead of wasting your time on a white/blacklist for sites, you simply make it you need a certain post count/account age to be able to post images? or a combination of both? all these tossers making dummy acounts to post gore shit wont be able to if you need, for example, a 3 month old account to be able to post images, or an account with x amount of posts. that way even if someone attempts to go to all that effort, instead of losing 30 seconds of time making a new account, it will take months. That will be unfair to new users and the problem we're having is a hacker. Little things like post count and account age don't matter much to one of those. |
 |
| As mentioned a few times before, the solution to the basic access authentication injection would be making sure the URL given to the img tag is a real image. However, doing this every time for every img tag with PHP isn't be viable for a site of huge size like this, since you have to download the image or a part of it. I was thinking that maybe you could make clients do the pre-check rather than handling it server-side. For instance, all img tags could be parsed with a loading image as a place holder and once the page loads, a JavaScript function could first make sure that the image is valid and then embed the image. In my tests with Chrome and Safari, if you provide a username and password for the AJAX call, browser doesn't trigger the basic access authentication pop-up. Here's an example code I have been testing things with: https://gist.github.com/silentguardian/7005884 I'm no expert when it comes to client-side scripting, so I'm sure if this will be a huge burden to the browser. Maybe images could be embedded as the image comes in sight of the user and this may even speed up the page loads or images that can't be loaded maybe marked as broken and removed in fail method. If the behavior is the same in other browsers too, it might be something to consider. |
| And slowly, you come to realize... It's all as it should be... |
basmimarsinan said: As mentioned a few times before, the solution to the basic access authentication injection would be making sure the URL given to the img tag is a real image. However, doing this every time for every img tag with PHP isn't be viable for a site of huge size like this, since you have to download the image or a part of it. I was thinking that maybe you could make clients do the pre-check rather than handling it server-side. For instance, all img tags could be parsed with a loading image as a place holder and once the page loads, a JavaScript function could first make sure that the image is valid and then embed the image. In my tests with Chrome and Safari, if you provide a username and password for the AJAX call, browser doesn't trigger the basic access authentication pop-up. Here's an example code I have been testing things with: https://gist.github.com/silentguardian/7005884 I'm no expert when it comes to client-side scripting, so I'm sure if this will be a huge burden to the browser. Maybe images could be embedded as the image comes in sight of the user and this may even speed up the page loads or images that can't be loaded maybe marked as broken and removed in fail method. If the behavior is the same in other browsers too, it might be something to consider. on the php note there are sites that use the signature php on their side, then refresh the image whenever there is an update to the list in question. one such site is: signature.i906.com.my they create dynamic signatures, it's all done on their side and used in IMG tag form. the URL tag they give you is easily removed so as not to bug people with no interest in clicking signatures. |
 |
| sorry for double post! Can anyone tell me how I keep seeing image signatures even though the img bbcode have been disabled? |
|
| Yeah, it's basic access authentication injection as was told here: Xinil said: This isn't an XSS issue. It's a 'basic access authentication' injection. We've largely resolved any XSS attacks. It's just how browsers behave. This post describes how you can replicate the issue: http://myanimelist.net/forum/?topicid=671199&show=80#msg25555311 And I was discussing some options here on the last page, if you are interested, which I guess will be lost anyway: http://myanimelist.net/forum/?topicid=671199&show=140#msg25775993 |
| And slowly, you come to realize... It's all as it should be... |
| I want img back like now! |
| Boa lek =P |
parfaited said: Each passing day without the ability to use [img] makes another day of my life wasted. Fixed. |
   |
Newser said: Not.parfaited said: Each passing day without the ability to use [img] makes another day of my life wasted. Fixed. |
| Hope you guys fix [img] soon! |
Undim said: I'm going to take an educated guess and say the issue is the code and not the gore. I don't think there's any way of allowing people to post images without allowing them to post gore images. You can take measures to prevent it from being spammed and you can make rules against doing it at all, but images are images. ^This, even with the idea of a "Whitelist" nothing stops someone from uploading gore images to a trusted site, is this the only thing preventing the [img] tag from coming back? or was the "fake login" stuff done via that BBCode also? If I'm not mistaken we have [img] working on our profile and club walls atm? Maybe we could at least have it working in Club Forums? I don't believe they really got hit with all the spam like the main boards did and its putting some Club stuff on hold since can't use the tag. Finally, Won't inappropriate images be less of a problem if the "fake login" is fixed? Will be no more multiple accounts posting the same stuff? Maybe I'm just optimistic. |
 |
| I really want to change my signature. >_< |
 "And if, there were so many people in the world, there had to be someone living an interesting life that wasn't ordinary. I was sure of it. Why wasn't that person me?" - The Melancholy of Haruhi Suzumiya Part V [/center] |
| I hope you can fix! I will be waiting to change my signature ~ |
 |
| Good luck in fixing! I just want to be able to get a signature in the first place...lol |
icantfeelmyarms said: Abreast = SideboobJoshyPHP said: abreast Sushiii said: If someone has to spend their time hacking MAL then time probably isn't an issue for them.Pls, just turn back image bbcodes! The hacker can't still be here. Who the fk has that much free time? |
MinagatachiOct 20, 2013 1:57 AM
| Signature removed. Please follow the signature rules, as defined in the Site & Forum Guidelines. |
| [img] come fast , fak those who misused it. I'm craving to change my sig , duh . |
"Children of Japan. And those who were once children. Listen! This is not a dream. This is not fiction. In reality, your superheroes were always fighting. To teach viewers courage and the meaning of justice! No matter how many enemies there are. No matter how strong evil is. Just remember. Does any another country have so many heroes? Has any another country been protected by multiple superheroes? Stand with me, friends! Remember when you used to watch your superheroes! Once you may have given up this dream. But today, you can be a hero!" - Kaname Jouji , Red Axe |
| Sorry for the question, but I noticed that too without putting the code [url] I was posting the link that I was set to give way, why? Before when the inserivo the tag on BBcode wrong! Is something wrong or am I not understand it? Thank you! |
 |
| @ Undim: Thanks! ^_^ |
|
| I think many (myself included) want [img] back partially to fix/change their signature. Those who have not changed their signature have not been effected though, so I'm thinking maybe it could be possible to have an individual appeal query for people to post so their sig can have the code applied? If it's even possible to turn it on individually for one sig for one update, anyways. |
 |
| I think MAL should accept safe sites for [img] tag. (flikr, tinypic etc) Like AniDB accepts few imagehosting sites. |
bxyhxyhOct 22, 2013 11:42 AM
Sorry for my bad English. |
| I for one have a lot of patience so I don't mind it too much :) |
 |
Xinil said: There are still issues we're trying to solve for [ img ], and if you're knowledgeable in the web space, please let us know any ideas you have on how to prevent [ img ] tags from loading malicious content from other sites. Our current best idea is a blacklist or whitelist of domains. Whitelist a certain few renowned ones like imgur, imageshack, flickr, tinypic and blacklist everything else. Man, I have been itching to make changes to my profile but I am stuck! :/ Why not make a poll to see how many of the MAL users a. are for whitelist/blacklist b. are okay with more time to look for alternative solutions c. don't care at all? I am sure of what most of us will be picking and with the results of the poll, MAL will have a resolute way to address the issue and put it to bed. It's been almost six years since I have been here and I still enjoy my time here everyday. Thanks for all the hard work! :) |
| Stay Home and Wash Your Hands. Protect Yourself. Protect Your Loved Ones. Protect Your Community and Help Defeat Coronavirus. |
| Some sites are known to use an imageshack account to put user-uploaded image content on. They would then create a link for that uploaded image with a domain as their own to redirect to that imageshack image. |
StefanBashkir said: Some sites are known to use an imageshack account to put user-uploaded image content on. They would then create a link for that uploaded image with a domain as their own to redirect to that imageshack image. Yeah, and while on that subject, a lot of people are using custom php signatures from like anime scripts and those are hosted on misc sites. I think a white list would not be a good solution. On the same side, a blacklist leaves too many holes open and if someone really wants to do an attack, it is not difficult to side step it. I do not think black listing would be good either. As a someone studying security, I really have shamefully little knowledge about how to actually go about preventing such exploits. I don't fully understand how the exploit occurs either so I guess that's no help xD |
|
| An easy way could be to make a image upload for signatures for now, although that will take away the huge amount of freedom we have, it will allow users to put new images on their forum settings. A few things might need to be implemented before that can work but it should be much simpler for the trade off of lack of creativity. However, in the time of writing this, I thought about having an upload image site on MAL for say 4 or 5 images as a image host with restrictions of course, that way it can be regulated in a way? (I'm aware of the server load and that's why I don't think this will work out, but who knows maybe) And while on that topic, we have an auto generating signature that I rarely see anyone use here. I mean it's kinda sitting there, perhaps you could use it as a starting ground for signatures hosted by MAL. |
 |
| fix plsssssssssssssss |
Xinil said: __________________________________________________________________________________________________________________There are still issues we're trying to solve for [ img ], and if you're knowledgeable in the web space, please let us know any ideas you have on how to prevent [ img ] tags from loading malicious content from other sites. Our current best idea is a blacklist or whitelist of domains. I may just be telling you something you already know, but I'll have a go at it anyway... I believe MAL has been suffering XSS (Cross-site scripting) attacks. Code is placed between the [img]...[/img] tags in a way that it leaks through into the HTML when the page is rendered. The malicious scripts are then run by the client web browser. The NoScript plugin on Firefox can kill these, but not everyone uses NoScript. It seems the industry standard solution is to filter out any keywords and characters commonly used in scripting. Everything other than the image url (including certain special characters) must be removed when converting [img]...[/img] to <img src= /> I'll reference the following articles: (Note: These are not detailed how-to guides, but they can point you in the right direction) Tip: Prevent XSS Attacks What is Cross Site Scripting and How Can You Fix it? Preventing XSS Attacks __________________________________________________________________________________________________________________ A blacklist or whitelist of domains is a bad idea because... Blacklist: * Domains are so easy and cheap (or free) to obtain that the hacker can just get a new one whenever one of his are blacklisted. Whitelist: * There are many different image hosting services in use by MAL users. You would need to add many different sites to the whitelist. * Not everyone hosts with image hosts: Some people self-host on their own domains, or use other services like Dropbox. There would just be too many possibilities to add them all. * If any of the approved sites are compromised, it defeats the purpose. More sites on the whitelist = greater possibility of MAL getting hacked. * It would no longer be possible to hotlink images that we find on google or other websites that have not yet been approved. * All of the above being a massive inconvenience for some MAL users. * It still won't block XSS: A hacker could use a legitimate image followed by his script to bypass the domain filter. __________________________________________________________________________________________________________________ If anyone is curious about my signature... __________________________________________________________________________________________________________________ |
NyaaOct 24, 2013 2:44 AM
 |
| The problem isn't XSS. See the following: basmimarsinan said: Yeah, it's basic access authentication injection as was told here: Xinil said: This isn't an XSS issue. It's a 'basic access authentication' injection. We've largely resolved any XSS attacks. It's just how browsers behave. This post describes how you can replicate the issue: http://myanimelist.net/forum/?topicid=671199&show=80#msg25555311 And I was discussing some options here on the last page, if you are interested, which I guess will be lost anyway: http://myanimelist.net/forum/?topicid=671199&show=140#msg25775993 |
| And slowly, you come to realize... It's all as it should be... |
| There are people out there who are writing entirely in bright yellow. I'm not sure if I welcome the colour feature back. |
BURSSS BURSSS BURSSS SWAG -GMCFosho |
basmimarsinan said: The problem isn't XSS. See the following: basmimarsinan said: Yeah, it's basic access authentication injection as was told here: Xinil said: This isn't an XSS issue. It's a 'basic access authentication' injection. We've largely resolved any XSS attacks. It's just how browsers behave. This post describes how you can replicate the issue: http://myanimelist.net/forum/?topicid=671199&show=80#msg25555311 And I was discussing some options here on the last page, if you are interested, which I guess will be lost anyway: http://myanimelist.net/forum/?topicid=671199&show=140#msg25775993 I obviously missed those posts. Thanks for the update. So, People are entering their MAL passwords into a form/dialog other than MAL's login page? 1. Place a warning on MAL's login page in big red text warning users not to enter their MAL passwords anywhere else. (even on other MAL pages). 3. I would suggest to simply check if the image file exists when converting images BBCode to HTML as the authorisation requirement would prevent MAL's web server form accessing the file. The problem with this and some of the previous suggestions in the thread is that the hacker could leave the image unprotected, successfully embed it, then modify his .htaccess file. MAL would have to check the images on each page load, which would probably be too much for the servers. And if it isn't, the extra resources consumed would make MAL even more susceptible to DDOS attacks. basmimarsinan said: 4. Your idea of using MAL's own javascript would keep the workload off the servers, but, I'm thinking the page load times may suffer on slow PCs - or at least the times it takes to fill in all the images - which may make it a nightmare to scroll.I was thinking that maybe you could make clients do the pre-check rather than handling it server-side. For instance, all img tags could be parsed with a loading image as a place holder and once the page loads, a JavaScript function could first make sure that the image is valid and then embed the image. In my tests with Chrome and Safari, if you provide a username and password for the AJAX call, browser doesn't trigger the basic access authentication pop-up. Still, it's the best solution so far. basmimarsinan said: This would be a huge improvement. I believe it has been requested multiple times on the suggestions forum before.Maybe images could be embedded as the image comes in sight of the user and this may even speed up the page loads or images that can't be loaded maybe marked as broken and removed in fail method. If the behavior is the same in other browsers too, it might be something to consider. It may mess with the scrolling, but it would do wonders for users with slower PCs and or internet connections. I personally support this. Also, images inside spoilers should not load until the spoiler tag is opened - just like youtube videos do. Which brings me to the next point... Why is the [yt][/yt] tag still disabled? Surely it doesn't suffer from the same vulnerability...? Back on topic... 5. If that doesn't work out, we may end up having to rely on a whitelist of reputable hosts that are more secure than MAL, and all the disadvantages that come with this solution. It also leaves open the vulnerability of existing embeds. The hacker simply needs to compromise any of thousands of sites from which images were previously already embedded on MAL, or buy the domain of one that's no longer around, configure the web server accordingly, and post a few links to the page it was embedded on. It may not be as effective, but he could still compromise a few accounts this way. Hikikomori2001 said: The workaround is obviously to just modify the image slightly, and post it again to circumvent the ban on the image.in addition to all the above mentioned things, here's another piece: when [img] code gets uploaded to MAL, generate a checksum code for the image checksum code gets stored in database if two same images are uploaded (even from different servers) they should generate the same checksum code, when mod ban's an image, that image's checksum code gets flagged in the database as a no-go and censored. ...not that I know anything of anything, and am probably reading the question wrong even....hehehe :D However, this did give me an idea... 6. To quickly identify compromised accounts and stop spammers: No-one posts the same image multiple times in quick succession if they're not spamming. Identify multiple postings of the same image (whether just checking the URL or using a checksum) and automatically disable - and flag for review - user accounts that embed the same image a certain amount of times within a certain time frame. A warning pop-up message could even be included to warn legitimate users one posting before they reach the auto-ban limit. More on XSS: (now less relevant) |
NyaaOct 24, 2013 5:19 PM
|
| ...and that's why NoScript add-on is a must have in your browser to prevent all those XSS attacks: https://addons.mozilla.org/en-US/firefox/addon/noscript/ |
 |
gamamew said: ...and that's why NoScript add-on is a must have in your browser to prevent all those XSS attacks: https://addons.mozilla.org/en-US/firefox/addon/noscript/ and what about people who doesn't use Firefox? Firefox is too slow, testing out the color :D |
| What's the vulnerability? if (filter_var($imageUrl, FILTER_VALIDATE_URL)) { // test if image url given is a valid url ... } <img src="<?=htmlspecialchars($imageUrl); ?>"... What's not safe about this if I may ask? |
  |
busydude said: Do the smart thing and upgrade to a better browser. *cough* Firefox. *cough*gamamew said: and what about people who doesn't use Firefox? Firefox is too slow, testing out the color :D...and that's why NoScript add-on is a must have in your browser to prevent all those XSS attacks: https://addons.mozilla.org/en-US/firefox/addon/noscript/ __________________________________________________________________________________________________________________ NoScript saved me during the last XSS attacks, but as I was just informed a few posts ago, it seems that the XSS problem has already been solved and the issue now is "basic access authentication injection". If I read the previous posts correctly, this is what happens... By refrencing an image on a password protected web server, the hacker causes your web browser to present you with a password dialog. Despite this looking nothing like the MAL login page, some of the less intelligent users are typing their MAL login details in there, thinking it comes from MAL, and blindly handing their usernames and passwords to the hacker. |
|
Virtual_BS said: busydude said: Do the smart thing and upgrade to a better browser. *cough* Firefox. *cough*gamamew said: and what about people who doesn't use Firefox? Firefox is too slow, testing out the color :D...and that's why NoScript add-on is a must have in your browser to prevent all those XSS attacks: https://addons.mozilla.org/en-US/firefox/addon/noscript/ __________________________________________________________________________________________________________________ NoScript saved me during the last XSS attacks, but as I was just informed a few posts ago, it seems that the XSS problem has already been solved and the issue now is "basic access authentication injection". If I read the previous posts correctly, this is what happens... By refrencing an image on a password protected web server, the hacker causes your web browser to present you with a password dialog. Despite this looking nothing like the MAL login page, some of the less intelligent users are typing their MAL login details in there, thinking it comes from MAL, and blindly handing their usernames and passwords to the hacker. *cough*I used Firefox for many years, and found it slow.. that's why I switched to Chrome*cough* |
busydude said: Chrome had it's moment of glory, Firefox is faster than chrome now.*cough*I used Firefox for many years, and found it slow.. that's why I switched to Chrome*cough* It also doesn't crash as often as chrome does. I tried chrome briefly on my laptop a few weeks ago. It used 4 times more ram than Firefox and froze for minutes at a time when I had 5 or more tabs open. Firefox didn't have that problem. As long as you don't install bad extensions, or more extensions than you have RAM for, Firefox is fast an efficient. Plugins are isolated, so they don't crash the browser. On the rare occasion that it does crash, it restores your tabs as if nothing happened. It also has far better security and more fine-grained privacy settings standard, and better extensions are available for Firefox than chrome. |
|
PonyMaster5000 said: Maybe you're just having issues; MAL has always updated immediately for me.Have you guys done anything recently with the servers? They're running MUCH faster than before. I just plugged in that I rewatched Welcome to the NHK 3 hours ago, and it UPDATED. |
|
| THANKS ALOT |
Virtual_BS said: Actually there have been some improvements to the statistics calculation recently. Stats are updating faster than before. Everything else has always been fairly immediate. That is unrelated to the bbcode, however.PonyMaster5000 said: Maybe you're just having issues; MAL has always updated immediately for me.Have you guys done anything recently with the servers? They're running MUCH faster than before. I just plugged in that I rewatched Welcome to the NHK 3 hours ago, and it UPDATED. |
 I am a banana. |
busydude said: Sorry the NoScript author already said that because of the multiprocess tab architecture of chrome it prevents the plug in to work as it should.gamamew said: ...and that's why NoScript add-on is a must have in your browser to prevent all those XSS attacks: https://addons.mozilla.org/en-US/firefox/addon/noscript/ and what about people who doesn't use Firefox? Firefox is too slow, testing out the color :D In other words it can't be ported to Chrome easily, more like it has to be redesigned from zero. But there are 2 alternative options (as far as I now) for Chrome: - NoScripts: https://chrome.google.com/webstore/detail/notscripts/odjhifogjcknibkahlpidmdajjpkkcfn - ScriptSafe: https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf/details I haven't tried those since I'm a Firefox user and don't know if they are as good as FF's NoScript. |
| |
| I noticed the login page is now blocked by a CAPTCHA. This would be great if it wasn't also blocking MAL Updater from connecting to my list :( |
|
| I'm still not able to change my sig, IMG not working :/ |
| Not seen the CAPTCHA myself yet, I'm having so many login problems though :( finally did not tick Remember Me and got in but for how long who knows. I'm curious if the CAPTCHA is a solution that might mean [img] comes back... I imagine the use for it is to block a bot to logging into various accounts for spamming, or maybe its a complete different reason but I can't imagine another one atm. |
|
Hmm, I haven't seen that CAPTCHA either. I guess all the new updates isn't working then?  Posts! |
VenneriaOct 28, 2013 2:24 AM
| This whole vulnerability thing and disabling various features and now adding a non-human wall is getting kind of ridiculous. It's breaking anything that is not manual like automatic/manual list updating applications (MAL Updater), things trying to read the RSS feeds like dynamic signatures, and probably even mal graph. I said earlier in the thread that even though I'm supposed to be a professional in this field, I would not have any experience to fix it, but I definitely do not see this capcha thing as a remotely good solution. I'm not critisizing whoever's idea it is, because I'm sure they don't think so either nor are my ideas actaully rooted in experience (so I don't bother saying them), but I hope a new, better solution can be implemented. I think someone out there has to know a solution to these vulnerabilities. As I see it, what is being done now is not a solution; it's a work around >_<. I don't believe white/black listing is a solution either as they are quite easy to work around too and come with their own various problems. tl;dr this post is a lot of ranting that does no help but I still hope you can figure out a solution :) |
|
Virtual_BS said: I noticed the login page is now blocked by a CAPTCHA. This would be great if it wasn't also blocking MAL Updater from connecting to my list :( Ah, so that's why MALUpdater has not been connecting to my list. It does update it though I don't know how (I was watching Outbreak Company two nights ago and it updated my list, despite being unable to connect to the server). |
|
More topics from this board
» [Challenge] You Should Read This Manga 2024 ( 1 2 3 4 5 )Kineta - Feb 23 |
208 |
by Nikmomo93
»»
2 hours ago |
|
» Try MAL's New Mobile Site! ( 1 2 3 4 5 ... Last Page )Xinil - Feb 15, 2015 |
423 |
by RED-clover12
»»
7 hours ago |
|
» Planned 5hr Maintenance, Thursday April 25 @ 1am-6am PTKineta - Apr 22 |
0 |
by Kineta
»»
Apr 22, 8:10 PM |
|
» New Site Update: Peak Anime 🗻 ( 1 2 3 4 5 )Kineta - Mar 31 |
213 |
by Lancelot73
»»
Apr 21, 4:28 AM |
|
» Heavenly Easter Delusion: Devil and Dolce ( 1 2 3 4 5 ... Last Page )Kineta - Mar 27 |
3332 |
by Terra_strong
»»
Apr 17, 8:26 PM |