Oct 3, 2013 11:12 AM
#1
Overlord

Offline
Nov 2004
5752
Before I mention anything, I want to apologize to everyone for the extended crippling of our bbcode.

If you're not aware, [ img ], [ color ], [ url ], and [ yt ] tags have been disabled for some time. Today we're re-enabling [ color ] and [ url ] tags.

There are still issues we're trying to solve for [ img ], and if you're knowledgeable in the web space, please let us know any ideas you have on how to prevent [ img ] tags from loading malicious content from other sites. Our current best idea is a blacklist or whitelist of domains.

We apologize for the inconvenience and hope to have this issue resolved in the near future. Any help we can get will surely enable us to get a fix out faster.
Oct 3, 2013 11:15 AM
#2

Offline
Jun 2012
6493
thank god we have color back
Oct 3, 2013 11:16 AM
#3

Offline
Mar 2012
18961
I'm itching to change my sig.
Kickstarter for Rokujouma is fully funded. Good work everyone. Let's wait for the result of our hard work together.
Oct 3, 2013 11:36 AM
#4

Offline
Jul 2011
3922
Thank you!

"A half moon, it has a dark half and a bright half, just like me…", Yuno Gasai
Oct 3, 2013 11:47 AM
#5

Offline
Aug 2012
828
It's a step to having everything back to normal, keep up the good work.



Oct 3, 2013 11:48 AM
#6
Oct 3, 2013 11:49 AM
#7

Offline
Jul 2013
358
It's okay man, take your time.
Oct 3, 2013 11:50 AM
#8

Offline
Mar 2008
3185
Thanks for the update Xinil!
Oct 3, 2013 12:29 PM
#9

Offline
Jun 2012
13754
Thanks for the update, and that's great.
NeoAnkara said:
I'm itching to change my sig.

Though I agree with this.
Oct 3, 2013 12:34 PM

Offline
Dec 2012
3019
This is good news for MAL
Oct 3, 2013 12:34 PM

Offline
Apr 2013
14519
This is great. Nice work.
an egomaniac and a fool

Oct 3, 2013 12:43 PM

Offline
Apr 2012
4896
Thanks, and good luck!
Oct 3, 2013 12:46 PM

Offline
Feb 2012
5478
Thank you!
Oct 3, 2013 1:15 PM

Offline
May 2012
19510
Ahh, I miss color BBCode so much x3
Glad the url code is back too.

Oct 3, 2013 1:22 PM

Offline
Dec 2012
1898
What's the point of having color BBcode if you're gonna have a bunch of people complain about it being used?

irony
Schools out, No job at moment, STILL hello MAL Eh..I will try to be online
Oct 3, 2013 1:36 PM

Offline
Sep 2010
396
img bbcode is really vulnerable to xss type attacks, it's because of hackers we can't have nice things.
Oct 3, 2013 1:38 PM

Offline
Dec 2009
603
About dang time Xinil, I think half the site was about ready to hang you for taking so long to give us an update. At least we know you care, unlike others who care more for popularity. Thank you for trying your hardest to bring them back up, Xinil.

Now, in regards to the way your other mods pick new mods, I believe TallonKarrde23 has some much needed ideas to discuss with you.

Oct 3, 2013 1:45 PM
Offline
Jul 2018
564084
YAY!
Oct 3, 2013 1:45 PM

Offline
Jun 2009
693
Thank you, Xinil! Much appreciated. It’s good to have features back.
I think, then procrastinate.
Therefore, I am.
Oct 3, 2013 2:51 PM

Offline
Nov 2012
694
COLOR!!
Oct 3, 2013 3:01 PM

Offline
Dec 2012
3002
NeoAnkara said:
I'm itching to change my sig.


In the meantime you can experiment with colors!
Oct 3, 2013 3:04 PM

Offline
Jan 2013
730
You won't get past blacklisting URLs; it is the most effective precaution. Also filtering words like 'gore', 'xxx', etc. in the links is very effective. Making the images non-clickable can help.

Then there is also the possibility of loading the image over the server proxy, preventing the attacker from directly attacking the users.

The use of an image filter would be a waste because there are more than enough character images that would proc the filter.
Oct 3, 2013 3:31 PM

Offline
Jun 2013
6077
KYA!
Looking forward to [img].
Oct 3, 2013 3:42 PM

Offline
Mar 2010
13681
Ty. for color/url!
Oct 3, 2013 3:47 PM

Offline
Jun 2007
2669
There's like a billion articles on how to prevent injection for home made bbcode. Here's one http://www.webhostingtalk.com/showthread.php?t=682647
Oct 3, 2013 3:49 PM

Offline
Jan 2013
1233
MAL is colorful once again!
Oct 3, 2013 3:50 PM

Offline
Oct 2012
444
As for the img, how about adding a 'Spam' button when hovering an image, and once someone (any member on the forum) presses it, the image is replaced with a spoiler button but with the name 'Show Spam', and a list of blocked images is updated that the mods can go through. But everyone can still see the blocked image by pressing the 'Show Spam' button, until a moderator takes a look at the image and if it's okay it's unblocked and if it's not okay the mod removes it permanently.

The 'Spam' button would of course open a dialog box where the user has to confirm the block and also maybe enter a captcha, and of course the username is saved, in case the user is trying to block images just to be an ass.
Baqa, Oct 3, 2013 4:05 PM
Oct 3, 2013 4:29 PM

Offline
Jan 2013
9442
I say you should make a whitelist with the most used web image hosters, like flickr, imageshack, photobucket, signavatar. And slowly expand it to some other websites by having requests from users. And where we have the signature settings, have the supported websites listed so people can see why their picture might not work and what they could use.
Oct 3, 2013 5:21 PM

Offline
May 2011
5184
Thanks a lot
Oct 3, 2013 5:51 PM

Offline
May 2012
124
Many thanks. I'm looking forward to getting [img] again for my signature I made 2 weeks ago.
Oct 3, 2013 5:56 PM

Offline
Dec 2012
4876
Do not worry about it. As long as it is for a better MAL. And thank you for the update.
I like anime.
Oct 3, 2013 6:23 PM

Offline
Nov 2010
2648
thank you for the updates! :D
Oct 3, 2013 6:25 PM

Offline
Aug 2012
16892
FINALLY.
Oct 3, 2013 6:26 PM

Offline
Oct 2013
289
SUPERB!!!!!!


"Hello."

Oct 3, 2013 6:50 PM

Offline
Apr 2009
376
My Profile picture isn't working. Is it supposed to be or no?
Oct 3, 2013 7:01 PM
Overlord

Offline
Nov 2004
5752
DeathfireD said:
There's like a billion articles on how to prevent injection for home made bbcode. Here's one http://www.webhostingtalk.com/showthread.php?t=682647
This isn't an XSS issue. It's a 'basic access authentication' injection. We've largely resolved any XSS attacks.
Oct 3, 2013 7:45 PM

Offline
Feb 2013
6196
Xinil said:
It's a 'basic access authentication' injection.
It's a browser issue. Unfortunately they all seem to handle this in the worst possible way. (I have since replicated the issue with wamp on my machine for fun)

I think the only thing you can do is have the server request the resources that people try to post for images. If there isn't an image on the other end... well, you decide what the consequences are. (easymode would be just stripping it from the post... or autoban, but that might be too much). Obviously that would put a load on the server. Even this can be bypassed, by detecting the MAL server IP and serving an image to it so the post gets made... unless you proxy...

There is no way to deal with this 100% without the browsers doing something about it. There will always be people that don't know any better.
BurntJelly, Oct 3, 2013 7:52 PM
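The "load the image over the server proxy" idea from earlier in the thread, and BurntJelly's "unless you proxy", both come down to the same design: the site's own server fetches the picture, inspects the bytes, and only then hands an image to the reader's browser, which never contacts the remote host at all. The following is an added example in PHP, not code from the thread and not MAL's code. It assumes a hypothetical endpoint path `/imgproxy.php`, a placeholder secret `IMGPROXY_SECRET`, and the helper names `proxy_url()`, `public_http_url()` and `proxy_fetch()`; the signed URL keeps the endpoint from being usable as an open proxy, and the private-range check keeps it from being used to reach hosts inside the site's own network.

```php
<?php
// Added example: a minimal signed image proxy (not MAL's code).
// The forum renders <img src="/imgproxy.php?u=<url>&s=<hmac>"> for an [img]
// tag; the proxy, not the reader's browser, talks to the remote host.

const IMGPROXY_SECRET = 'replace-with-a-long-random-secret'; // placeholder value
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

// URL the BBCode renderer would emit. The HMAC means only URLs that appeared
// in a rendered post can be fetched through the endpoint.
function proxy_url(string $remote): string
{
    $sig = hash_hmac('sha256', $remote, IMGPROXY_SECRET);
    return '/imgproxy.php?u=' . rawurlencode($remote) . '&s=' . $sig;
}

function valid_signature(string $remote, string $sig): bool
{
    return hash_equals(hash_hmac('sha256', $remote, IMGPROXY_SECRET), $sig);
}

// Only public http(s) hosts: a proxy that will fetch anything is also an SSRF
// path into the network it runs in, so resolve the host and refuse
// private/reserved ranges.
function public_http_url(string $remote): bool
{
    $p = parse_url($remote);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) return false;
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) return false;
    $ips = gethostbynamel($p['host']);
    if ($ips === false) return false;
    foreach ($ips as $ip) {
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) return false;
    }
    return true;
}

// Fetch the remote resource and return [mimeType, bytes], or null if it is not
// a plain image. A 401 challenge (the WWW-Authenticate prompt discussed in the
// thread), a redirect, a non-image body or an oversize response are all
// rejected here, and none of it reaches the reader's browser.
function proxy_fetch(string $remote): ?array
{
    if (!public_http_url($remote)) return null;

    $ch = curl_init($remote);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // no hopping to an unchecked host
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => MAX_IMAGE_BYTES,
        CURLOPT_USERAGENT      => 'imgproxy-example/1.0',
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200 || strlen($body) > MAX_IMAGE_BYTES) return null;

    // Decide the type from the bytes actually received, not from the remote
    // Content-Type header or the URL's extension; the remote controls both.
    $info = @getimagesizefromstring($body);
    if ($info === false) return null;
    $mime = image_type_to_mime_type($info[2]);
    if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true)) return null;
    return [$mime, $body];
}

// Endpoint behaviour; only runs when invoked over HTTP with u= and s= set.
if (isset($_GET['u'], $_GET['s'])) {
    $remote = (string) $_GET['u'];
    if (!valid_signature($remote, (string) $_GET['s'])) {
        http_response_code(403);
        exit;
    }
    $res = proxy_fetch($remote);
    if ($res === null) {
        http_response_code(404); // the browser sees a missing image, not a 401 or a script
        exit;
    }
    header('Content-Type: ' . $res[0]);
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: public, max-age=86400');
    echo $res[1];
}
```

Because every reader receives the bytes the proxy fetched, a remote host that serves a real picture to the site's IP and something else to browsers gains nothing, which is the bypass BurntJelly describes. The cost BurntJelly also mentions is real: the proxy makes one outbound request per uncached image, so the cache headers (or a cache in front of the endpoint) matter in practice.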
Oct 3, 2013 8:20 PM

Offline
Oct 2012
69
IT'S ABOUT TIME!!!!

I have to admit, I am upset that [ img ] is not working and/or available at the moment, but at least we finally got some sort of update. To be honest, although I am happy to see this update on MAL, I question why we could not be informed of this sooner. I guess it doesn't matter that much now, but just saying....
Oct 3, 2013 8:22 PM

Offline
Dec 2012
2736
Damn... The only two that I didn't care about get enabled

@topic question

I am 100% sure you could google it



Oct 3, 2013 8:34 PM

Offline
Apr 2009
376
Profile pic is now working again :)
Oct 3, 2013 8:45 PM

Offline
Jul 2013
94
Thank you for your efforts! Can't wait to finally make a sig that isn't just a jumble of Url and Img words!
Oct 3, 2013 8:49 PM

Offline
Jun 2007
2669
BurntJelly said:
Xinil said:
It's a 'basic access authentication' injection.
It's a browser issue. Unfortunately they all seem to handle this in the worst possible way. (I have since replicated the issue with wamp on my machine for fun)

I think the only thing you can do is have the server request the resources that people try to post for images. If there isn't an image on the other end... well, you decide what the consequences are. (easymode would be just stripping it from the post... or autoban, but that might be too much). Obviously that would put a load on the server. Even this can be bypassed, by detecting the MAL server IP and serving an image to it so the post gets made... unless you proxy...

There is no way to deal with this 100% without the browsers doing something about it. There will always be people that don't know any better.


Ah I was under the impression that it was XSS, my bad. I'm not familiar with authentication injection but couldn't you just check the image's exif info using exif_imagetype in PHP? If it's an authentication injection then php won't be able to return any exif info since it'll be redirected by the "hackers" server to a script. Xinil could do something like this when converting BBcode to html. If the image fails then strip the bbcode out.

<?php
// Look at the magic bytes of the remote resource. exif_imagetype() returns an
// IMAGETYPE_* constant, or false (plus a warning, silenced here with @) when
// the resource cannot be read as an image, which covers a 401 challenge or a
// script served instead of a picture. Needs allow_url_fopen for remote URLs.
$bbcodeImage = 'https://www.google.com/images/srpr/logo6w.png';

// One call instead of three nested ones: each call re-fetches the resource.
$type = @exif_imagetype($bbcodeImage);

switch ($type) {
    case IMAGETYPE_PNG:
        echo 'this is a png';
        break;
    case IMAGETYPE_JPEG:
        echo 'this is a jpeg';
        break;
    case IMAGETYPE_GIF:
        echo 'this is a gif';
        break;
    default:
        echo 'This is not an image'; // strip the bbcode in this case
}
?>
Oct 3, 2013 9:14 PM

Offline
Jul 2008
4806
Xinil said:

There are still issues we're trying to solve for [ img ], and if you're knowledgeable in the web space, please let us know any ideas you have on how to prevent [ img ] tags from loading malicious content from other sites. Our current best idea is a blacklist or whitelist of domains.


From a usability point of view, a whitelist is never a good idea since it restricts the user too much. A blacklist is a good second measure idea but it will also not be able to fully protect the users since it is easy for anyone to get a new domain. This also means that you will have to rely on people's report submissions to find the problematic images and ban their domain, which in every case will create some incident.

As for a primary solution have you tried the following?
-Verify if every image URL has tags inside of it before actually accepting the image, if they do you only have to refuse the post.
-Verify if the link to the image exists before actually showing it. This will stop people from abusing the onerror injection. Now I'm sure there's a way to test if the link contains only an image or not but I'm still not experienced enough to help on that end.

You also might want to check this
[url]http://www.webhostingtalk.com/showthread.php?t=682647[/url]
Oct 3, 2013 9:28 PM

Offline
Jul 2013
9331
COLORS!!!
Oct 3, 2013 9:36 PM

Offline
Mar 2010
439
Yey! Hoping for [img] code next time.
Oct 3, 2013 9:57 PM

Offline
Aug 2011
22
Thank you! Good luck with the [img] issues...

Please take your time to make MAL a safer place ^^
Oct 3, 2013 11:18 PM
Offline
Mar 2012
12938
Oct 3, 2013 11:26 PM

Offline
Dec 2012
4478
Oct 4, 2013 12:11 AM

Offline
Jun 2010
354
Why not [img] m8?

Oct 4, 2013 12:50 AM
Offline
Oct 2013
6
Hi,

I'm the author of a text-formatting library that handles BBCodes and other kinds of markup. You can find it on GitHub: s9e\TextFormatter. I've found this thread via a Google Alert that I have on BBCode-related keywords. I use Google Alerts to keep abreast of issues other people have with BBCodes, which brought me here.

@Xinil: what do you mean exactly by "loading malicious content from other sites"?

Some people mentioned XSS. There are two ways to exploit XSS: via a javascript: link and by breaking out of the attribute value. For the first one, I recommend having a whitelist of allowed schemes. In simple terms, test that every link starts with "http://" or "https://". For the second one, as long as the value is output between quotes (and since this page is XHTML, quotes are not optional anyway) and that you use htmlspecialchars() (possibly with ENT_QUOTES if you use single-quotes for HTML attributes) you should be safe. Although, come to think of it I realize that you might be simply using preg_replace() to replace BBCodes with HTML. That's typically the problem with most BBCode engines. In that case, you can use preg_replace_callback() to specifically target img BBCodes (and url BBCodes too) so that you can actually validate and sanitize the URL.

Now if your concern is that malicious users could use img BBCodes to load arbitrary resources in a user's cache, then there's no way but using a whitelist of trusted hosts, such as imgur.com. Blacklists can be sidestepped with any URL redirector and checking the resource to see if it's an image only works if the server serves the resource indiscriminately. For instance, a server could send an image to Firefox users and something completely different to Internet Explorer users. Or it can be an image at the time of the posting and something different five minutes later.

Now with that said, I don't see a need for checking images. To the best of my knowledge the img element cannot be abused that way. You can load the most virulent virus of the universe in an img element, it won't do anything. If it could, spammers would infect the whole planet via reddit's /r/pics.
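The post above describes the renderer side in three pieces: a scheme whitelist against javascript: links, htmlspecialchars() with ENT_QUOTES against attribute breakout, and preg_replace_callback() so the [img] and [url] values can be validated before they are placed in HTML. The following is an added example in PHP putting those pieces together; it is not code from the thread, from MAL, or from s9e\TextFormatter. It assumes a hypothetical host whitelist `ALLOWED_IMAGE_HOSTS` (using imgur.com, the host named above, plus i.imgur.com) and the helper names `safe_url()`, `h()` and `render_bbcode()`; the sample posts at the bottom are constructed.

```php
<?php
// Added example: BBCode [img]/[url] rendering with preg_replace_callback(),
// a scheme whitelist, a host whitelist for images, and attribute escaping.

const ALLOWED_SCHEMES = ['http', 'https'];
// Hypothetical whitelist of trusted image hosts (a real site keeps this in config).
const ALLOWED_IMAGE_HOSTS = ['imgur.com', 'i.imgur.com'];

// Return the URL if it is absolute, uses an allowed scheme and (for images)
// an allowed host; otherwise null. Checking the parsed scheme rather than a
// substring also rejects "javascript:alert(1)" and schemeless forms.
function safe_url(string $raw, ?array $allowedHosts = null): ?string
{
    $url = trim($raw);
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return null;
    }
    if ($allowedHosts !== null && !in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    // Whitespace or control characters inside a URL are never legitimate here.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    return $url;
}

// Escape for a double-quoted HTML attribute or a text node.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_bbcode(string $text): string
{
    // Escape the whole post first: the callbacks then only ever see escaped
    // text, so a stray quote in user input cannot close an attribute.
    $out = h($text);

    // [img]URL[/img]: validate the URL, drop the tag entirely if it fails.
    $out = preg_replace_callback(
        '#\[img\](.*?)\[/img\]#is',
        function (array $m): string {
            // Undo the escaping on the captured value so parse_url() sees the raw URL.
            $raw = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $url = safe_url($raw, ALLOWED_IMAGE_HOSTS);
            return $url === null ? '' : '<img src="' . h($url) . '" alt="">';
        },
        $out
    );

    // [url=URL]text[/url]: keep the link text, lose the hyperlink if the URL fails.
    $out = preg_replace_callback(
        '#\[url=(.*?)\](.*?)\[/url\]#is',
        function (array $m): string {
            $raw = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $url = safe_url($raw);
            return $url === null
                ? $m[2]
                : '<a href="' . h($url) . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $out
    );

    return $out;
}

// Constructed sample posts (not taken from the thread).
$samples = [
    '[img]https://i.imgur.com/abc123.png[/img]',                // whitelisted host
    '[img]http://not-trusted.example/pic.png[/img]',            // host not whitelisted
    '[url=javascript:alert(1)]click[/url]',                     // disallowed scheme
    '[url=https://example.org/?a=1&b="x"]ok[/url]',             // quotes and & inside href
    '[img]https://i.imgur.com/x.png" onerror="alert(1)[/img]',  // attribute breakout attempt
];
foreach ($samples as $s) {
    echo $s, "\n  => ", render_bbcode($s), "\n";
}
```

Running it, the first sample becomes an img element, the second and fifth render as empty strings (the fifth fails the whitespace check even before escaping would have neutralised its quotes), the third keeps only the text "click", and the fourth produces an href in which the quotes and ampersand are entity-encoded. Only the `[url=...]...[/url]` form is handled; the bare `[url]...[/url]` form would take the same callback with the captured URL doubling as the link text.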