phpBB HTML MOD

User avatar
axew3
w3all User
w3all User
Posts: 2578
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: phpBB HTML MOD

Post by axew3 »

... Your post has been validated as is, but i am sorry for you...
You do not belong to admin group, nor to a group allowed to parse phpBB posts as html.
...<b> your post is not parsed as html, but like phpBB normal post</b>.
Who is in charge to archive the post is the native phpBB code, not the extension code. The extension code just let parse a post as html, if you as author are allowed to do so (and you added the placeholder on post).
Are you an admin here? or a moderator that can edit posts (**so that could put malicious code into the post... it will be fixed next 1.0.1).

I forget to mention that the post DO NOT NEED to contain bbcode and/or <b>SMILIES</b>! Or the post will be parsed as pure text!

If anybody able to exploit this, i will paypal 300$.
I make it easier for you: the placeholder is the default here.

Ps** about unique security risk i see: the unique problem that can come out, is that if a post is by an admin, then a moderator (which should not be allowed to edit the html post) go to edit it and putting on it some malicious code.
It also will be fixed, the post containing html code to be parsed will be allowed to be edited only if the user belong to admin group, or the user id is one of the allowed to post/edit html, and not if is just moderator allowed to edit posts.

I am thinking to add feature by IDS. Only specified user's IDS and admins, will be allowed to have posts parsed as html when they need or to edit.
Should be nice.

User avatar
axew3
w3all User
w3all User
Posts: 2578
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: phpBB HTML MOD

Post by axew3 »

So, to finalize the concept why, many had think that html on phpBB was not safe, is mainly due to a problem i have after think about:

how to avoid the problem that an user, allowed to parse html on posts, go to insert a new html post, then a moderator come to edit his post, adding more malicious code?

The solution to this could be a flag added into post's data arrays using a listener, that after let detect if it is an html post or not, and if a moderator so, can or not edit it.
OR, instead, another easy solution that i will apply will this:
since it has been added an array of usersIDS to detect that an user, beside if he is admin, or normal user, can or not add html on posts, then if/when an user that do not belong to admins group, or do not have the ID into the html allowed users array, then when he will go to edit a post containing the [HTMLMARKUP] tag, and will go to save it, the post will be cleaned up by any htmlplaceholder.
Problem resolved. His edit on html posts will have no effect.
Unique misleading behavior is that if a moderator go to edit an html post which should not, because his id is not on the array of allowed users, and it contain the html placeholder, then the post will be cleaned up of html tags. And his malicious intent will fail.
When the admin will discover that his post is not anymore html due to an edit by a moderator, may he will know that it is time to ban this user.

This will demonstrate that safe html on phpBB posts is very possible. It is coming 1.0.1.
Stay tuned lovely and cool people.

User avatar
axew3
w3all User
w3all User
Posts: 2578
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: phpBB HTML MOD

Post by axew3 »

Yes, the problem has been resolved.
Adding userIDs allowed to parse html on posts, it is possible to cleanup the post text from the html placeholder, if the user is not an admin or his user ID do not belong to the array of users allowed to parse html.
It has been really easy.

a code comment say this (on coming 1.0.1)
// the only inconsistency is that if a moderator edits a post of a user who has permission to execute html on the post:
// the html on post will be nullified, because any html placeholders will be removed from the post before to be stored
// NOBODY but admins and usersIDS on 'uids_html_allowed_ary' can post the Html markup placeholder
That is.

User avatar
axew3
w3all User
w3all User
Posts: 2578
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: phpBB HTML MOD

Post by axew3 »

1.0.1 is coming, i like to log how it work the whole thing and how it has been possible to make it safe to be used, also when a moderator could edit a post that contain the [HTMLMARKUP] placeholder, adding malicious code on it.

How it has been resolved?
The whole logic do this:

When a post is inserted, **if the user that is posting do NOT belong to admins, or to the array of user's IDS allowed to use the [HTMLMARKUP] placeholder into phpBB posts, the post will be cleaned UP of all [HTMLMARKUP] placeholders.
But the security is not limited to this.
When a request is done to phpBB to display a post, it will be parsed as HTML only if the user that posted the post, BELONG to admins group, or the poster userID exist into the array of user's IDS allowed to manage html into phpBB posts.

**
What about if a moderator go to edit an admin post or a post of an userID allowed to parse posts as html, injecting malicious code?

Nothing will happen. The post will be cleaned up of any [HTMLMARKUP] placeholders, and the post will become a normal post.

No way to get out by this situation. HTML posts into phpBB is now possible.
Many said phpBB html posts was/is not safe...
Stay tuned ... it will be cool

User avatar
axew3
w3all User
w3all User
Posts: 2578
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: phpBB HTML MOD

Post by axew3 »

I liked to move the code of the HTML on posts to the next step in few lines of code, it allows to parse HTML only to ADMINS group, and all users that are into the allowed passed UIDS array.

Only these users can add the [HTMLMARKUP]. Any other that attempt to add into a post and is not allowed cause that the post is cleaned up of the (any) [HTMLMARKUP] placeholder.
Any other user allowed to edit posts, that will attempt to edit a post with [HTMLMARKUP] placeholder, if do not belong to admins or allowed array of userIDS (even if a moderator) will cause that the post will be cleaned up from the html placeholdrer, so that the post will return to be a normal post, parsed by phpBB in the common way.

I liked also, in really few lines, to cleanup the html markup so to have the ability to post something like this (the embed share code from youtube):

Code: Select all

<iframe width="560" height="315" src="https://www.youtube.com/embed/MmOau-PMWJk" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
<script>alert('It must have been an angel come down from above');
</script>

<p style="text-align:center;font-size:120%;padding:20px;">I liked to add also this!</p>

<iframe width="560" height="315" src="https://www.youtube.com/embed/wqFeYSCDXzY" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
note that the javascript come in two lines and normally phpBB parsing functions, would add so a tag <br /> that make it fail the parsing of the code, the result would be this:

Code: Select all

<script>alert('I have youtube any any html embedded into a post');
<br />
</script>

It has been resolved, and the code perform more basic cleanups but may something more need to be fixed.
It work any test i did at moment, the 1.0.1 will so soon released after some little more test.
This is not an HTML post, but next in reply will be, using same code as the example above. It start with [HTMLMARKUP] and only my user and the admins group can edit the post adding something wrong.

User avatar
axew3
w3all User
w3all User
Posts: 2578
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: phpBB HTML MOD

Post by axew3 »

I liked to add also this!


Post Reply