January 31st, 2002, 02:13 PM
Possible forum defacement?
I found this on hackinthebox.org:
Pretty clever..... Is AO secured for this type of "attack"? Probably it is, but I don't know for sure. Anyone want to try?
Well by request of Seraphi (who came to me wanting to know why I didn't make a posting about the 'defacement'), here's the official report. Yes, x2renegade managed to find a bug with our forum code which didn't have a check for allowable HTML tags... This in turn resulted in x2renegade making a nuisance of him/herself by including large images into the subject and body fields along with a bunch of crap text to go with the mood I suppose.
Now is this a defacement? Some would probably say it is -- while I personally don't see it that way. Most forums do allow the inclusion of images, however they're formatted (to a certain width and height) so they don't screw up the entire page. This is precisely what we forgot to do -- format the images before the posting gets made. As such, the mainpage looked 'compromised' due to the included images in the subject line (which would have been picked up when the "Last 10 Forum Postings" box gets loaded). I sincerely doubt this programming oversight constitutes a defacement (how hard is it to do an img src = blah blah blah?). Anyways, this posting is to satisfy everyone that wanted to see one, and just to let you all know that we have traced the source IP for x2renegade, and investigations on the source access side have already begun (I just want to have a quiet word with x2renegade)... I guess I should be thankful to x2renegade for 'discovering' the flaw (which has since been fixed), however due to the nature in which he let us know about it is in my opinion shallow and unprofessional. But hey, what can I say right -- script kiddies will always be script kiddies.
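The missing check described in the report, sketched as an added example (not code from hackinthebox.org or from this forum): subjects are escaped to plain text so nothing renders in a listing box, and bodies are rebuilt from an allowlist with images forced to a fixed size. The tag allowlist, the 400x300 box, the 80-character subject limit and the `forum.example` URL are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

ALLOWED = {"b", "i", "u", "p", "br"}  # assumed allowlist, not the forum's real one
VOID = {"br"}                         # allowed tags that take no closing tag
IMG_W, IMG_H = 400, 300               # assumed display box for posted images

class BodySanitizer(HTMLParser):
    """Rebuild a post body from allowlisted tags only; the rest is dropped or escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            # Only absolute http(s) images, re-emitted with fixed dimensions.
            if src.lower().startswith(("http://", "https://")):
                self.out.append('<img src="%s" width="%d" height="%d" alt="">'
                                % (html.escape(src, quote=True), IMG_W, IMG_H))
        elif tag in ALLOWED:
            self.out.append("<%s>" % tag)  # author-supplied attributes are discarded
            if tag not in VOID:
                self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:               # close only what this post opened
            while self.open:
                t = self.open.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data))

def sanitize_body(raw):
    p = BodySanitizer()
    p.feed(raw)
    p.close()
    # Close anything left open so one post cannot restyle the rest of the page.
    return "".join(p.out) + "".join("</%s>" % t for t in reversed(p.open))

def sanitize_subject(raw, max_len=80):
    """Subjects are plain text: no markup survives into listing boxes."""
    return html.escape(raw[:max_len], quote=True)

if __name__ == "__main__":
    post = '<b>hi<img src="http://forum.example/big.gif" width=5000><font size="7">LOUD</font>'  # constructed
    print(sanitize_subject(post))
    print(sanitize_body(post))
```

Sanitizing when the post is stored and escaping again wherever the subject is rendered covers secondary views such as a "Last 10 Forum Postings" box, which read the same stored fields.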