We build. You grow.

Get best community software here

Start a social network, a fan-site, an education project with oxwall - free opensource community software

Get started
Google+

OEmbed has lots of bugs and major xss vulnerabilities. | Forum

Topic location: Forum home » Support » Bug reports and troubleshooting
Akash
Akash Jan 15 '16
Oxwalls oEmbed feature has a large number of bugs and most importantly xss vulnerabilities.  


Suppose if i write a website 


<html>

<title>Test <script>//my javascript code</script></title>

<body>

</body>

</html>


and embed it as oembed link then, well your imagination is your only limitation what could be done with the entire website.

I have seen and read the most of the oxwall scripts but I did not find any good prevention of any attacks and i really feel bad about it. I hope you guys can do better. 


And one more thing, if you guys want then you guys can use my oEmbed script which I made for my own website I am developing currently and I would love that. 

PHPOEmbed v1.5.3 

The Forum post is edited by Akash Jan 15 '16
#1
ross Team
ross Jan 18 '16
can you provide the exact "bad javascript code" which oembed will parse into oxwall website and can you provide xss vulnerabilities we have as well?
The Forum post is edited by ross Jan 18 '16
#2
Akash
Akash Jan 18 '16
You might wanna check this video. Remember this video is only made for an example.



Sorry no hard feelings. You guys made oxwall, if anything happens bad to oxwall users its it oxwall teams responsibility. I am no one here I am just a guy who was passing through you guys and found some mistake and wanted to help. oxwall is yours and choice is also yours. And this is the last time I replied. good luck.

The Forum post is edited by Akash Jan 18 '16
#3
UTAN
UTAN Jan 18 '16
I haven't tested, but if Oxwall is really vulnerable you shouldn't have disclose it here..

I know u did with good intention , Devs get a release as soon as possible Xss is no joke ,

Can we disable url posting to mitigate this vulnerability? 

I am not home to this now.
The Forum post is edited by UTAN Jan 18 '16
#4
ross Team
ross Jan 19 '16
I have reported this to our devs it will be fixed asap. Thanks for sharing. 
#5
UTAN
UTAN Jan 19 '16
@ross, any way to disable it? just to mitigate while DEVS fix the issue?
#6
JoshWho
JoshWho Jan 19 '16
I still can't replicate that. There must be some really weak security on that server for that to work. 
#7
JoshWho
JoshWho Jan 19 '16
I figured out Why I couldn't replicate it. It is because I do not allow external links to be opened in the same page. I use the plugin http://www.oxwall.org/store/item/605  and it seems to stop that.
#8
Scott
Scott Jan 20 '16
Following 
#9
ross Team
ross Jan 20 '16

Quote from UTAN @ross, any way to disable it? just to mitigate while DEVS fix the issue?
disabling status updating on your website via user user roles may do that, however users still will be able to post statuses on the profile pages. 
#10
UTAN
UTAN Jan 21 '16
I have mitigated, the post of how is here http://www.oxwall.org/forum/topic/44516

only way I could find unless I start sneaking into the code base to see what is called..

but don't have enough acknowledge of Oxwall internals.
The Forum post is edited by UTAN Jan 21 '16
#11
Akash
Akash Jan 21 '16
As i can see every body is getting insane here. I could not stop myself but replying this one. Open ow_libraries/oembed/oembed.php follow from line 204. replace this code.. 
return array(
'type' => 'link',
'description' => $description,
'title' => $title,
'thumbnail_url' => $firstImg,
'allImages' => $images
);
to ... 
return array(
'type' => 'link',
'description' => htmlentities($description, ENT_QUOTES, 'UTF-8'),
'title' => htmlentities($title, ENT_QUOTES, 'UTF-8'),
'thumbnail_url' => $firstImg,
'allImages' => $images
);
Remember this is a quick fix. but it will work for now until developers does something for this issue. I also recommend developers do not use this method for production.

The Forum post is edited by Akash Jan 21 '16
#12
kalvindarwan
kalvindarwan Dec 21 '23
If you cannot bring the car to us for whatever reason, we can come to you and repair it from your place. Costa Mesa Pro Landscapers
#13
James Walter
James Walter Jan 2 '24
That’s why we offer maintenance services for your trucks so you can be worry-free! Davenport Mobile Truck Repair
#14
Start | Demo | About | Policies & Licenses | Blog | Contact Us | Oxwall Foundation | Roadmap | Developer Central | Oxwall hosting | Contribute | Partners | Donation | Community software | Dating software
© Copyright Oxwall Software
Oxwall Community Software