Something we should fix on Advogato perhaps

It is possible to save any page where a "Type of relationship" is present. I don't know if we should fix this but it allows people to insert anything they want as info.

Take any project page. Save it on your hard disk. Edit the HTML and replace this:

<form method="POST" action="../relsub.html">

by this:

<form method="POST" action="http://www.advogato.org/proj/relsub.html">

Now, edit the pop-up list. For example, for the OpenBSD project I added the "Addict" type. Save the file and load it in your Mozilla.

Now you can select the new type and post it. If you want to see an example of this, check my own account. I added a few relationships from my account to a few projects, using custom "strings".

Of course, I did it just as a proof of concept, there is no bad intent there, please be nice with my account admins :-)

Should we fix this?

What will happen if someone nasty wants to pollute project pages with very long and annoying list data?

Injection ?, posted 28 Feb 2003 at 10:41 UTC by gilbou » (Journeyer)

Another thought. Do you guys think this could be used to inject code into a project page?

Old news .. , posted 28 Feb 2003 at 11:32 UTC by Stevey » (Master)

It used to be possible to inject code into people's profile pages, but that has been plugged for a while.

I wrote about it at the time, and produced an advisory:

http://www.steve.org.uk/Hacks/Advogato.html

Re: Injection ?, posted 28 Feb 2003 at 11:43 UTC by redi » (Journeyer)

The text that you submit for the relationship type is allowed to be arbitrary; see The Universe or Beer for examples of how this is used harmlessly. This is different from the certification types, which are checked against the list of pre-defined types. The relationship text is escaped to prevent you using < or > characters there, which prevents you from injecting a <script> tag or similar attack into any pages. It also doesn't seem to be vulnerable to some of the other injection attacks virgule is vulnerable to. I'd recommend keeping the arbitrary relationship text. It's fun.

:o), posted 28 Feb 2003 at 11:44 UTC by gilbou » (Journeyer)

Well, it's quite fun :-) Is this limited in size so custom texts won't get tooooo big?
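The server-side handling redi describes (certification types checked against a pre-defined list, relationship text accepted as arbitrary but escaped) together with the size cap gilbou asks about, written out as an added example. This is not mod_virgule's code: the certification names, the 40-character cap, the form field names and the `handle_relsub` function are all assumptions made for the illustration.

```python
import html

# Constructed allow-list standing in for the site's pre-defined certification
# types; the names here are assumptions for the example, not the real list.
CERT_TYPES = frozenset({"Apprentice", "Journeyer", "Master"})

# Assumed size cap for free-form relationship text; the thread does not say
# whether the real site enforces one.
MAX_RELATIONSHIP_LEN = 40


class RejectedInput(ValueError):
    """Raised when a submitted value fails server-side validation."""


def validate_cert_type(submitted: str) -> str:
    """A certification type must match the server's own list exactly.

    The <select> in the client's HTML is only a convenience; any string can
    be POSTed, so the server re-checks the value instead of trusting the form.
    """
    if submitted not in CERT_TYPES:
        raise RejectedInput(f"unknown certification type: {submitted!r}")
    return submitted


def sanitize_relationship(submitted: str) -> str:
    """Free-form relationship text is allowed, but bounded and escaped.

    1. strip surrounding whitespace and reject an empty value;
    2. cap the length so a single user cannot bloat a project page;
    3. HTML-escape so '<', '>', '&' and quotes can never form a tag or break
       out of an attribute when the text is rendered back into the page.
    """
    text = submitted.strip()
    if not text:
        raise RejectedInput("empty relationship text")
    if len(text) > MAX_RELATIONSHIP_LEN:
        raise RejectedInput(
            f"relationship text exceeds {MAX_RELATIONSHIP_LEN} characters")
    return html.escape(text, quote=True)


def handle_relsub(form: dict) -> dict:
    """Process one relationship-form POST (field names are assumptions).

    Returns the value that would be stored and rendered, or raises
    RejectedInput; which rule applies depends only on the server-side kind,
    never on what the client's pop-up list offered.
    """
    kind = form.get("kind", "")
    if kind == "cert":
        return {"kind": kind, "value": validate_cert_type(form.get("value", ""))}
    if kind == "relationship":
        return {"kind": kind, "value": sanitize_relationship(form.get("value", ""))}
    raise RejectedInput(f"unknown form kind: {kind!r}")


def is_rejected(form: dict) -> bool:
    """Convenience wrapper: True when the submission fails validation."""
    try:
        handle_relsub(form)
    except RejectedInput:
        return True
    return False


def render_row(user: str, project: str, stored_relationship: str) -> str:
    """Build the project-page list item. User and project names are escaped
    here; the relationship text was already escaped when it was stored."""
    return (f"<li>{html.escape(user)} is {stored_relationship} of "
            f"{html.escape(project)}</li>")


if __name__ == "__main__":
    # Constructed submissions modelled on the thread: a custom relationship
    # string, a tag-bearing string, an over-long string, and a certification
    # value that is not in the allow-list.
    submissions = [
        {"kind": "relationship", "value": "Addict"},
        {"kind": "relationship", "value": "<b>Addict</b>"},
        {"kind": "relationship", "value": "x" * 500},
        {"kind": "cert", "value": "Addict"},
    ]
    for sub in submissions:
        try:
            result = handle_relsub(sub)
            print("accepted:", render_row("gilbou", "OpenBSD", result["value"]))
        except RejectedInput as exc:
            print("rejected:", exc)
```

The split mirrors redi's point: the tampered pop-up list is harmless for relationships because the stored text is escaped before it is rendered, while the same trick against a certification form fails because the value is compared against the server's own list, not the client's.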

I'd leave it..., posted 6 Mar 2003 at 12:28 UTC by blindcoder » (Journeyer)

as it is, as long as it doesn't get abused too much...
Maybe send a mail to the project owner to approve "non-standard" types so that it is at least supervised.

Would then also make a neat implicit feature :)
