Old timers are used to the forum failing in various ways. Think how newcomers must feel when they ask a support question because they are having trouble running their newly installed SL and are told their post is forbidden.
If this is just an issue of them trying to sanitize SQL injection attack vectors then they really need to think harder about website security.
Upping the priority of this issue to major since this seems to be a fairly serious issue. I'm somewhat surprised that this wasn't already a major issue.
> If this is just an issue of them trying to sanitize SQL injection attack vectors then they really need to think harder about website security.
I disagree. You should never have one security layer. But several. This is not how you protect a website from SQL injection attacks.
Now, I don't expect them to fix this, since they're going to replace the forums some time in 2007... I mean 2008... but I'm voting for it anyway.

Indeed. It is simply a matter of sanitizing data passed into the REAL SQL statements. There ARE functions to do this, and using them is TRIVIAL. Seems to me like there was indication of a known SQL injection attack vector, and the answer was a stop-gap using an overly simple regular expression to trigger a 403 response on match.

Upgrade/Fix the forums already. vBulletin is at version 3.7.4 now. 3.0.5 is ancient history.

I reported that to the forum administrators and I added an entry in the technical forum 3 weeks ago, see http://forums.secondlife.com/showthread.php?p=2269088#post2269088 That can't be such a big deal, no?

I just wasted two hours because of this problem. On other VBulletin forums, I found that the UNIX relative directory characters (like dot-dot-slash) can also cause problems (and do on our forums as well). Many of the other VBulletin solution posts said "just keep trying, it will eventually work."
I sympathize with not wanting to spend time enhancing Or any solution that divulges any information regarding the source of the problem. Extra extra ugly, but how about add some text to the 403 Forbidden error that says "remove the words SELECT, UPDATE, and INSERT from your text, and any ../ as well." Please don't argue with my brainstorms because I know they're crap; I'd support any move in the direction of dispensing a useful diagnostic.

This limitation is utterly insane. I just lost a detailed, helpful post that I was composing for an RA thread, almost certainly because of this stupid hack that the Lindens put into the Forums. I am NOT going to waste time re-writing that almost full-page of helpful information. I didn't know the "secret forbidden word pairs", and had no warning or explanation as to why the post was rejected. Furious, and logging off now...

Helpful tip:
If you "lose" a post, as Ceera described, simply hit the Back button in your browser. The full text of your post will still be there, assuming there are no RAM hiccups. Edit out the forbidden word combination(s), and then submit. It should go through just fine. It's also generally good practice to copy & paste any long post to a text editor like Notepad or Wordpad before submitting, even if it weren't for this issue. Internet hiccups happen all the time. There's nothing worse than spending an hour or more on a detailed post, and then having it disappear to a server error or packet loss or some other catastrophe. Keeping a working backup copy on your desktop is sensible when working with any Web platform, be it a forum, a contact ticket, or what have you. I hope that helps.

The TOS is Forbidden!
Very amusing. While trying to respond to the "Shared Account" thread and quoting paragraph 2.3 of the TOS I kept getting a 403 Error message "Forbidden You don't have permission to access /newreply.php on this server." I was able to post my message only after I removed the quote of paragraph 2.3 of the TOS.

I know there are better ways to avoid SQL injection in PHP and MySQL, but this way of banning some words in posts is not the best. I hope this gets fixed soon.

"../" (dot dot slash) also does this.

I got knocked out by this old bug today and was assuming I was banned from posting. And I am certainly not very amused about it. As were many others before. Why is this issue still not fixed after such a long time, with the fixes being available?!
Update your forum software ASAP please. Raised to Showstopper add
Update - Copy to our list of oh so fun words not to use in sequence (Code is another one I haven't been able to figure out, but it's part of one of the forbidden combos)

OK, this is BEYOND ridiculous now.... I can now no longer print valid rotations in the scripting forums? (Apparently it thinks it's some kind of HTML attack, as if "< href" wouldn't work just as well.) Try this one: in fact ANYTHING with the format "<x", where x is a non-breaking character, gets a lovely This type of SQL sanitization is pointless; if you MUST, insert dummy characters after keywords like a non-breaking space or, heavens forbid, one of the characters that scripts ignore like :?`@#$\ And seriously, HTML has already been disabled, so WHY this particular sloppy hack is being used I have NO IDEA!!!?!?

It also works if you place a single space before the first number in a rot or vector like so:
< 0,0,0>

Edit: Never mind - I found the solution to this on Web 1179. (Not able to post on the forums.) The solution is - make sure your preferences are checked to Basic Editor.
select, from
update, set
insert, into
delete, from
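The thread's complaint, stated in runnable form: a keyword-pair blocklist of the kind described above rejects ordinary forum prose and LSL vectors, while binding post text as a query parameter stores every one of those posts safely. This is an added example, not code from the thread, from vBulletin or from the Second Life forums; the regular expressions are a constructed approximation of the filter built from the four keyword pairs listed above plus the "../" and "<x" cases commenters report, and the sample posts are constructed.

```python
import re
import sqlite3

# Constructed approximation of the keyword-pair blocklist described in this
# thread (assumed; not vBulletin's or the Second Life forum's actual rule).
# The four keyword pairs are the ones listed at the end of the thread; the
# "../" and "<x" rules are the ones commenters report tripping over.
BLOCKLIST_PATTERNS = [
    re.compile(r"\bselect\b.*?\bfrom\b", re.I | re.S),
    re.compile(r"\bupdate\b.*?\bset\b", re.I | re.S),
    re.compile(r"\binsert\b.*?\binto\b", re.I | re.S),
    re.compile(r"\bdelete\b.*?\bfrom\b", re.I | re.S),
    re.compile(r"\.\./"),   # dot-dot-slash
    re.compile(r"<\S"),     # "<" immediately followed by a non-space character
]

# Constructed sample posts: every one of them is benign forum text.
SAMPLE_POSTS = {
    "support":    "Select the viewer from the download page, then update your settings.",
    "cache_tip":  "Please delete the old files from the cache folder first.",
    "lsl_vector": "rotation r = <0,0,0,1>;",
    "lsl_spaced": "rotation r = < 0,0,0,1>;",   # the workaround mentioned in the thread
    "path":       "Edit ../settings.xml before launching.",
    "apostrophe": "It's working now; don't delete anything.",
}


def keyword_filter_blocks(post: str) -> bool:
    """True if the naive blocklist would answer this post with a 403."""
    return any(p.search(post) for p in BLOCKLIST_PATTERNS)


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn


def store_concatenated(conn, author, body):
    """The fragile way: the post text becomes part of the SQL statement.
    A single apostrophe in ordinary prose already breaks the statement."""
    conn.execute(f"INSERT INTO posts (author, body) VALUES ('{author}', '{body}')")


def store_parameterized(conn, author, body):
    """The correct way: placeholders keep the post text as data, so no
    keyword, quote or path fragment in it can change the statement."""
    conn.execute("INSERT INTO posts (author, body) VALUES (?, ?)", (author, body))


def run_filter() -> dict:
    """Which sample posts the blocklist rejects (every hit is a false positive)."""
    return {name: keyword_filter_blocks(text) for name, text in SAMPLE_POSTS.items()}


def run_storage() -> tuple:
    """Store every sample post with placeholders; returns (rows stored,
    bodies read back, names of posts that broke the concatenated version)."""
    conn = new_db()
    broken = []
    for name, text in SAMPLE_POSTS.items():
        try:
            store_concatenated(conn, name, text)
        except sqlite3.OperationalError:
            broken.append(name)
    conn.execute("DELETE FROM posts")
    for name, text in SAMPLE_POSTS.items():
        store_parameterized(conn, name, text)
    rows = conn.execute("SELECT author, body FROM posts ORDER BY id").fetchall()
    return len(rows), dict(rows), broken


if __name__ == "__main__":
    for name, rejected in run_filter().items():
        print(f"{name:11s} {'403 Forbidden' if rejected else 'accepted'}")
    count, bodies, broken = run_storage()
    print(f"parameterized: {count} posts stored; concatenation failed on {broken}")
```

Four of the six benign posts are refused by the blocklist, and the one post that actually causes a database error is the harmless sentence with an apostrophe, which only the string-concatenation path trips over. The placeholder version stores all six unchanged, which is the point made repeatedly in the thread: the protection belongs at the query, not in a regular expression over the post body.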