WordPress.org


Strip or forbid Javascript in comments (5 posts)

  1. paulzag
    Member
    Posted 9 years ago #

    A friend's WP blog got slashdotted. Not fun at all: 10GB of traffic in 4 days, 95585 unique visitors. All of them kicking tyres and trying to be smart.

    One of these clever sheep placed a JavaScript endless loop in his comment. The only way out is to kill your browser process; this exploit works under IE, Firefox and Opera, for Windows. I could try the same here but it wouldn't be polite.

    How do I strip or disable JavaScript for comments? Specifically onmouseover events? I just replicated the exact problem in a comment on my 1.5.1.2 blog.

  2. Denis de Bernardy
    Member
    Posted 9 years ago #

    normally, this is built-in. wp only allows a limited set of tags. then again, various tricks once allowed to bypass php's strip_tags function, e.g. <scr<script>ipt>. was any dirty trick used?

  3. paulzag
    Member
    Posted 9 years ago #

    I'm not sure if my friend kept the source or just deleted the post...

    I just did a test comment to my blog, without any dirty tricks. I just created an anchor with an onmouseover event. The endless loop activated.

    So how do we strip or stop an onmouseover exploit?

  4. paulzag
    Member
    Posted 9 years ago #

    Given there isn't a lot of response here I'll illustrate the exploit. I think bbPress should strip it out the greater thans.

    <a onmouseover="for(;;)alert('endless loop exploit Traps IE, Firefox and Opera.');"
    href="http://wordpress.org/support/topic/37004" name="exploit">Onmouseover
    exploit: kills IE, Firefox and Opera if you mouseover with javascript enabled. You've been warned.

    <a onmouseover="for(;;)alert('endless loop exploit Traps IE, Firefox and Opera.');"
    href="http://wordpress.org/support/topic/37004" name="exploit">Onmouseover
    exploit:</a> kills IE, Firefox and Opera if you mouseover with javascript
    enabled. You've been warned.

  5. paulzag
    Member
    Posted 9 years ago #

    Aha! So how is bbPress smart enough to change < to &lt; in the onmouseover link?

    Or am I doing something wrong in creating the link code?

    Here is the link without the onmouseover payload

    No Onmouseover Payload

    Below is with the payload. (If it's a link DON'T mouseover).

    <a onmouseover="for(;;)alert('endless loop exploit!');"
    href="http://wordpress.org/support/topic/37004">Onmouseover
    exploit:

Topic Closed

This topic has been closed to new replies.
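
The thread asks how to stop event-handler attributes such as onmouseover from surviving in comments. As an added example (not code from this thread and not WordPress's own filter), here is a minimal allowlist sanitizer in Python: it parses the comment and re-emits only permitted tags and attributes, instead of trying to strip bad ones. The allowlist, the scheme list and the names `CommentSanitizer` and `sanitize_comment` are assumptions made for the sketch.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this sketch: tag -> attributes permitted on it.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "em": set(),
           "strong": set(), "code": set(), "blockquote": set()}
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # assumed; relative URLs are dropped too

# Constructed sample: the thread's onmouseover link with its closing tag added.
SAMPLE = ('<a onmouseover="for(;;)alert(\'endless loop exploit!\');" '
          'href="http://wordpress.org/support/topic/37004">Onmouseover exploit:</a>')


class CommentSanitizer(HTMLParser):
    """Re-emit only allowlisted tags and attributes; escape all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag: markup is dropped, inner text is kept as text
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED[tag]:
                continue  # drops onmouseover, onclick, style, name, ...
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript: and any other scheme
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always re-escaped, so a stray "<" can never reopen a tag.
        self.out.append(escape(data, quote=False))


def sanitize_comment(html_text):
    parser = CommentSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

Because the output is rebuilt from parsed tokens, nested-tag tricks like the `<scr<script>ipt>` one mentioned in the thread have nothing to reassemble into: anything not on the allowlist is either dropped or emitted as escaped text.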
