..:: AsmBB ::..: xss and RCE vulnerabilities found
<h1>AsmBB is an ultrafast web forum, written entirely in assembly language. This site is the official support development forum and demo/test installation.</h1>
[tag:board.asm32.info,2018-03-06:Thread293] 2020-03-19T01:49:41Z
ganuonglachanh on xss and RCE vulnerabilities found [tag:board.asm32.info,2018-03-06:Post16061] 2020-03-19T01:49:41Z
<p>Thank you johnfound
</p>
<p>Great as always :-) </p>
ganuonglachanh
johnfound on xss and RCE vulnerabilities found [tag:board.asm32.info,2018-03-06:Post16060] 2020-03-18T19:04:34Z
<p>After some great help from ganuonglachanh, the working test cases have been found and the working fix was submitted to the repositories.
</p>
<p>Notice that the fixes are both in AsmBB and in FreshLib, so the latest version should be fetched. Some minor bugs have been fixed as well.
</p>
<p>The BBCode parser will be fixed very soon as well. The fix is working, but it is pretty complex, so some bugs are possible.</p>
johnfound
johnfound on xss and RCE vulnerabilities found [tag:board.asm32.info,2018-03-06:Post16054] 2020-03-15T17:05:33Z
<blockquote><header>ganuonglachanh</header><p>While looking for a "fix" of this error, I realized that AsmBB uses an HttpOnly cookie, so <strong>JS can't access our session cookie</strong>, even if the <strong>xss</strong> vulnerability exists.
</p>
<p>More on this: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies">https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies</a>
</p>
<p>But anyway, should we add a filter function to our post content, to clear xss, auto-remove spam links...
</p>
<p>Just my 2 cents :-)
</p></blockquote>
<p>Well, I still can't reproduce this XSS at all... My hypothesis is that ATMOS used some very old and buggy version of AsmBB. But he is not posting anymore...
</p>
<p>And my idea is that the user content should not be filtered. The vulnerabilities and bugs should be searched for and fixed.
</p>
<p>P.S. If you can reproduce this XSS/RCE, please post some working test case here. </p>
johnfound
ganuonglachanh on xss and RCE vulnerabilities found [tag:board.asm32.info,2018-03-06:Post16053] 2020-03-15T16:11:14Z
<p>While looking for a "fix" of this error, I realized that AsmBB uses an HttpOnly cookie, so <strong>JS can't access our session cookie</strong>, even if the <strong>xss</strong> vulnerability exists.
</p>
<p>More on this: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies">https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies</a>
</p>
<p>But anyway, should we add a filter function to our post content, to clear xss, auto-remove spam links...
</p>
<p>Just my 2 cents :-) </p>
ganuonglachanh
johnfound on xss and RCE vulnerabilities found [tag:board.asm32.info,2018-03-06:Post15981] 2019-11-04T06:47:36Z
<p>Hm... As a rule, XSS are possible. But I can't reproduce these.
Please, provide some code samples. Post directly here - it is OK if the code is non-destructive.</p>
johnfound
ganuonglachanh on xss and RCE vulnerabilities found [tag:board.asm32.info,2018-03-06:Post15980] 2019-11-04T05:01:05Z
<p>Thanks for the report, I'm sure John"found" a fix ;-) </p>
ganuonglachanh
A T M O S on xss and RCE vulnerabilities found [tag:board.asm32.info,2018-03-06:Post15979] 2019-11-03T05:29:08Z
<p>Pretty much all inputs are currently vulnerable; you should really audit a bit more before pushing updates. We will continue to fuzz it.
</p>
<p>xss vuln
<img class="block" src="https://openintents.modular.im/_matrix/media/r0/download/hotline.blin.gg/xFuGjEpWsnLzlOkTsAcEHoDh" alt="My picture" /> Hey, we did find some xss which can be triggered on various href
</p>
<p>Edit: we also found an RCE for Edge users
also can RCE Edge users
with URIs
like calculator://aaa
yahoo.com one
</p>
<p>another xss in user profile
</p>
<p><img class="block" src="https://openintents.modular.im/_matrix/media/r0/download/hotline.blin.gg/eYobMDDfeUqtjezwMnxLEMRT" alt="My picture" /> </p>
A T M O S
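
The href and custom-URI reports in this thread concern how a user-supplied link reaches the rendered page. As an added example (not code from the thread, AsmBB or FreshLib), the renderer below stores post content unchanged and makes the decision at output time: only allowlisted schemes become an `href`, and every value is escaped for its HTML context; the function names and the scheme list are assumptions.

```javascript
// Added example: hypothetical link renderer, not AsmBB or FreshLib code.
// Only schemes on this allowlist (an assumption) ever reach an href attribute.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Escape the characters that can end an attribute value or start a tag.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Return a normalized URL string if the scheme is allowed, otherwise null.
function safeHref(raw) {
  // The WHATWG URL parser lowercases the scheme and drops embedded
  // tab/newline characters, as browsers do, so the scheme checked here
  // is the scheme the browser will act on.
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch (err) {
    return null; // relative or unparseable input is not rendered as a link
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Render one user-supplied link. Rejected URLs are shown as inert text.
function renderLink(rawUrl, label) {
  const href = safeHref(rawUrl);
  if (href === null) {
    return escapeHtml(label) + " [" + escapeHtml(rawUrl) + "]";
  }
  return '<a href="' + escapeHtml(href) + '" rel="nofollow noopener">' +
    escapeHtml(label) + "</a>";
}

// Constructed inputs: the custom scheme quoted in the thread and two ordinary links.
const SAMPLES = [
  "calculator://aaa",
  "https://example.com/a?x=1&y=2",
  "mailto:a@example.com",
];
for (const sample of SAMPLES) console.log(renderLink(sample, "link"));
```
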