 Some little problems

Burning Ice

Local Hero
Group: Testers
Posts: 72
Reputation: 5


Posted on Jan 29, 2008, 9:08 am by Burning Ice
Some little problems

Hello,

I've tried a few browsers and most of the functions of the forum.
Opera web browser doesn't seem to be compatible with the software...?
The menu with the   B  I  U   ABC   etc in it, isn't showing up (code buttons yes, but those below not).
Also when submitting a post, the software seems to freeze...

Another little problem I've noticed is with the skins...
If a user selects a skin with "Skin Selection", and the admin deletes the skin later, the user isn't able to get back on the forum with his account...

Greetz


You can do it if you really want it... - - - see my testforum (0.5.3)
 

Burning Ice

Local Hero
Group: Testers
Posts: 72
Reputation: 5


Posted on Jan 29, 2008, 9:14 am by Burning Ice

A screenshot of Opera with the missing bar and where it freezes:
(sorry for its size...)



Burning Ice

Local Hero
Group: Testers
Posts: 72
Reputation: 5


Posted on Jan 29, 2008, 11:27 am by Burning Ice
Security...

My cousin is kind of a geek, shows me this: 

http://www.geilepraat.be/?do=handlemsg&act=msg&MessageRecipient="><marquee>This%20page%20could%20be%20hacked</marquee>

http://www.geilepraat.be/?do=main&action=notifier&level=2&first=0 

The first example is just messing with the browser, nothing special...
The second example is pretty risky, not?  

My cousin tells me that someone who's good in SQL could inject whatever he wants in the database. 

None of these actions gives a notification in the log...
I guess you guys knew this already but I mention it anyway...

Greetz



Last edit by Burning Ice on Jan 29, 2008, 11:29 am

Burning Ice

Local Hero
Group: Testers
Posts: 72
Reputation: 5


Posted on Jan 29, 2008, 11:58 am by Burning Ice

When I turn off the board, I get the message that I've written in "modules on-off"
Ok.... but in the chatbox, I also see the forum with the message...?




 


So if I write something in the chatbox inside the chatbox... I get another forum in the second chatbox, so now I have three chatboxes... lolz
 




Burning Ice

Local Hero
Group: Testers
Posts: 72
Reputation: 5


Posted on Jan 29, 2008, 12:37 pm by Burning Ice
All admins are Chris F R? :)

When monitoring the memberlist, and pointing the cursor over the admin's name, the name Chris F R appears...
How do we change that..?



Burning Ice

Local Hero
Group: Testers
Posts: 72
Reputation: 5


Posted on Jan 29, 2008, 12:40 pm by Burning Ice

In Internet Explorer 7 I'm missing a scroll bar in the ACP...
Also I have some problems when I click on the topics... still, on this forum I don't have this problem so probably a settings error of mine...
 



chris

The Culprit
Group: Admins
Posts: 1,541
Reputation: 38


Posted on Feb 1, 2008, 3:26 am by chris

 Burning Ice wrote:
My cousin is kind of a geek, shows me this: 

http://www.geilepraat.be/?do=handlemsg&act=msg&MessageRecipient="><marquee>This%20page%20could%20be%20hacked</marquee>

http://www.geilepraat.be/?do=main&action=notifier&level=2&first=0 

The first example is just messing with the browser, nothing special...
The second example is pretty risky, not?  

My cousin tells me that someone who's good in SQL could inject whatever he wants in the database. 

Thanks for the report. Your cousin is right that it is important to keep an eye out for XSS and SQL injections. We are always interested in finding potential vulnerabilities, which is a lot of work on a program the size of nBBS.

Now, regarding both examples:

  1. This could be construed as an example of XSS injection. However, since you're only displaying the marquee to yourself, it does not qualify.
  2. This one looks scary because there's an SQL error. It looks a bit messy, due to the fact that level 2 does not contain messages and we end up using -1 as offset. We can add a test and make sure that it's always 0 or positive.
    This is not the same as an arbitrary SQL injection, however: nothing is injected here, you are simply using an existing feature.

Cheers,

-C.
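
Added example (not part of the thread and not nBBS code): one way to encode a reflected value such as MessageRecipient before it is written into the page, and to apply the "always 0 or positive" test to the paging offset while logging rejected input. It is written in PHP on the assumption that the forum is a PHP application; the function names, the `notifier` table and its columns, and the `$total - 1` offset arithmetic are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode a request value before placing it in an HTML attribute.
function recipient_field(string $raw): string
{
    // ENT_QUOTES encodes both quote styles, so the value cannot close the attribute.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="MessageRecipient" value="' . $safe . '">';
}

// Hypothetical helper: read an integer request parameter. Anything that is not
// an integer inside [$min, $max] is replaced by $default and written to the log.
function int_param(array $query, string $name, int $default, int $min, int $max): int
{
    $value = filter_var($query[$name] ?? null, FILTER_VALIDATE_INT);
    if ($value === false || $value < $min || $value > $max) {
        if (isset($query[$name])) {
            // json_encode keeps control characters out of the log line.
            error_log("rejected $name=" . json_encode($query[$name]));
        }
        return $default;
    }
    return $value;
}

// Hypothetical paging rule: $total is the number of messages at the chosen level.
// An empty level makes $total - 1 equal -1; max(0, ...) keeps the offset at 0 or above.
function page_offset(int $first, int $total): int
{
    return max(0, min($first, $total - 1));
}

// Builds the statement text from validated integers only (constructed table and columns).
function notifier_sql(array $query, int $total, int $pageSize = 20): string
{
    $level  = int_param($query, 'level', 0, 0, 2);
    $offset = page_offset(int_param($query, 'first', 0, 0, PHP_INT_MAX), $total);
    return sprintf(
        'SELECT id, body FROM notifier WHERE level = %d ORDER BY id LIMIT %d OFFSET %d',
        $level, $pageSize, $offset
    );
}

// Constructed request values modelled on the two URLs in the report.
echo recipient_field('"><marquee>This page could be hacked</marquee>'), "\n";
echo notifier_sql(['level' => '2', 'first' => '0'], 0), "\n";
```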



 

chris

The Culprit
Group: Admins
Posts: 1,541
Reputation: 38


Posted on Feb 1, 2008, 3:30 am by chris

 Burning Ice wrote:
When I turn off the board, I get the message that I've written in "modules on-off"
Ok.... but in the chatbox, I also see the forum with the message...?




 

So if I write something in the chatbox inside the chatbox... I get another forum in the second chatbox, so now I have three chatboxes... lolz
 

Ha! That, my friend, is what we call "a bug"



 

tuxg33k


Newbie
Group: Members
Posts: 4
Reputation: 0


Posted on Feb 6, 2008, 2:15 am by tuxg33k

 chris wrote:
 Burning Ice wrote:
When I turn off the board, I get the message that I've written in "modules on-off"
Ok.... but in the chatbox, I also see the forum with the message...?




 

So if I write something in the chatbox inside the chatbox... I get another forum in the second chatbox, so now I have three chatboxes... lolz
 


Ha! That, my friend, is what we call "a bug"

 

Any idea what causes this? I am having the same issue with the latest from SourceForge, 0.50, running on CentOS 5.

Thanks


 

chris

The Culprit
Group: Admins
Posts: 1,541
Reputation: 38


Posted on Feb 12, 2008, 2:52 am by chris
Not at this point, no. You may have to disable chat by removing the chat tag for now.

 
