[BUG REPORT] ...Possible security hole?

  • 1 Replies
  • 10169 Views
neptun's Avatar

neptun

[BUG REPORT] ...Possible security hole?
« on: March 03, 2017, 09:51:45 pm »
So, I posted this (every character between the quotes):

"                 /,   ,|   ,|
             /| /(  ,' / ,//
          \`( |/ /,'  (,/ |
           \ \ ` `   `  /--,
         _,_\ `  ` `  ``  /__
          '-.____________`  /
            [  \@,    :] `--,-..-
            [__________]__,'-._/
             )'o\ ' o) \/ )
             \  /   __  ./
              \=`   ==,\..
               \ -. `,' (333
               3`--''    \33.
             ,333_) /mm33333:.
            |:#:mmmmmm333333::
            |:#:333333333::##'
            ':#:ctr3333''#####\
             |:#:#\###########\
             |:#:##\###########\
             |:#:###\########|#\
             /:#:|:::\|::::::|:(
             ):#:|::::\::::::|:/
            /:#;/:::::<::::::|("

into the 'Website Title' text box on my profile's editor and got a 403 error page. Specifically:

"Forbidden

You don't have permission to access /forum/index.php on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request."

Whether or not javascript was enabled did not make a difference.
This occurred when posting the same thing into the 'Website Url' text box as well.

While I realize this may be nothing, I know it at least means that your server is *not* simply cutting the end off of the string I gave it, and setting the remaining characters to my profile's website's title/URL.

Re: [BUG REPORT] ...Possible security hole?
« Reply #1 on: March 09, 2017, 01:56:03 am »
I trimmed the payload you posted here and figured out that the third line is what's triggering the 403.

I was able to create a MWE: "(|("

This string, pasted (without quotes) into that field, will cause a 403.

RACHEL TIPPED 25 CORAL FOR THIS POST