HTML attachments on forums might be used for malicious purposes

I noticed that this forum allows uploads of HTML files, probably to allow users to share their Twine stories easily. However, these files are served directly from the twinery.org domain, and the forum doesn't force the user to download them prior to usage. Thus, anyone can upload HTML and JavaScript that executes on the twinery.org origin, creating a file upload vulnerability.

I don't think this can be used to attack the forums directly, since the forum doesn't expose login information to JavaScript and doesn't allow itself to be framed in an iframe, but any HTML file attached to the forum can steal stories saved to the hosted copy of Twine 2 (https://twinery.org/2/) or present a fake forum login page to steal credentials (using history.replaceState to disguise the URL).

I believe that this issue should be addressed, either by adding a content-disposition header to force the browser to download the HTML file prior to displaying it or by moving uploaded files to a separate domain.

(Also, why doesn't the forum use SSL by default?)
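
Both fixes proposed in the post above can be verified from the response headers of an attachment URL. The following check is an added example, not part of the original thread or the forum's code; the header sets and the host `uploads.example` are constructed, and the `Content-Security-Policy: sandbox` case goes beyond the two fixes the post names.

```python
# Added example: classify how a browser would treat an uploaded attachment,
# judged from its response headers and the host that serves it.
# Simplified model: host comparison stands in for a full origin comparison.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

def _first_token(value):
    """Return the header value before any ';' parameters, lowercased."""
    return value.split(";", 1)[0].strip().lower()

def _csp_sandbox_isolates(csp):
    """True if a CSP 'sandbox' directive is present without allow-same-origin."""
    for directive in csp.split(";"):
        parts = directive.strip().lower().split()
        if parts and parts[0] == "sandbox":
            return "allow-same-origin" not in parts[1:]
    return False

def classify_upload(headers, upload_host, app_host):
    h = {k.lower(): v for k, v in headers.items()}
    # Fix 1 from the post: the browser saves the file instead of rendering it.
    if _first_token(h.get("content-disposition", "")) == "attachment":
        return "forced-download"
    ctype = _first_token(h.get("content-type", ""))
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    # A missing type without nosniff may be sniffed as HTML by the browser.
    active = ctype in ACTIVE_TYPES or (ctype == "" and not nosniff)
    if not active:
        return "inert-type"
    if _csp_sandbox_isolates(h.get("content-security-policy", "")):
        return "sandboxed-origin"
    # Fix 2 from the post: scripts run, but not on the application's origin.
    if upload_host.lower() != app_host.lower():
        return "separate-origin"
    return "scripts-run-on-app-origin"

# Constructed sample responses: (headers, serving host)
SAMPLES = {
    "as reported": ({"Content-Type": "text/html; charset=utf-8"}, "twinery.org"),
    "attachment header": ({"Content-Type": "text/html",
                           "Content-Disposition": 'attachment; filename="story.html"'},
                          "twinery.org"),
    "separate domain": ({"Content-Type": "text/html"}, "uploads.example"),
}

if __name__ == "__main__":
    for name, (hdrs, host) in SAMPLES.items():
        print(f"{name:18} -> {classify_upload(hdrs, host, 'twinery.org')}")
```

Only the last result, `scripts-run-on-app-origin`, corresponds to the condition the post reports.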

Comments

  • Hi, we use this plugin to manage file attachments. If you have suggestions on how to configure this to do what you're suggesting, I'd be happy to take a look.

    As for SSL-- this was only set up a few weeks ago, so I'd like to give it a tad more time before we do anything that affects everyone. I'm not sure enabling it sitewide is viable, because the homepage displays content from IFDB, which currently doesn't support SSL.