EchoingRuby
It's possible for users to embed arbitrary images in comments. Here's a code snippet that I've verified works on my own user profile page (most of this was just copied from SH's code):
JavaScript:
```javascript
// Posts a profile comment through ScribbleHub's own admin-ajax endpoint.
// The body of the function is the site's client-side code; only the final
// call with an <img> tag in the message is the reporter's addition.
function postComment (message)
{
    var i = $("#authorid").val();
    $(".profile_error_msg").text("");
    var r = $("#isauthorchk").val();
    $("#profile_message_main").prop("disabled", !0),
    $.ajax({
        type: "POST",
        url: "https://www.scribblehub.com/wp-admin/admin-ajax.php",
        data: {
            action: "wi_postnewmsg",
            mypostmsg: message,     // sent as-is; no client-side escaping
            intAuthorID: i,
            chkAuthorStatus: r
        },
        success: function(e) {
            e = e.slice(0, -1);
            var i = jQuery.parseJSON(e)
              , e = i.error
              , i = i.profiledata;
            $("#profile_message_main").prop("disabled", !1),
            0 < e.length ? ($(".profile_error_msg").text(e),
            $("#my_popuperror").popup("show")) : ($(i).hide().prependTo(".p_messages").fadeIn("slow"),
            $("#comment_placeholder").html(""),
            in_comment_start_profile(),
            recall_spoiler_edited(),
            checkresize())
        }
    })
}

// The returned profiledata is inserted into the page as HTML, so the <img> renders.
postComment('hello <img src="https://upload.wikimedia.org/wikipedia/commons/0/05/Territorial_organization_of_European_countries.svg" />');
```
You can see this live on my profile page.
This allows malicious actors to do one or more of the following:
- IP address leaks (for things like location tracking)
- Large processor-intensive images bringing CPU speed to a crawl
- Insertion of things that look like advertisements for things that ScribbleHub may not wish to be associated with
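As an added, defender-side example (not ScribbleHub's code and not part of the original post), here is a server-side allowlist sanitizer in Python that neutralises the payload above: it drops `<img>` and every other non-allowlisted tag, removes event-handler attributes and non-http(s) `href` values, discards `<script>`/`<style>`/`<iframe>` together with their contents, and balances whatever markup is left. The tag and attribute allowlist is an assumption chosen for illustration; the point is that this runs in the comment-posting handler before the comment is stored.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: plain formatting only. Anything not listed (img, span,
# div, on* attributes, style, ...) never reaches other readers' browsers.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute is dropped
DROP_WITH_CONTENT = {"script", "style", "iframe"}
SAFE_SCHEMES = ("http://", "https://")   # javascript:, data: etc. are rejected


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1               # drop the element and everything inside it
        elif self.skip or tag not in ALLOWED_TAGS:
            return                       # e.g. <img ...>: removed, emits nothing
        else:
            kept = ""
            for name, value in attrs:
                if name not in ALLOWED_ATTRS.get(tag, ()) or not value:
                    continue
                if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                    continue             # only plain web URLs survive in href
                kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
            if tag != "br":
                self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.stack:
            while self.stack:            # close anything still open inside it
                t = self.stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))   # text is never raw HTML


def sanitize_comment(raw: str) -> str:
    p = CommentSanitizer()
    p.feed(raw)
    p.close()
    while p.stack:                       # balance tags the user left open
        p.out.append(f"</{p.stack.pop()}>")
    return "".join(p.out)
```

On a WordPress backend like the admin-ajax handler above, the equivalent step is passing the message through wp_kses() with an explicit allowed-tags array before saving it.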