Gossamer Forum

url escaping bug

Take a look at this...

http://images.google.com/...er-threads.com+links

The last part... the +links gets converted to _links by GForum which makes the URL unworkable. Why is that? Is this a bug?

And secondly, why does the forum insist on this redirect business, why not just print the URLs as is? Why do all URLs and mailtos have to go through the gforum redirect?

- wil
Re: [Wil] url escaping bug
Now this is interesting... It doesn't do it in the post above, but when I try and have some text with the link it does.

same link but with text description

- wil
Re: [Wil] url escaping bug
So the bug only appears when a description is posted with the URL. Interesting.

And secondly, can it be an option to turn off the URL redirects, and just post the URL as-is? I think this is an unnecessary load on the server?

- wil
Re: [Wil] url escaping bug
It isn't the _link and +link, it is the bug mentioned by Andy. There is an & in the second url.
Re: [RedRum] url escaping bug
Yeah, but what's bugging me is the need for it at all. Surely this is just extra overheads?

- wil
Re: [Wil] url escaping bug
It's annoying me, 'cos none of the links in my sig work now.

Andy (mod)
andy@ultranerds.co.uk
Want to give me something back for my help? Please see my Amazon Wish List
GLinks ULTRA Package | GLinks ULTRA Package PRO
Links SQL Plugins | Website Design and SEO | UltraNerds | ULTRAGLobals Plugin | Pre-Made Template Sets | FREE GLinks Plugins!
Re: [AndyNewby] url escaping bug
They do, as the redirect has been taken off :-)

- wil
Re: [Wil] url escaping bug
No they don't... not for me at least. There are still &amp;'s in the URLs.

Last edited by: RedRum: Mar 11, 2002, 5:38 AM
Re: [RedRum] url escaping bug
Oh yeah, but the redirect has gone.

- wil
Re: [Wil] url escaping bug
Erm, no it hasn't. Still goes through as http://www.gossamer-threads.com/perl/gforum/gforum.cgi?url=http%3A%2F%2Fwww.wiredon.net%2Fgossamer%2Finstall.shtml for example ;)

Andy (mod)
Re: [AndyNewby] url escaping bug
Not in your sig though.
Re: [RedRum] url escaping bug
No, no...

If you provide a description with your URL, i.e.

[url "url"] something here [/url]

then the URL will be posted direct.

If you don't provide a description and just do:

[url]url[/url]

then the URL will go through the forum redirect thingy.

For some... strange... reason ?

- wil
Re: [Wil] url escaping bug
Yeah, even with a description it gets screwed though.

http://www.ace-installer.com/modules.php?op=modload&name=NS-Pages&file=links

Note the &amp; in there ;) I see what you are saying, but for some reason it still is screwing up my &'s in the URL :(

Andy (mod)
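The broken `&amp;` in Andy's link is a layering problem: a target URL embedded as the `url=` parameter of a redirect link has to be percent-encoded once (so its own `&` cannot be read as a separator of the redirect's query string) and the finished link HTML-escaped once for the href attribute. The example below is added here and is not GForum's code; `buggy_redirect_href` is one assumed way of producing the symptom in the thread (HTML-escaping the target instead of percent-encoding it), not a claim about how the forum actually did it. The redirect URL and the ace-installer target are taken from the thread.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Redirect script as it appears in the thread.
REDIRECT = "http://www.gossamer-threads.com/perl/gforum/gforum.cgi"
# Andy's link, which contains two literal '&' in its own query string.
TARGET = "http://www.ace-installer.com/modules.php?op=modload&name=NS-Pages&file=links"


def build_redirect_href(target: str) -> str:
    """Wrap `target` in the redirect and escape the result for an HTML href.

    Layer 1: percent-encode the target so '&', '=' and '?' inside it are data,
             not separators of the redirect's query string.
    Layer 2: HTML-escape the complete URL exactly once for the attribute.
    """
    redirect_url = f"{REDIRECT}?url={quote(target, safe='')}"
    return html.escape(redirect_url, quote=True)


def buggy_redirect_href(target: str) -> str:
    """Assumed reproduction of the symptom: the target is HTML-escaped (producing
    the visible '&amp;') but never percent-encoded, so after the browser decodes
    the attribute the target's '&' splits the redirect's query string."""
    return f"{REDIRECT}?url={html.escape(target)}"


def resolve(href: str) -> str:
    """What the browser plus redirect script end up with: decode the attribute,
    split the redirect's query string and return the url= value."""
    url = html.unescape(href)
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("url", [""])[0]


if __name__ == "__main__":
    print("correct  ->", resolve(build_redirect_href(TARGET)))
    print("buggy    ->", resolve(buggy_redirect_href(TARGET)))
```

With the correct layering the target round-trips intact; with the assumed buggy layering everything after the first `&` is lost to the redirect's own parameter list.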
Re: [AndyNewby] url escaping bug
Oh yeah. Sorry, I was on about the redirect and didn't pick up on your ampersands.

- wil
Re: [Wil] url escaping bug
This is fixed now.

The redirect is to protect people who are using the query-based authentication. If we were to link directly, someone could post a link "Click here" which takes you to some CGI on their homepage which looks for session ID numbers, and then using that they gain access to your account and change your password and e-mail, essentially stealing your account.

Jason Rhinelander
Gossamer Threads
jason@gossamer-threads.com
Re: [jagerman] url escaping bug
In Reply To:
The redirect is to protect people who are using the query-based authentication. If we were to link directly, someone could post a link "Click here" which takes you to some CGI on their homepage which looks for session ID numbers, and then using that they gain access to your account and change your password and e-mail, essentially stealing your account.

Hm, how would someone go about this?

Surely this would render 95% of the web forums out there insecure? Or is this specific to GTForum?

- wil

Last edited by: Wil: Mar 13, 2002, 1:50 AM
Re: [Wil] url escaping bug
If you're not using cookies, you'll have a session ID in the URL. If you don't redirect, this whole URL (along with your session ID) will be passed to the linked web server as the referrer. If I put a link on the forum to a CGI which just logged the referrer, then I could log into your account using the referrer URL (as long as that session ID hadn't expired). You can kind of prevent this by also keeping track of their IP along with the session, but then there are instances where people are behind a proxy, etc., and their IPs are the same.

This is the case for pretty much any web application which uses session IDs in the URL. Adding redirection totally prevents this. Adding the IP check prevents it for ~95% of the cases. And at that, it can only happen if you're not using cookies, but URL sessions.

Adrian
Re: [brewt] url escaping bug
Ah, right.

I suppose not a lot of forums support session ids for registered members - only for guests?

- wil
Re: [Wil] url escaping bug
We had a few people clamoring about having to use cookies for the old forum (WWWThreads), which is why we decided to support URL-based session IDs.

Guest IDs with GForum are only URL based - however, gaining access to a guest ID doesn't give you anything.

Jason Rhinelander
Re: [jagerman] url escaping bug
Still, how can someone get access to someone's account knowing their session ID? Surely the session must still be active? And they time out after x amount of minutes, so the hacker would need to move quick? But then... surely there are provisions in place for multiple logins from different IP addresses, either simultaneously or within x period of each other?

- wil
Re: [Wil] url escaping bug
Using a session ID doesn't work as a login - you get a session ID _when_ you log in. We can't restrict a session by IP - suppose someone is using a dialup connection and is disconnected and reconnects - they will have a completely different IP, but they shouldn't be logged out because of it.

To illustrate the bug, I would make a link like this:

env.cgi

Now, when you click that link, I have the env.cgi script record $ENV{HTTP_REFERER} and e-mail me. So, I move when I receive the e-mail (sessions expire after 1 hour of inactivity) and go to http://www.gossamer-threads.com/cgi-bin/gforum/gforum.cgi?session=abc...

Now I see: "Welcome, Wil", I go to the profile, change your password and e-mail address to my own, and presto - I stole your account.

Jason Rhinelander
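The leak Jason and Adrian describe leaves a recognisable trace: a Referer whose query string carries a session parameter. The check below is an added example (not GForum or Gossamer Threads code) that a site operator can run over an NCSA combined-format access log to find such requests, whether the token arrived from a forum that puts sessions in URLs or from a user who pasted a session-bearing link elsewhere (Wil's question further down). The log lines are constructed, the parameter names in `SESSION_KEYS` are assumptions, and the token is redacted so the report does not become another copy of it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# NCSA combined format: the Referer is the second-to-last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed names under which web apps carry a session token in the URL.
SESSION_KEYS = {"session", "sid", "sessionid", "phpsessid"}

# Constructed sample: three requests to a site that forum users linked to. Only the
# first arrives from a URL-session user; the second comes from a cookie user.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Mar/2002:09:43:01 -0800] "GET /cgi-bin/env.cgi HTTP/1.0" 200 512 "http://www.gossamer-threads.com/cgi-bin/gforum/gforum.cgi?session=abc123def456&post=17" "Mozilla/4.0"
203.0.113.9 - - [13/Mar/2002:09:44:10 -0800] "GET /cgi-bin/env.cgi HTTP/1.0" 200 512 "http://www.gossamer-threads.com/cgi-bin/gforum/gforum.cgi?post=17" "Mozilla/4.0"
203.0.113.12 - - [13/Mar/2002:09:45:22 -0800] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
"""


def redact(token: str) -> str:
    """Keep a short prefix for correlation, mask the rest."""
    return token[:4] + "*" * max(len(token) - 4, 0)


def find_leaked_sessions(log_text: str) -> list[tuple[str, str, str, str]]:
    """Return (client_ip, referer_host, param_name, redacted_token) for every
    request whose Referer query string carries a session parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["referer"] in ("", "-"):
            continue  # unparseable line or no Referer sent
        ref = urlsplit(m["referer"])
        for key, values in parse_qs(ref.query, keep_blank_values=True).items():
            if key.lower() in SESSION_KEYS:
                hits.append((m["ip"], ref.hostname or "", key, redact(values[0])))
    return hits


if __name__ == "__main__":
    for ip, host, key, token in find_leaked_sessions(SAMPLE_LOG):
        print(f"{ip} sent Referer from {host} carrying {key}={token}")
```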
Re: [jagerman] url escaping bug
So... what does the redirect thing do out of all this? Restrict your HTTP_REFERRER from being passed on, I take it?

Hm, what happens when people (unwittingly) post a link to a message or something on another webpage with their session ID still attached to it?

Why not just make a check for IP address? I would think that it's reasonable for you to log in again if you got disconnected.

If I'm not mistaken; slashdot does this and perlmonks.org - right?

- wil

Last edited by: Wil: Mar 13, 2002, 9:43 AM
Re: [Wil] url escaping bug
Quote:
Why not just make a check for IP address? I would think that it's reasonable for you to log in again if you got disconnected.

A lot of proxy servers will give you different IPs each request. I believe some AOL accounts work like this, as well as some cable providers. They basically load balance the proxy server, so who you appear as each request can change.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] url escaping bug
Aha. That's a fair point. That would be very irritating, having to log in at every request to the forum.

I must try this out. I've always logged in with my cookies. What's the advantage/disadvantage may I ask?

- wil
Re: [Alex] url escaping bug
One more thing on this subject; can the URL redirect be turned off for users who login with cookies enabled and/or guests?

- wil