BlowingWind, posted August 20, 2019
1. We set up a word filter to prevent members from advertising spam on our forum. Sensitive words (e.g. "xxx club") are word-filtered for moderator approval.
2. Recently a wave of new members managed to bypass the word filter using the in-place Title edit.
3. How they did it:
i. Post a NEW topic titled "Hello World". Successfully posted!
ii. Click to view the topic, then in-place edit the topic title to "xxx club", which is supposed to be word-filtered. (Left-hold the mouse button on the title.)
iii. It seems the in-place edit of the topic title did NOT invoke the word-filter check. Note that the bypass will NOT work if they click Edit and change the topic title via the edit box.
4. I'd appreciate someone advising a fix, as spammers are now having a field day. Thanks
Martin A., posted August 20, 2019
I hope you submitted this as a ticket too, otherwise it may take some time for the developers to become aware of this issue.
Daniel F, posted August 20, 2019
I have reported this to our internal bug tracker.
Joel R, posted August 20, 2019
As an immediate fix, make sure to review and/or escalate your registration security, including:
1. Changing your Q&A security questions.
2. Ensuring your IPS Spam Defense service is active with your license.
3. Removing the edit functions from the member group permissions as a temporary stopgap.
BlowingWind (author), posted August 21, 2019
17 hours ago, Joel R said:
3. Remove the edit functions from the member group permissions as a temporary stopgap.
Can you advise how to do (3) above? I cannot find an Admin group member permission to DISABLE Edit Topic Title. Thanks in advance.
BlowingWind (author), posted August 30, 2019
On 8/21/2019 at 11:34 PM, Daniel F said:
We have fixed this for an upcoming release :)
1. Glad to hear that. I just created a support ticket to get the fix.
2. The spammers took a "holiday" and are back nightly :-( Thanks.
BlowingWind (author), posted September 1, 2019
On 8/21/2019 at 11:34 PM, Daniel F said:
We have fixed this for an upcoming release :)
@Daniel F
1. I just UPGRADED to 4.4.6 hoping it will stop the spammers. I noticed the spammers use trial and error. They managed to bypass the "Word Filter" in the topic title again 😞
2. I believe they used the in-place edit of the title in the topic listing, i.e. in the topic listing of the forum they left-click on a "HelloWorld" topic created by themselves earlier. Left-click on a topic title and change it to "XXX Club". "XXX" in my word filter is bypassed. This also does NOT call the "Word Filter".
Martin A., posted September 1, 2019
3 hours ago, BlowingWind said:
@Daniel F
1. I just UPGRADED to 4.4.6 hoping it will stop the spammers. I noticed the spammers use trial and error. They managed to bypass the "Word Filter" in the topic title again 😞
2. I believe they used the in-place edit of the title in the topic listing, i.e. in the topic listing of the forum they left-click on a "HelloWorld" topic created by themselves earlier. Left-click on a topic title and change it to "XXX Club". "XXX" in my word filter is bypassed. This also does NOT call the "Word Filter".
Daniel's reply came two days after the release of 4.4.6. This will most likely have to wait till 4.4.7.
BlowingWind (author), posted September 1, 2019
1. I dug inside my web logs and found perhaps other ways they were bypassing the word filter. I am on IPB 4.4.6 (latest as of now). There are many such lines, as the spammers posted multiple spams, but I just extract one line for illustration. Notice the escaped % in the URL.
<IP redacted> - [01/Sep/2019:02:34:03 +0800] "POST /forum/topic/104288-s%D0%B5x-%D1%81lub/?do=edit HTTP/2.0" 301 0 "https://<URL-redacted>/forum/topic/104288-s%D0%B5x-%D1%81lub/?do=edit" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0"
2. I noticed they seem to be using URL "special escape characters" to "bypass" the topic edit. The post is a spam with title "Sex Club", all "English" ASCII, so there was no need to use escape / special characters.
Daniel F, posted September 1, 2019
Yea, the fix wasn't included in the recent release! I'll see if we can provide a patch for this; if not, it will be included in the next official release.
BlowingWind (author), posted September 4, 2019
I found another way to bypass the Word Filter. At least it works on 4.4.6 on my forum.
a. In an existing topic, post a reply with just a dot, i.e. "." Save.
b. Then edit the post and paste in a message including the "filtered word", e.g. "Please come to XXX Club." (where XXX is a banned filter word). For some reason, the word filter is NOT invoked.
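The thread describes two distinct failures: edit paths (inline title edit, edit-after-post) that never call the filter, and a slug in the web log where Latin "s" and "x" are mixed with percent-encoded Cyrillic "е" (%D0%B5) and "с" (%D1%81) so that "sex club" does not match a plain-ASCII filter term. The following is an added example, not Invision Community code: a filter that runs at one chokepoint shared by every save path, folds common Cyrillic look-alikes to Latin before matching, and flags mixed-script slugs in logs. The filter terms and the save function are constructed for illustration.

```python
# Added example (not Invision Community code): one filter chokepoint with
# confusable folding, plus a mixed-script check for the thread's log slug.
import re
import unicodedata
from typing import Optional
from urllib.parse import unquote

# Constructed list of filtered terms; a real forum loads these from settings.
FILTERED_TERMS = ["xxx club", "sex club"]

# Cyrillic letters that render like Latin ones, mapped back before matching.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})

def normalize(text: str) -> str:
    """Fold text to a canonical form before filter matching."""
    text = unquote(text)                       # undo %D0%B5-style escapes
    text = unicodedata.normalize("NFKC", text)  # fullwidth forms etc.
    text = text.translate(CONFUSABLES).casefold()
    return re.sub(r"[\s_\-]+", " ", text).strip()

def violates_filter(text: str) -> Optional[str]:
    """Return the matched filter term, or None if the text is clean."""
    folded = normalize(text)
    for term in FILTERED_TERMS:
        if normalize(term) in folded:
            return term
    return None

def save_topic_title(title: str, source: str) -> dict:
    """Single save path for create, full edit and inline edit alike.
    Every entry point calls this, so no edit route can skip the check."""
    hit = violates_filter(title)
    if hit:
        return {"status": "held_for_moderation", "term": hit, "source": source}
    return {"status": "published", "title": title, "source": source}

# Slug from the thread's log line: Latin s + Cyrillic е + x, Cyrillic с + lub
LOG_SLUG = "s%D0%B5x-%D1%81lub"

def mixed_script(slug: str) -> bool:
    """Flag URL slugs mixing Latin and Cyrillic letters, a homoglyph tell."""
    s = unquote(slug)
    has_latin = re.search(r"[A-Za-z]", s) is not None
    has_cyrillic = re.search(r"[\u0400-\u04FF]", s) is not None
    return has_latin and has_cyrillic
```

Running `mixed_script` over the topic slugs in access-log POST lines with `?do=edit` gives a cheap triage signal for the encoded titles noticed above, independent of whether the filter itself fired.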