Jump to content

Member using bug to bypass word-filter


BlowingWind

Recommended Posts

1. We setup word filter to prevent Members advertising spam on our forum.
Sensitive words (eg xxx club ) are word-filter for moderator's approval.

2. Recently a wave of new Members managed to bypass the "word-filter" using in-place Title Edit Title.

3. How they did it:

i. Post a NEW topic Titled: "Hello World". Successfully posted !
ii. Click to view topic, then Inplace-Edit the Topic Title to "xxx club" which is supposed to be word-filter.
(Left hold mouse button on Title)
iii. It seems the Inplace-Edit of Topic Title did NOT invoke word-filter check.
Note that bypass will NOT work if they click edit and change topic title via the edit box.

4. Appreciate someone advise a fix as spammers are now having a field day.

Thanks

 

 

Link to comment
Share on other sites

As an immediate fix, make sure to review and / or escalate your registration security including: 

1. Changing your Q&A security questions

2. Ensuring your IPS Spam Defense service is active with your license.  

3. Remove the edit functions from the membergroup permissions as a temporary stopgap.  

Link to comment
Share on other sites

  • 2 weeks later...
On 8/21/2019 at 11:34 PM, Daniel F said:

We have fixed this for an upcoming release:)

@Daniel F

1. I just UPGRADED to 4.4.6 hoping it will stop the spammers.
I noticed the spammers try / error. They managed to bypass the "Word Filter" in Topic Title again 😞

2. I believed they used the In-Place Edit of Title in "Topic Listing".
ie In Topic Listing of the forum, they left click on a "HelloWorld" Topic created by themselves earlier.
Left click on a Topic Title and changed to "XXX Club".  "XXX" in my word filter is bypassed.
This also does NOT call "Word Filter".

 

Link to comment
Share on other sites

3 hours ago, BlowingWind said:

@Daniel F

1. I just UPGRADED to 4.4.6 hoping it will stop the spammers.
I noticed the spammers try / error. They managed to bypass the "Word Filter" in Topic Title again 😞

2. I believed they used the In-Place Edit of Title in "Topic Listing".
ie In Topic Listing of the forum, they left click on a "HelloWorld" Topic created by themselves earlier.
Left click on a Topic Title and changed to "XXX Club".  "XXX" in my word filter is bypassed.
This also does NOT call "Word Filter".

 

Daniel's reply came two days after the release of 4.4.6. This will most likely have to wait till 4.4.7.

Link to comment
Share on other sites

1. I digged inside my web logs and found perhaps other ways they were bypass the word filter.  I am on IPB 4.4.6 (latest as at now).

There are many of the lines as the spammers posted multiple spams,
but I just extract one line for illustration: Notice the escape % in the URL.

<IP redacted> - [01/Sep/2019:02:34:03 +0800] "POST /forum/topic/104288-s%D0%B5x-%D1%81lub/?do=edit HTTP/2.0" 301 0 "https://<URL-redacted>/forum/topic/104288-s%D0%B5x-%D1%81lub/?do=edit" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0"

 

2. I noticed they seem to be using URL "special escape characters" to "bypass" the Topic edit.
The post is a  spam with title "Sex Club", all "English" ASCII, so there was no need to use escape / special characters.

 

 

 

Link to comment
Share on other sites

I found another way to bypass Word Filter. At least work on 4.4.6 on my forum.

 

a. In an existing topic, post a reply with just a dot ie "." Save.

b. Then Edit the post and paste in a message including the "filtered word" eg Please come to XXX Club. (where XXX is banned filter word).
For some reason, word filter is NOT invoked.

 

 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...