RsWebClients Posted January 10, 2021 Share Posted January 10, 2021 One of my members found an exploit being able to post unlimited chars on his profile fields https://runesuite.org/profile/6486-intervoid/?tab=field_core_pfield_1 im not sure if this is a invision problem or theme problem? Link to comment Share on other sites More sharing options...
Nathan Explosion Posted January 10, 2021 Share Posted January 10, 2021 Log a ticket with support. RsWebClients 1 Link to comment Share on other sites More sharing options...
CoffeeCake Posted January 10, 2021 Share Posted January 10, 2021 @bfarber Link to comment Share on other sites More sharing options...
CoffeeCake Posted January 10, 2021 Share Posted January 10, 2021 What type of field do you have defined? Is anything being exploited here? It seems that there is certainly an attempt at an exploit, or in making you think there is one from the presence of eval() in the submitted text, yet have they managed to exploit anything on your site? It seems they just saved a profile full of text, which if these are editor fields, are just like posts without limit. Link to comment Share on other sites More sharing options...
bfarber Posted January 11, 2021 Share Posted January 11, 2021 The "About Me" field is an editor field which uses a MEDIUMTEXT database field, meaning it can likely hold almost 16 million characters. This isn't an exploit (unless you have defined a maximum length for the field in the AdminCP which has been exceeded, although I wouldn't recommend doing so). What is the "exploit" specifically? I can't see any problem in your screenshot. If he just submitted a bunch of text to an editor field...that's not an exploit. You can post the same stuff there that you can post in a forum post basically. Link to comment Share on other sites More sharing options...
Recommended Posts