Tropes Media Browse Indexes Forums Videos Ask The Tropers Trope Finder Media Finder Trope Launch Pad Tech Wishlist Reviews Tools
Cut List New Edits Edit Reasons Launches Images List Crowner Activity Un-typed Pages Recent Page Type Changes Changelog
Tips
Creating New Redirects Cross Wicking Tips for Editing Text Formatting Rules Glossary Edit Reasons Handling Spoilers Word Cruft Administrivia FAQ
Tropes HQ
About Us Contact Us Advertise DMCA Notice Privacy Policy Report Bug
Go Ad-Free Changelog
  • Show Spoilers
  • Night Vision
  • Sticky Header
  • Highlight Links
 

Follow TV Tropes

Bugs

Go To

Your mama may have had eyes in the back of her head, but our admin team just can't see everything at once. It takes a village to make sure TVTropes is running the way it should, so when it comes to spotting tech snafus, dreaming up a better digital mousetrap, or just diagnosing plain old asshattery, the quicker you let us know something's up, the quicker we can address it. See a bug? Point to it and we'll squash it. Have idea for a new feature? Post in the Tech Wishlist.

NOTE: Do not post duplicate bug queries, please check existing queries to see if your issue has already been reported and then comment on it.

Submit a Bug

Submit a Bug:

Describe the bug or issue:

Make Private (For security bugs or stuff only for moderators)
frankye8998 Since: May, 2018
14th Jun, 2018 12:22:00 AM

closed
Security Issues

There are multiple security issues including XSS (persistent and reflected) and CSRF.

The following will trigger an alert box:

https://tvtropes.org/pmwiki/query.php?type=%22%3E%3Cscript%3Ealert()%3C/script%3E

https://tvtropes.org/pmwiki/pmwiki.php/WesternAnimation/%22%3E%3Cbody_onload=alert%28%27xss%27%29%3E (https://tvtropes.org/pmwiki/pmwiki.php/WesternAnimation/%22%3E%3Cbody_____onload_=___alert%28%27xss%27%29%3E)

https://tvtropes.org/pmwiki/article_history.php?article=%3Cscript%3Ealert()%3C/script%3E

Changing password to '<script>alert()</script>'. (also don't store passwords in plaintext (if you do))

Changing location to '<script>alert()</script>'.

Changing description to 'bracket /textarea bracket <script>alert()</script>'

Editing bug report with 'bracket /textarea bracket <script>alert()</script>'

Editing bug report with quote <script>alert()</script>

Submitting a bug with <body onload=alert()> as the title.

XSS isn't the only issue. A user's messages can be deleted if they click go to the following page: tvtropes (DOT) org/pmwiki/delpm.php?id=all&conf=1

SOLUTIONS:

- Whenever passing a query, sanitize it.

- Either add a CSRF token to forms or only accept certain referers. Note that the latter may not work do to adblockers.

For more information, please read the following:

https://en.wikipedia.org/wiki/Cross-site_scripting

https://en.wikipedia.org/wiki/Cross-site_request_forgery

Edited by frankye8998
71
frankye8998 Since: May, 2018
16th Jun, 2018 10:31:14 PM

This is kind of a big deal. Someone can break this page right now if they wanted to.

Edited by frankye8998
bwburke94 Since: May, 2014
20th Jun, 2018 08:47:37 AM

We're no strangers to looooove...

I had a dog-themed avatar before it was cool.
frankye8998 Since: May, 2018
26th Jun, 2018 06:59:12 PM

deleted

Edited by frankye8998
SeptimusHeap MOD (Edited uphill both ways)
27th Jun, 2018 12:40:14 AM

Reported the issue.

"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled." - Richard Feynman
  • Show Spoilers
  • Night Vision
  • Sticky Header
  • Wide Load

Important Links

Ask The Tropers Trope Finder Media Finder Trope Launch Pad Tech Wishlist Reviews Go Ad Free!
Crucial Browsing
Resources
Top