XSS problem at plime.com

tgkprog

Post by tgkprog »

i use plime a lot. when i try to upload an image last 5-6 days NoScript blocks the sister site viary - saying there is a possible XSS attack. am not sure how to put it on the white list. also this might be a test case for you when it's not an XSS attack! i upload and crop the image (yeah upload a rectangular image so the crop tool comes up).

FYI see this on http://www.plime.com when u want to submit a new story.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: XSS problem at plime.com

Post by Grumpy Old Lady »

Ah, I got sucked in there.
I registered to test and found that uploading is filtered for new registrants. Looks like it's another Worth startup.
Care to post screenshots of your upload procedure here? - - eh eh, we don't require longtime membership for that here :-)
What messages in Tools|Error Console with [NoScript XSS] in them are you seeing?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: XSS problem at plime.com

Post by therube »

I wasn't making sense out that site either.
What is a "Worth startup"?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: XSS problem at plime.com

Post by Grumpy Old Lady »

therube wrote:
I wasn't making sense out that site either.
What is a "Worth startup"?

I'm not sure if 'startup' is the correct jargon - maybe a 'new site' is a better description
http://en.wikipedia.org/wiki/Worth1000
Highly moderated photoshop "communities".
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
tgkprog

Re: XSS problem at plime.com

Post by tgkprog »

http://picasaweb.google.com/Tushar.Kapila/NoScript# can see two screen captures there.

now what was the reason to make the comments? on that site once you give enough news entries you do not have to enter a captcha every time and they have a lot of spam.

anyway hope you can tell me how to fix this XSS issue or automatically trust a site which I have trusted for scripts ...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: XSS problem at plime.com

Post by Grumpy Old Lady »

Quoth tgkprog:
now what was the reason to make the comments? on that site once you give enough news entries you do not have to enter a captcha every time and they have a lot of spam.

That's what "heavily moderated" was indicating, in part, - - and it was a lot more complicated than just filling in captchas to try to replicate your problem, so ...
thanks for the screenshots.
I'm not XSS 'perienced, so I'm sure Giorgio or a power user will be along to advise you soon.
No messages in Tools|Error Console with [NoScript XSS] then?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
tgkprog
Posts: 8
Joined: Wed Aug 26, 2009 5:44 am

Re: XSS problem at plime.com

Post by tgkprog »

Ok will try
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS problem at plime.com

Post by Giorgio Maone »

I tried to replicate your post in the screenshot using the credentials you kindly provided me with.
I had both plime.com and viary.com whitelisted like you (it's required).
I received no XSS warning and the post was correctly sent, as you can verify (I did not delete it yet).

Could you please check if your problem persists with 1.9.8.7?

If it does, please try adding the following line to your NoScript Options|Advanced|XSS exceptions list:

^@http://rookery\.viary\.com/

This will enable rookery.viary.com to send out seemingly XSS data skipping NoScript's checks.
You want to hope they don't get hacked by someone who can then use this bypass as a bridge, but on the other hand making http://www.plime.com itself an unchecked target (the other option) is not viable: look at the XSS vulnerability [link edited out while plime.com's admins are fixing their hole] I've found there in less than 1 minute ;)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
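The exception line in the post above, as an added example that is not part of the original thread and not NoScript's own code: a simplified model of an exception list, showing why the pattern escapes its dots and ends the host with a slash. It assumes, from the description in the post, that a line starting with `^@` is matched against the URL sending the request; all URLs below are constructed.

```javascript
// Simplified model of an XSS-exception list (assumption, not NoScript's code):
// one regular expression per line; a line starting with "^@" is tested against
// the URL that sends the request, any other line against the destination URL.
function parseExceptions(text) {
  return text.split(/\r?\n/).map(l => l.trim()).filter(Boolean).map(line => {
    const bySource = line.startsWith("^@");
    // Drop the "@" marker but keep the "^" anchor.
    const re = new RegExp(bySource ? "^" + line.slice(2) : line);
    return { line, bySource, re };
  });
}

// True when a request from sourceUrl to destUrl would skip the XSS filter
// under this model.
function isExempt(rules, sourceUrl, destUrl) {
  return rules.some(r => r.re.test(r.bySource ? sourceUrl : destUrl));
}

// The line from the post, and a loosely written variant for comparison.
const tight = parseExceptions(String.raw`^@http://rookery\.viary\.com/`);
const loose = parseExceptions("^@http://rookery.viary.com");

const DEST = "http://www.plime.com/submit";      // constructed destination
const SOURCES = [                                // constructed origins
  "http://rookery.viary.com/crop",               // the intended sender
  "http://rookery.viary.com.example/",           // host only starts with the name
  "http://rookery-viary-com.example/",           // "." in a regex matches any char
  "http://www.plime.com/",                       // unrelated sender
];

// For each origin, report whether each rule set would exempt the request.
function compare() {
  return SOURCES.map(src => ({
    src,
    tight: isExempt(tight, src, DEST),
    loose: isExempt(loose, src, DEST),
  }));
}

console.table(compare());
```

Only the first origin is exempted by the line from the post; the loose variant also exempts the two lookalike hosts, which is the kind of unintended bypass an exception list should be reviewed for.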
tgkprog
Posts: 8
Joined: Wed Aug 26, 2009 5:44 am

Re: XSS problem at plime.com

Post by tgkprog »

wow ty for quick resolution, I passed on your message to the site owner up to him to look into that. I fixed my No Script. When I get my next cheque I will make a small donation - your tool is very useful
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
tgkprog
Posts: 8
Joined: Wed Aug 26, 2009 5:44 am

Re: XSS problem at plime.com

Post by tgkprog »

Giorgio I have sent the html code to the site admins. can you please edit out that sentence? no point advertising it till he fixes it
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS problem at plime.com

Post by Giorgio Maone »

XSS POC link edited out.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
tgkprog
Posts: 8
Joined: Wed Aug 26, 2009 5:44 am

Re: XSS problem at plime.com

Post by tgkprog »

upgrading version did not help but adding the line you gave to the options did. the image should be of a non square size so the crop tool is activated

also i see the same issue at face book like at http://apps.facebook.com/lilfarmlife/home.php
when i want to publish to my profile when 'crops are ready ' etc

what line do i need to trust this site and say an arbitrary content provider like

http://static.ak.fbcdn.net/js/api_lib/v ... der.js.php

http://lilgreenpatch.com/fb/farm/farmswf.php
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS problem at plime.com

Post by Giorgio Maone »

tgkprog wrote:also i see the same issue at face book like at http://apps.facebook.com/lilfarmlife/home.php
when i want to publish to my profile when 'crops are ready ' etc

what line do i need to trust this site and say an arbitrary content provider like

It's hard to tell without seeing the [NoScript XSS] lines you get in Tools|Error Console when you've got troubles.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
tgkprog
Posts: 8
Joined: Wed Aug 26, 2009 5:44 am

Re: XSS problem at plime.com

Post by tgkprog »

Giorgio Maone wrote:
tgkprog wrote:also i see the same issue at face book like at http://apps.facebook.com/lilfarmlife/home.php
when i want to publish to my profile when 'crops are ready ' etc

it works after i add it to the advanced white list like you suggested for plime

only the interface needs to be better

i'm an app developer and i found this tough

i went to the advanced screen and i thought it was like browsers - need to add the line to the single line text box - where it says
"Pattern Matching Sample" and text box has value "http://www.google.com/search?q=test"

but I see that is some test thing?

and that we need to add the exception directly to the big text area on top. dangerous cause a user can edit other entries without meaning to.

more useful if the XSS warning box had a check box to add the exception to the white list if we click allow ... can confirm the choice by another msg box - but this is really difficult to do!

* Let me know if you need me to clarify things or take a few screen shots to make things clear
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3