Minecraft PC IP: play.cubecraft.net

Web [BUG] XSS image width

Rifyy

Rifyy

Well-Known Member
Aug 19, 2019
95
334
104
If you embed an image you can edit the style attribute and set the width to whatever you like. there is still a wrapper element for the displayed image so you cant make it bigger than default but you can make it smaller

upload_2020-5-16_23-46-53.png


I inserted the image element manually with element inspect too, might make a difference

I doubt this is the only XSS vulnerability, all events seem to be blocked by cloudflare (onclick etc) tho its not a very user friendly error

If I find more XSS vulns I'll post them here instead of making more threads if thats cool
 
Zed

Zed

Zedmin / Managing Director
Team CubeCraft
💙 Admin Team
Jul 11, 2015
243
2,930
308
Radcliffe, Manchester
twitter.com
This is just the bbcode attributes right?

I think this is intended behaviour (ie being able to control width) - Xenforo will strip out any disallowed attributes.

Bug is that you can cause statuses to overflow with this which isn't ideal.
 
Rifyy

Rifyy

Well-Known Member
Aug 19, 2019
95
334
104
Zed said:
This is just the bbcode attributes right?
Click to expand...
I dont know whether this is possible with BB codes, last time I really used BB codes is ~10 years ago when this certainly wasnt a thing you could usually do with them. I used element inspect and edited richt text editor input which is why I titled it XSS

Quick test to see whether its possible on the current forum too, never tested it here
iu


Source image is 1500px wide

Edit: doesnt seem to work here
 
Zed

Zed

Zedmin / Managing Director
Team CubeCraft
💙 Admin Team
Jul 11, 2015
243
2,930
308
Radcliffe, Manchester
twitter.com
Rifyy said:
I dont know whether this is possible with BB codes, last time I really used BB codes is ~10 years ago when this certainly wasnt a thing you could usually do with them. I used element inspect and edited richt text editor input which is why I titled it XSS

Quick test to see whether its possible on the current forum too, never tested it here
iu


Source image is 1500px wide

Edit: doesnt seem to work here
Click to expand...
width / height are allowed editable elements in the new BB code so I think you're just mutating the values - any other adjustments won't come through. If you inspect the network traffic you should see that sanitised BB code is sent back to the server not HTML.
 
Rifyy

Rifyy

Well-Known Member
Aug 19, 2019
95
334
104
Zed said:
you should see that sanitised BB code is sent back to the server not HTML.
Click to expand...
upload_2020-5-18_21-46-44.png

Sanitation doesn't seem to be working for me? Seeing the <p> text being sent to the server is what made me try messing around with image tags to begin with
 
You must log in or register to reply here.

Similar threads

꧁𝕃𝕩𝕜𝟝𝕫꧂
All Networks Natural Disasters Bundle - Suggestion
Replies
6
Views
680
LightningLord
LightningLord
solaris7068
Bedrock Make “Destroy the Core” Its Own Standalone Game Mode
Replies
12
Views
1K
Floraljackp14
Floraljackp14
اناناس تايم
Java (FIX PLZ) Why is EggWars balancing so broken?-JAVA
Replies
1
Views
720
Loskol
Loskol
PRO WINNAAR
All Networks The tape ban for drag clicking
Replies
64
Views
3K
Maximalizer
Maximalizer
Nex3us
Discover Vibrant Visuals – Minecraft’s Brand New Look!
Replies
7
Views
21K
Nex3us
Nex3us
Members Online

Team online

Members online

Total: 459 (members: 18, guests: 441)

Latest posts

Latest profile posts

LorilambtheWcubecraftian
LorilambtheWcubecraftian
I just saw England win the 2025 womens euro!
D42B0C8D-1FD6-4507-A82C-47C7710C96E3.jpeg
•••
rabidsyllabclip
rabidsyllabclip
Daily Clip: 27/07/2025:
https://imgur.com/a%2FXrUwTKn
•••
Tatsu
Tatsu
Why does “one more episode” always turn into four?
•••
ペッか♡
ペッか♡ wrote on caraMel's profile.
check out vocaloid
if you want to, check out vocastats' 1000 vocaloid songs vid
•••
ペッか♡
ペッか♡
I’m dying. I actually did it. I submitted fanfiction as homework. My teacher knows that I have a certain fondness for Transformers. I’m crying and dying inside. I just wanted to show my writing prowess. Please help.
•••

Share this page

Top Bottom