Author Topic: Report Website related bugs/issues here  (Read 3210 times)

AvikB

  • Hero Member
  • *****
  • Posts: 732
AvikB, I've noticed that tag [size=" 1"] works fine for me, but tag [size=" 2"] just doesn't change anything at all. Haven't tried other text sizes.
will look into it

psychoadept

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 6267
The way certain buttons only show up on mouseover is okay for the desktop version of the site, where the mouse is naturally going to cause that to happen.  But on the mobile version, it really looks like the buttons don't exist.  You have to actually click on a post to make them appear.  Is there any hope of fixing this?

Once I got used to this, I thought maybe it's not so bad... But then I discovered that the buttons are active even when they're not visible.  That's a bigger problem!
MusicBee Wiki
Use & improve MusicBee's documentation!

Latest beta patch (3.1)
(Unzip and overwrite existing program files)

AvikB

  • Hero Member
  • *****
  • Posts: 732
The way certain buttons only show up on mouseover is okay for the desktop version of the site, where the mouse is naturally going to cause that to happen. But on the mobile version, it really looks like the buttons don't exist. You have to actually click on a post to make them appear. Is there any hope of fixing this?
Once I got used to this, I thought maybe it's not so bad... But then I discovered that the buttons are active even when they're not visible. That's a bigger problem!
What do you mean by active?

psychoadept

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 6267

 Once I got used to this, I thought maybe it's not so bad... But then I discovered that the buttons are active even when they're not visible. That's a bigger problem!
What do you mean by active?

I mean, if I tap on the spot where the button would be, it does the button action even when the button isn't visible.

AvikB

  • Hero Member
  • *****
  • Posts: 732
Once I got used to this, I thought maybe it's not so bad... But then I discovered that the buttons are active even when they're not visible. That's a bigger problem!
What do you mean by active?
I mean, if I tap on the spot where the button would be, it does the button action even when the button isn't visible.
is this on mobile or tablet?

psychoadept

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 6267
Mobile


psychoadept

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 6267
Thank you!

Another issue I'm running into on mobile is that if I'm trying to move a thread, I can't seem to select a different board.  The menu stays stuck on "Latest Version".  Once, I've had it work - and that was after I'd accidentally moved the thread to Latest Version!

AvikB

  • Hero Member
  • *****
  • Posts: 732
Thank you! Another issue I'm running into on mobile is that if I'm trying to move a thread, I can't seem to select a different board. The menu stays stuck on "Latest Version". Once, I've had it work - and that was after I'd accidentally moved the thread to Latest Version!
will look into it

Testeronly

  • Newbie
  • *
  • Posts: 1
Good day,

I would like to report a security issue in your website. Your website is vulnerable to an XSS attack!

This is how to execute the attack

Open Mozilla Firefox and copy the link below

http://getmusicbee.com/addons/s/?q=Hello&type=ThisPartIsvulnerableinXSS%22%3E%3Cimg%20src=x%20onerror=alert(%22blacksheep%22)%20/%3E

My attack will automatically pop up in your page!



You must fix this issue!


Thank you!

Steven

  • Administrator
  • Hero Member
  • *****
  • Posts: 24231
@Testeronly, thanks for reporting that. I will ask avikB to look into addressing it.
Could you explain how that type of attack can be used against people normally visiting the add-ons page from within the MusicBee website, i.e. wouldn't the attacker have to have access to update the PHP page so it generates (for example) a javascript action that opened a malicious web link? Is the point that it can be invoked from an external website that pretends to be the MusicBee website?
Last Edit: September 30, 2016, 10:18:21 AM by Steven

AvikB

  • Hero Member
  • *****
  • Posts: 732
Good day, I would like to report a security issue in your website. Your website is vulnerable to an XSS attack! This is how to execute the attack: Open Mozilla Firefox and copy the link below http://getmusicbee.com/addons/s/?q=Hello&type=ThisPartIsvulnerableinXSS%22%3E%3Cimg%20src=x%20onerror=alert(%22blacksheep%22)%20/%3E My attack will automatically pop up in your page! You must fix this issue! Thank you!
ah, thank you. I will fix this asap.

Steven

  • Administrator
  • Hero Member
  • *****
  • Posts: 24231
the add-ons page has been updated with a fix to the issue

@Testeronly, thanks for reporting that. I will ask avikB to look into addressing it.
Could you explain how that type of attack can be used against people normally visiting the add-ons page from within the MusicBee website, i.e. wouldn't the attacker have to have access to update the PHP page so it generates (for example) a javascript action that opened a malicious web link? Is the point that it can be invoked from an external website that pretends to be the MusicBee website?
From what I can gather, this issue would involve some deception from another website linking to the add-ons page where the link included some malicious javascript code, or an email sent to someone, again with a link that does the same. It wouldn't affect anyone visiting the add-ons page via the MusicBee website.
Anyone who is more knowledgeable about cross-scripting attacks, please correct me if I have it wrong or refine what I have said.
Last Edit: September 30, 2016, 07:40:15 PM by Steven

AvikB

  • Hero Member
  • *****
  • Posts: 732
From what I can gather, this issue would involve some deception from another website linking to the add-ons page where the link included some malicious javascript code, or an email sent to someone, again with a link that does the same. It wouldn't affect anyone visiting the add-ons page via the MusicBee website. Anyone who is more knowledgeable about cross-scripting attacks, please correct me if I have it wrong or refine what I have said.
yeah, that is pretty much the case.
On the malicious side one can simply steal cookies and verify him as logged in. Ofc the victim has to click on that specialized url. This gets worse, for example if an admin/mod clicks on a crafted link his cookies might get stolen and the attacker gets admin/mod access.

Of course he won't be able to change any forum setting or so, since SMF asks to re-enter the password on sensitive operations.

This method does not work on Chromium-based browsers, fortunately.
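
The reported link works because the `type` query value is reflected into the page without encoding. An added example, not part of the thread and not the add-ons page's actual source, shows the unsafe pattern beside two fixes; it assumes the value lands in a double-quoted attribute (as the `">` prefix of the reported value suggests), and the markup, function names and allowlist entries are hypothetical.

```php
<?php
// Added example: hypothetical reconstruction, not the real add-ons page code.

// Constructed input: the URL-decoded `type` value from the link in the report.
$type = 'ThisPartIsvulnerableinXSS"><img src=x onerror=alert("blacksheep") />';

// Unsafe pattern: request data concatenated into a double-quoted attribute.
// The first `"` in the value closes the attribute and `>` closes the tag,
// so everything after it is parsed by the browser as new markup.
function render_vulnerable(string $type): string
{
    return '<input type="hidden" name="type" value="' . $type . '">';
}

// Fix 1: encode for the HTML context at the point of output.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string.
function render_escaped(string $type): string
{
    $safe = htmlspecialchars($type, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="type" value="' . $safe . '">';
}

// Fix 2: a category selector has a small set of valid values, so anything
// outside the allowlist is replaced by a default before it is used at all.
// The entries below are assumptions, not the site's real categories.
function normalize_type(string $type): string
{
    $allowed = ['all', 'skins', 'plugins'];
    return in_array($type, $allowed, true) ? $type : 'all';
}

// Raw value: the <img ... onerror=...> element ends up in the document.
echo render_vulnerable($type), PHP_EOL;

// Encoded value: quotes and angle brackets are emitted as &quot; &lt; &gt;
// and stay inside the attribute as inert text.
echo render_escaped($type), PHP_EOL;

// Validated, then encoded: the unexpected value collapses to "all".
echo render_escaped(normalize_type($type)), PHP_EOL;
```

Encoding at output is the fix for the reflection itself; for the cookie theft described above, marking the session cookie `HttpOnly` additionally keeps injected script from reading it through `document.cookie`.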

Steven

  • Administrator
  • Hero Member
  • *****
  • Posts: 24231
One thing I have noticed with the member search functionality is it only works correctly with lower case where the member name is in lower case. So if a member name is "Happy" then no match can be made no matter what letter case you search with, but if the member name is "happy" then it works.