Forum

> > Unreal Software > Unreal Software bugs and errors thread
Forums overviewUnreal Software overviewLog in to reply

English Unreal Software bugs and errors thread

219 replies
Page
To the start Previous 1 210 11 Next To the start

old Re: Unreal Software bugs and errors thread

Kolia_rus
Security Supporter Off Offline

Quote
@user DC: I'm so glad to see there's something new on the site

As of the sticky menu, this is what I meant:
IMG:https://s1.hostingkartinok.com/uploads/images/2024/02/beb4fc734d1fb27efffd95ebd5bfe67b.png


This is from the YT app. While it definitely has not the best UI in the world, I think the menu looks just right enough to be an example here. A combination of:
√ Buttons that are of the same size
√ Icons that are displayed together with text
√ No useless gaps between active elements (buttons)
√ Solid/fill icons to help you know which section you're currently in.
There's also a plus button to post something new, but for this site we don't need that.

I hope this illustrates what I meant.

I also agree with the idea of removing the language selection button from the sticky menu. The site should automatically determine the language by the Accept-Language header value. If there's a `de` in it and it has a weight high enough, then the site language should be German. English otherwise. And the language selection button should be placed somewhere else, as it'll not be that important to be displayed where it currently is.

Another thing I found is that there's no confirmation window like "Are you sure you want to leave this page?" for the posting form. Like, I was typing this all, then clicked on some link, went back, and my message was gone. Luckily, I predicted that, so I was able to do CTRL+V to restore what I wrote, but I think this is kinda harmful as most users except the site to show some warning (or even to store unsent posts for a short time!) Let's say, the site should display a confirmation window when a user tries to open a different page, only in case if the "Message" input was not empty. Safe and not annoying.

Also, this is not exactly a bug, but an idea: when a user wants to add some code inside a message, can we make it automatically detect the language by default, and not suggesting Lua as the default language? There's already an option for auto-detect but I have to select it manually every time.

Bugs & Ideas regarding the Users page:
Spoiler >


Edit:
The "Declined" message has the √ icon instead of ×:
IMG:https://s1.hostingkartinok.com/uploads/images/2024/02/9aa1fe1e533c6d43400d94a5261686dc.png
edited 2×, last 18.02.24 09:53:00 pm

old Re: Unreal Software bugs and errors thread

DC
Admin Off Offline

Quote
Ah I see. Thanks for the example. This still takes quite some space but I will do some expriments with that.

Regarding losing what you typed: I already have that on my list. I plan to add a protection for that & maybe to even automatically save and be able to restore what you typed.

Regarding script auto detect: The main problem with that is that auto detect often fails with very short scripts and assigns random languages to those. This leads to weird and misleading highlighting. Also Lua is the most used language here by far. That's why it's the default and auto detect has to be activated manually.

Thank you very much for the detailed list of other problems (and ways to fix them). Will look into that

old A CSRF Vulnerability

Kolia_rus
Security Supporter Off Offline

Quote
Files in uploads can be removed without any CSRF protection. A request like https://unrealsoftware.de/files_show.php?file=18304&showcontents=1&delcontent=maps%2Fdm_easystruct.map will be fulfilled without any confirmation window and hash comparison. Therefore, one can troll the uploader by convincing him to clicking on such a link, maybe with shortening it or including it as an image inside a HTML document and asking the uploader to open it in browser. The upload ID and file name are indeed publicly known so it'd take almost no effort to perform such a malicious action. I mean, you know why CSRF is bad, as there's already protection from it in other handlers... I observed this vulnerability when uploading my maps and poking around for whatever the interface has for me.

old Re: Unreal Software bugs and errors thread

DC
Admin Off Offline

Quote
@user Kolia_rus: Woah. Totally missed that and you're absolutely right. Will add a hash to that action! Thanks!

@user Mora: Ugh, I think it's a mobile device problem in general. Maybe because I hide the button while it's focused. I put it on my list. Shouldn't be too hard to fix.

old Re: Unreal Software bugs and errors thread

Kolia_rus
Security Supporter Off Offline

Quote
Consider removing this popup outside of posts' contents. I indeed don't need to search for a user who has the same ID as the number of the current page. Maybe it'd make sense to get rid of that pop up entirely, but you do you.
IMG:https://s1.hostingkartinok.com/uploads/images/2024/02/f792eed44b49f037cc7b50f2751e7c86.png


---

The "Starts with" selection menu has a default value of "0" instead of "-all".
IMG:https://s1.hostingkartinok.com/uploads/images/2024/02/2d50d262b508a8354fe92c185126faba.png

It displays all users, though. This also makes it impossible to see users whose nicknames actually start with 0 without selecting a different letter/number and only then choosing "0".

---

The "More Stats" button on this page → https://unrealsoftware.de/usgn.php links to https://unrealsoftware.de/usgn.php?s=stats which doesn't show more stats, so this is kinda misleading. Better make it redirect to https://unrealsoftware.de/stats.php, as this is the page, which, in fact, has more stats.

---

The caption regarding 7Zip, WinRAR and WinZip is not translated from German:
IMG:https://s1.hostingkartinok.com/uploads/images/2024/02/5e0d472595f2268bd7b6ad48f594cb1d.png
edited 4×, last 25.02.24 01:19:08 pm

old Re: Unreal Software bugs and errors thread

GeoB99
Moderator Off Offline

Quote
The temporary ban control panel shows an entirely different post for the ban reason when tagging a user for a rule violation. The ban itself is set on the target user as expected but with a randomly different post of which it does not relate to the actual ban reason why the user was punished to begin with. Even worse, the rule is tagged on another user's post.

Only file comments seem to be affected by this bug, forum posts are OK. Still, that's bad. Check file cs2d UB | Sandstone and the actual comment and see for yourself.
IMG:https://images2.imgbox.com/f3/52/NOwzcp8p_o.png

old Re: Unreal Software bugs and errors thread

Kolia_rus
Security Supporter Off Offline

Quote
Inside subfolders, the 404 error page is rendered incorrectly.
https://www.unrealsoftware.de/404/123
IMG:https://s1.hostingkartinok.com/uploads/images/2024/02/fcfeef79b5aa461891faebfec230595f.png

That's because you forgot to put a slash as the first character for links to CSS and JS files:
<link href="fontawesome/css/brands.min.css" rel="stylesheet">
<link href="fontawesome/css/solid.min.css" rel="stylesheet">
<link href="css/highlight-vs2015.min.css" rel="stylesheet">
<link href="css/style.css?v=13" rel="stylesheet">
<script src="js/script.js?v=8"></script>
<script src="js/highlight.min.js"></script>
edited 1×, last 25.02.24 11:28:20 pm

old Re: Unreal Software bugs and errors thread

DC
Admin Off Offline

Quote
Thanks a lot for all the reports! This is really super helpful to make the website much better. Already took care of a few things:

√ The logo (us) is clickable and leads to portal, also profile image leads to profile and "community" opens the forum (desktop only)
√ fixed all main layout URIs to start with / so the error page works as expected
√ fixed the "starts with" filter on the user page (looks like I totally broke it at some point. I was sure that it worked after I touched it for the rework...)
√ hash for deleting single files in zip archives

I currenlty don't plan to limit the "number selection to user ID"-tooltip because I may need it outside posts/pms and it doesn't really hurt to have it everywhere. I also won't change the U.S.G.N. stats link for now because the regular stats page doesn't really have more U.S.G.N. related stats. The long term plan is to offer more detailed U.S.G.N. usage stats later on.

@user GeoB99: Uhh that ban stuff is bad. Will look into it asap
edit: √ should be fixed (comment ids were used like post ids...)

@user Mami Tomoe / user Chingy: That issue is weird. Didn't manage to find the reason yet but will look into it again soon.
edited 2×, last 26.02.24 10:33:10 pm

old A new vulnerability

Kolia_rus
Security Supporter Off Offline

Quote
Hey @user DC! Following the file archive CSRF thing, I found a new vulnerability. This time it's not that severe, but you may want to take a look at it.

Description
Using the Password Recovery form, a violator can check if an account is tied to a specific email address. Let's say he found an email somewhere, thinks that it belongs to a specific user, but he's not sure and wants to check it. He'd open the Recovery form and enter both the alleged nickname and the alleged email address. If the specified account is registered under that email, he'd see a message saying that an email was just sent. Otherwise, he'd see an error says: "Wrong e-mail address".

While not really destructive, this behaviour may be a part of information gathering campaign targeted against specified user. This weakness has a CWE ID of 204:
https://cwe.mitre.org/data/definitions/204.html has written
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can be inadvertent (bug) or intentional (design).


Solution
Instead of the current behaviour, the server should return a message like: "If the specified address is tied to the specified account ([insert_account_nickname_here]), an email has just been sent". Thus, a violator will not be able to see if the address and account are connected with each other. It should say that the address is wrong only in cases when a user enters an invalid address which fails whatever thing you use to differentiate an email address against a regular string.

That's how big sites do it (the Microsoft site, for example), so let's be more professional and fix all weaknesses.

Another vulnerability
There's a similar vulnerability which falls into the same CWE of 204. On the Name Recovery page, one can check if the specified address exists in the database. While this doesn't reveal the username, it still can be used to see if there's a specific user on this website or not. The solution is the same as above.

old Re: Unreal Software bugs and errors thread

DC
Admin Off Offline

Quote
@user Mora: Oh no... didn't test on Safari. Will try to find out what's going on there. Thanks for the report.

@user Kolia_rus: Fixed the stats. Of course you are right about the recovery stuff. It's not as safe as it should be. I did this intentionally to make it more easy for users to recover their account but of course this also makes it easier for attackers. Will change that. Also you have been promoted to a security supporter for your ongoing help. Thanks

old Re: Unreal Software bugs and errors thread

Kolia_rus
Security Supporter Off Offline

Quote
@user DC: thank you for promoting me to a Security Supporter. I remember it was my childhood dream to get some cool flair here, and now, as an adult, I'm truly happy that it really happened. I promise to be helpful and to keep looking for more stuff for you to fix.

---
The "language" cookie value has some superfluous symbols. The language switch still works fine, but it's probably not the way you wanted it to be:
IMG:https://s1.hostingkartinok.com/uploads/images/2024/03/0951a703ae0c52920287545855cec75b.png
edited 1×, last 06.03.24 10:45:20 pm

old Re: Unreal Software bugs and errors thread

DC
Admin Off Offline

Quote
These additional values actually have a meaning. I abuse that cookie for additional settings. I decided to simply keep it that way with the new website for simplicity and compatibility reasons.

I could rework that but it doesn't really matter and therefore has quite a low prio.

old Re: Unreal Software bugs and errors thread

Mami Tomoe
User Off Offline

Quote
If you look at an image in a file (like file File does not exist (18307)), and then use ESC to exit the image preview (instead of clicking outside/using the X), your scroll bar won't come back until you refresh the page or re-enter the image and leave it in the above working methods.

old Re: Unreal Software bugs and errors thread

DC
Admin Off Offline

Quote
Recover forms have been made more secure and can't be used anymore to reveal which e-mail addresses are used

@user Mami Tomoe: Fixed that as well. The image gallery is still a bit wonky and needs some polishing in general

old Re: Unreal Software bugs and errors thread

Kolia_rus
Security Supporter Off Offline

Quote
Good job @user DC! When I was writing that vulnerability report, I thought you'd fix it wrong, so there will still be a CWE-208: Observable Timing Discrepancy, but you did it very right, so now it's impossible to tell which address is used even by comparing the time it takes to fulfill requests with correct & incorrect addresses.
To the start Previous 1 210 11 Next To the start
Log in to replyUnreal Software overviewForums overview