
Show HN: Newsboard – A Hacker News Clone - robdelacruz
http://newsboard.robdelacruz.com/
======
jenoer
@robdelacruz: I have a few security-related findings for you that you might
want to take a look at:

- I can inject any JavaScript in Titles, Tags and possibly other locations.

- By manually changing the value of the `userid` cookie, I can log in as any
user ("1" for admin). This also allows me to access the admin section of the
website.

- It's highly recommended to enable "HttpOnly" for session cookies. (Secure
and SameSite should also be more strict if the application allows it.)

Other remarks:

- There should be a limit on the length of submission titles; these are close
to infinite, it seems.

Edit: It seems others are completely defacing the board by using these tricks.
I just want you to know that it's not me.
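An added illustration of the cookie fix jenoer describes (not code from the newsboard project; Go is used here for illustration only, and the key, cookie name and layout are assumptions): the `userid` is still stored client-side, but it is bound to an expiry and an HMAC, so changing `42` to `1` is rejected, and the cookie is issued with HttpOnly, Secure and SameSite=Strict.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Server-side secret (constructed placeholder; load from config in practice).
var sessionKey = []byte("constructed-example-key-do-not-use")
// sign returns base64url(HMAC-SHA256(sessionKey, payload)).
func sign(payload string) string {
	m := hmac.New(sha256.New, sessionKey)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}
// EncodeSession builds "userid|expiry|mac": readable by the client, but any
// change to userid or expiry invalidates the MAC.
func EncodeSession(userid string, expires time.Time) string {
	payload := userid + "|" + strconv.FormatInt(expires.Unix(), 10)
	return payload + "|" + sign(payload)
}
// DecodeSession returns the userid only if the MAC verifies and it is unexpired.
func DecodeSession(value string, now time.Time) (string, error) {
	parts := strings.Split(value, "|")
	if len(parts) != 3 {
		return "", errors.New("malformed session cookie")
	}
	payload := parts[0] + "|" + parts[1]
	if !hmac.Equal([]byte(sign(payload)), []byte(parts[2])) {
		return "", errors.New("session cookie signature mismatch")
	}
	if exp, err := strconv.ParseInt(parts[1], 10, 64); err != nil || now.Unix() > exp {
		return "", errors.New("session expired")
	}
	return parts[0], nil
}
// SessionCookie sets HttpOnly, Secure and SameSite=Strict as recommended above.
func SessionCookie(userid string, now time.Time) *http.Cookie {
	exp := now.Add(24 * time.Hour)
	return &http.Cookie{Name: "session", Value: EncodeSession(userid, exp), Path: "/",
		Expires: exp, HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode}
}
```

A bare value such as `1` (the old `userid` cookie) fails the parse outright, and a value whose userid field was edited fails the MAC check.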

~~~
robdelacruz
Thanks for the bug reports. Much appreciated. Will take a look at these one by
one. Hopefully to get the site back up and running.

Source code is at:
[https://github.com/robdelacruz/newsboard](https://github.com/robdelacruz/newsboard)

------
krapp
It looks like you're using HTML form maxlength attributes to determine the
maximum length for elements. I hope you're _also_ validating that on the
server somehow, because of course anyone can simply delete those before
posting.

Remember, no one even has to go through your form to make a POST request to
one of your endpoints (unless maybe you're using CSRF tokens, which you don't
seem to be). Never assume that what you send to the user has any relationship
to what they send back, and never validate on the front end.

~~~
robdelacruz
You're right, there's no validation on the server. Need to fix those.

As a quick fix to get the site up and running again, I just trimmed off any
overly long title or cat beyond a certain limit of chars.

------
robdelacruz
(OP here) Hi guys, thanks for checking out newsboard.

Source code is here
[https://github.com/robdelacruz/newsboard](https://github.com/robdelacruz/newsboard)

I will look into fixing the security bugs to get the site back up and running.
Feel free to check out the code.

If you have time to waste, check out my "unix fortune2" web page to get your
unix fortunes. It's a clone of 'unix fortune':

[http://fortune2.robdelacruz.com/](http://fortune2.robdelacruz.com/)

~~~
robdelacruz
Site is up again:
[http://newsboard.robdelacruz.com/](http://newsboard.robdelacruz.com/)

------
brian_herman__
I think someone figured out how to include their own JavaScript inside the
website. I got two alert boxes when I opened the page.

------
freetonik
Looks neat and tidy. Is it open source?

~~~
iKevinShah
The first link on the demo is this -
[https://github.com/robdelacruz/newsboard](https://github.com/robdelacruz/newsboard)

Seems like the source

> newsboard - a bulletin board and bookmark sharing site (inspired by
> HackerNews)

~~~
robdelacruz
OP here. Right, that's the source:

[https://github.com/robdelacruz/newsboard](https://github.com/robdelacruz/newsboard)

I used plain css from scratch to keep it small. I tried to copy the HackerNews
look, but using Flex instead of Tables.

------
whinvik
Is the source for HN available?

~~~
detaro
An older version/variant is part of the Arc sources
([http://www.arclanguage.org/](http://www.arclanguage.org/)), but the code
running the actual site is not.

------
pcdoodle
Very cool!

------
maps7
You should probably take this down now

