sucs-site issues
https://projects.sucs.org/sucssite/sucs-site/-/issues
Updated: 2017-10-10T17:22:08Z

Issue #24: Loss of WYSIWYG editor on content pages
https://projects.sucs.org/sucssite/sucs-site/-/issues/24
Author: Tim Clark
Updated: 2017-10-10T17:22:08Z

Feature regression:
Increases the barrier to entry for editing the site content.

Issue #27: CSRF Vulnerabilities in forms on SUCS site and arbitrary script/html injection
https://projects.sucs.org/sucssite/sucs-site/-/issues/27
Author: Chris Piper
Updated: 2017-10-10T17:22:08Z

SUMMARY:
POST requests can be submitted automatically in JavaScript for some forms from any site and are automatically authenticated if the user was logged in at any point in the browser session and has not logged out (or been timed out).
Banana awards allow arbitrary HTML (including script tags) onto the page.

PROOF OF WORK:
Tests were done on https://sucs.org/~elbows/sucssite/ . Users with banana privileges who had previously logged on to elbows' sucs site (or had it open in another tab), who visited the URL http://ninekaku.com/test [update: now offline, see comments] found a nearly empty page. In the background they had automatically awarded a user called "test" -3 bananas and given as the reason a JavaScript URL redirection back to the page http://ninekaku.com/test.

SUGGESTED FIX:
Randomly generate a token when the page is loaded and make that part of the POST request. If the wrong random string is submitted, validation fails.
More details on prevention measures for this type of attack: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

Fix #27

Issue #30: Desktop on demand is broken and still on display
https://projects.sucs.org/sucssite/sucs-site/-/issues/30
Author: Osian Smith
Updated: 2017-10-10T17:22:08Z

The desktop on demand broke a while back but I got told by @imranh in freshers that it wasn't going to be fixed, yet it's still up - is it worth taking the link down?

Issue #32: Colourblind support
https://projects.sucs.org/sucssite/sucs-site/-/issues/32
Author: Mathew Ian Estienne
Updated: 2017-10-10T17:22:08Z

The current site has issues with colourblind support, for multiple forms of colourblindness.
For example, dark-orange on orange is used in the top-right of the homepage, which appears to be almost invisible to red-green and blue-yellow.
To check a page, I have been using [this colourblind tester]. The three options I have been using are Protan, Deutan and Tritan.
If any colourblind users want to contribute their eyes, they could help flag particularly troublesome pages for review.

[this colourblind tester]: <http://colorfilter.wickline.org/>

Issue #35: Give better feedback to the user when submitting bananas
https://projects.sucs.org/sucssite/sucs-site/-/issues/35
Author: Imran Hussain (imranh@sucs.org)
Updated: 2017-10-10T17:22:08Z

Use the message_flash() function when a user submits either a banana nomination or awards bananas, saying whether an action has been taken or not.