I included a sample spam here. How do we stop this ? thanks SPAM SPAM SPAM SPAM SPAMSPAM SPAM SPAM SPAM SPAMSPAMSPAMSPAMSPAMSPAMSPAMSPAMSPAMThis thread is done..
|
Orca is notorious for having multiple, well documented exploits and other vulnerabilities, such as this. There's little that can be done beyond BoonEx getting their arses in gear and fixing the problems. Also, I understand how annoying it is; now please just upload a screenshot. BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
No screenshot.. it was a problem in my old site.. and i see that the spam works in here too.. kinda annoying because it is allowing full html code.. would have been better to only allow bb codes and text |
MS, did you not see the blue image with the crumpled up font. screen shot was too large, so i am providing a link Orca Injection Even on Boonex.com/Unity Regards, DosDawg When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
MS, did you not see the blue image with the crumpled up font. screen shot was too large, so i am providing a link Orca Injection Even on Boonex.com/Unity Regards, DosDawg I did, which is why I asked for a screenshot. It also appears non-crumpled for me, though (screen size?). BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
I edited the spam so it's more clear. can this be parsed ? I reckon it's a preg_match fix ... prolly clean up the html tags like preg_replace('/<div(.*)>/', ' ', $textwhatever); The UGLIEST part is that, this can be touched up nicely, and it will look like part of the site.. but is actually SPAM ! |
1024 x 768 so did the screenshot help? :) Regards, DosDawg When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
1024 x 768 so did the screenshot help? :) Regards, DosDawg Yes, now, can we get rid of the annoying example that blocks my view of the posts? BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
1024 x 768 so did the screenshot help? :) Regards, DosDawg Yes, now, can we get rid of the annoying example that blocks my view of the posts? well, if I did.. it will kind of defeat the purpose of showing the example. Just scroll down :) |
I thinks it's EASIER to see now :) |
I thinks it's EASIER to see now :) If you like, I'll force-disable the viewing of this topic, all without any moderation powers. That should give you an idea of the kind of vulnerabilities you can pull-off. BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
The good thing is that it's not allowing <script and <iframe tags |
I thinks it's EASIER to see now :) If you like, I'll force-disable the viewing of this topic, all without any moderation powers. That should give you an idea of the kind of vulnerabilities you can pull-off. Exactly.. or make a div that covers the WHOLE page.. make it look like LEGITLY from Boonex. Any ideas for the fix ? |
HOLY CRAP! Ok, this is a real nut buster for me. I am quickly becoming disenfranchised with the whole Boonex project. I am disabling my forum and going ahead with the phpbb3 integration I already own. This is just nitwitology, plain and simple. One more major Faux pas like this and I'm outa here...... http://towtalk.net ... Hosted by Zarconia.net! |
I thinks it's EASIER to see now :) If you like, I'll force-disable the viewing of this topic, all without any moderation powers.
That should give you an idea of the kind of vulnerabilities you can pull-off. Exactly.. or make a div that covers the WHOLE page.. make it look like LEGITLY from Boonex.
Any ideas for the fix ? Yeah remove the html button from the tinymce editor. https://dolphin-techs.com - Skype: Dolphin Techs |
HOLY CRAP! Ok, this is a real nut buster for me. I am quickly becoming disenfranchised with the whole Boonex project. I am disabling my forum and going ahead with the phpbb3 integration I already own. This is just nitwitology, plain and simple. One more major Faux pas like this and I'm outa here...... Well.... here is one more for ya... see ya later. http://www.boonex.com/unity/forums/?action=goto&my_threads=1#topic/a-Custom-Form-values-on-same-line.htm https://dolphin-techs.com - Skype: Dolphin Techs |
You wouldn't be able to do this if Boonex had integrated htmlpurifier into Orca. I have no idea why they didn't. They must have felt that their own filter was good enough. Evidently, it isn't. My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
You wouldn't be able to do this if Boonex had integrated htmlpurifier into Orca. I have no idea why they didn't. They must have felt that their own filter was good enough. Evidently, it isn't. Didn't Andrew say they would integrate third-party forums like they did with Dolphin 6.1? Then again, we were promised a lot of things. BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
You wouldn't be able to do this if Boonex had integrated htmlpurifier into Orca. I have no idea why they didn't. They must have felt that their own filter was good enough. Evidently, it isn't.
I'm with you on that brother ... http://towtalk.net ... Hosted by Zarconia.net! |
I remember him saying something like that when I suggested using a real forum for THIS site. I'm not sure he meant a D7 integration for distribution. These guys at Boonex are stuck on Orca. I kinda like the blue spam bars... I think I prefer red ones though. My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
actually there are some places I would love to do this in my forum, can someone pm me the instructions? |
now this makes me really feel like investing money into this project... ManOfTeal.COM a Proud UNA site, six years running strong! |
actually there are some places I would love to do this in my forum, can someone pm me the instructions? the example code is all over this thread :) |
Rules → http://www.boonex.com/terms |
Alex, your fix is a little too aggressive. I used to be able to post code snippets directly, now I need to use the pre tag. My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
Alex, your fix is a little too aggressive. I used to be able to post code snippets directly, now I need to use the pre tag. Yep.. it is indeed! just removing the HTML button on the TinyMCE editor works for me :) |
Maybe we could assign permissions to the html button? Make it available to admins only? Then we would have the best of both worlds http://towtalk.net ... Hosted by Zarconia.net! |
Maybe we could assign permissions to the html button? Make it available to admins only? Then we would have the best of both worlds the bad thing is.. you can always inject JS codes to your browser and re-enable the html button on the client side :( |
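
Added example (not part of any post above, and not Orca or BoonEx code): the `preg_replace('/<div(.*)>/', ...)` filter suggested in the thread, compared with a server-side escape-then-allowlist renderer that does not depend on the TinyMCE HTML button being hidden in the browser. The function names, the BBCode tag set and the sample posts are assumptions constructed for illustration.

```php
<?php
// Added illustration, not Orca/BoonEx code. Names and sample posts are constructed.

// Filter proposed in the thread: case-sensitive, <div> only, greedy (.*).
function strip_div_regex(string $html): string
{
    return preg_replace('/<div(.*)>/', ' ', $html);
}

// Server-side alternative: escape all markup, then re-enable a BBCode allowlist.
function render_post(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Paired tags only; no attribute is ever copied from user input.
    foreach (['b' => 'strong', 'i' => 'em', 'code' => 'pre'] as $bb => $tag) {
        $safe = preg_replace(
            '#\[' . $bb . '\](.*?)\[/' . $bb . '\]#is',
            "<$tag>\$1</$tag>",
            $safe
        );
    }
    // Links must be http(s); any other scheme stays inert text.
    return preg_replace(
        '#\[url\](https?://[^\s\[\]"<>]+)\[/url\]#i',
        '<a href="$1" rel="nofollow noopener">$1</a>',
        $safe
    );
}

$samples = [
    // Greedy match runs to the last ">" on the line and eats legitimate text.
    'lowercase div' => '<div style="background:blue">SPAM</div> is 3 > 2?',
    // Not matched at all: the regex is case-sensitive and only knows <div>.
    'uppercase div' => '<DIV style="background:blue">SPAM</DIV>',
    'other tag'     => '<span style="font-size:40px">SPAM</span>',
    // A legitimate code snippet: the regex mangles it, escaping preserves it.
    'code snippet'  => "[b]Tip[/b]: [code]preg_replace('/<div(.*)>/', ' ', \$t);[/code]",
];

foreach ($samples as $name => $post) {
    printf("%s\n  regex : %s\n  escape: %s\n\n",
        $name, strip_div_regex($post), render_post($post));
}
```

Because the escaping runs on the server at render time, a request that bypasses the editor and submits raw HTML still comes out as inert text.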