Urgent Fix needed, [img] tag abuse
PaintBallFM
08-15-2008, 08:42 PM
It appears that you can abuse the tags to load anything.
On a habbo forum I visit (habboxforum.com), I was testing something by doing
[img ]http://www.habboxforum.com/?style=1[/img ]
[img ]http://www.habbo.com/account/logout[/img ]
and they both worked.
Now I am a bit worried for my own forum and everyone else's that this can easily be exploited.
Thanks, Dominic Lipscombe.
Opserty
08-15-2008, 08:45 PM
I don't see what the problem is... :confused:
Can you provide screenshots or a link or something?
PaintBallFM
08-15-2008, 08:47 PM
I would, but I'm banned for 24 hours from HxF :down:
Opserty
08-15-2008, 08:51 PM
See if you can recreate it on your own forum then and post the results if you are successful because I really don't understand what is supposed to be going on here. (BBCode is parsed within [code] tags).
Lynne
08-15-2008, 09:03 PM
Under vBOptions > Message Posting and Editing Options, make sure to set this to No:
Allow Dynamic URL for [IMG] Tags
With this option set to 'no', the [IMG] tag will not be displayed if the path to the image contains dynamic characters such as ? and &. This can prevent malicious use of the [IMG] tag.
PaintBallFM
08-15-2008, 09:05 PM
Yes, I can reproduce this.
Go to: http://forum.truecrimegaming.com/showthread.php?p=94#post94
and press F5 once it's loaded :)
Opserty
08-15-2008, 09:17 PM
See Lynne's post.
(I searched all over vBulletin Options for that setting and couldn't find it! I knew it was there somewhere. :D)
Videx
08-18-2008, 03:23 AM
Under vBOptions > Message Posting and Editing Options, make sure to set this to No:
Allow Dynamic URL for [IMG] Tags
I don't have that option there (in 3.7.2).
Lynne
08-18-2008, 03:36 AM
I don't have that option there (in 3.7.2).
Hmmm, I wonder what they did with it for 3.7.x?
edit: Interesting... I found this on vb.com but nowhere do they say why it was removed - 3.7.0 deprecated "Allow Dynamic URL for [IMG] Tags" (http://www.vbulletin.com/forum/showthread.php?t=273307&highlight=Allow+Dynamic)
Opserty
08-18-2008, 08:08 AM
Did they enable it or disable it by default then?
The vB.com staff seemed awfully unhelpful on that occasion :(
cheat-master30
08-18-2008, 10:10 AM
Under vBOptions > Message Posting and Editing Options, make sure to set this to No:
Allow Dynamic URL for [IMG] Tags
With this option set to 'no', the [IMG] tag will not be displayed if the path to the image contains dynamic characters such as ? and &. This can prevent malicious use of the [IMG] tag.
That isn't going to help if they're using vB SEO, like in the example which gives 'static' URLs for pages without the IDs and stuff. I think vBulletin should implement a filter which checks if it ends with a valid file extension to stop this problem.
Marco van Herwaarden
08-18-2008, 10:47 AM
Not 100% sure, but I think this setting has been removed as it doesn't really serve a purpose anymore. Even a (seemingly) static link can lead to dynamic content.
Checking for file extensions also does not help; I can easily create a .htaccess redirect that will turn a static link (http://www.site.com/image.jpg) into a redirect to a PHP script.
PS: Search the 3.7 forums (and the bug tracker) on vB.com for 'Dynamic' and you will find a few posts where this is explained/discussed.
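As an added illustration of the two checks debated in this thread (it is not vBulletin's code), here are the dynamic-character filter and the file-extension filter written as plain functions and run over the URLs quoted above; the allowed-extension list is an assumption.

```python
# Added example, not vBulletin code: the two [img] URL checks discussed in this
# thread, implemented side by side so their coverage can be compared.
from urllib.parse import urlsplit

# Assumed allow-list of image extensions for the extension-based check.
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".gif", ".png")


def is_dynamic_url(url: str) -> bool:
    """Lynne's option: treat a path containing '?' or '&' as dynamic."""
    return "?" in url or "&" in url


def has_image_extension(url: str) -> bool:
    """cheat-master30's proposal: require the path to end in an image extension."""
    path = urlsplit(url).path.lower()
    return path.endswith(IMAGE_EXTENSIONS)


def img_tag_allowed(url: str, dynamic_check: bool, extension_check: bool) -> bool:
    """Decide whether an [img] URL would be rendered under the selected checks."""
    if not url.lower().startswith(("http://", "https://")):
        return False
    if dynamic_check and is_dynamic_url(url):
        return False
    if extension_check and not has_image_extension(url):
        return False
    return True


def classify(urls):
    """Map each URL to (allowed by dynamic filter, allowed by extension filter)."""
    return {u: (img_tag_allowed(u, True, False), img_tag_allowed(u, False, True))
            for u in urls}


# Constructed sample set: the two URLs from the thread plus a static-looking
# image URL (which, as Marco notes, a server-side redirect can still point at a script).
SAMPLE_URLS = [
    "http://www.habboxforum.com/?style=1",
    "http://www.habbo.com/account/logout",
    "http://www.site.com/image.jpg",
]

if __name__ == "__main__":
    for url, (dyn_ok, ext_ok) in classify(SAMPLE_URLS).items():
        print(f"{url}: dynamic filter allows={dyn_ok}, extension filter allows={ext_ok}")
```

The dynamic-character filter stops the `?style=1` URL but passes `/account/logout`, and the extension filter stops both yet passes any URL that merely ends in `.jpg`, which is the gap Marco describes.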
vBulletin® v3.8.12 by vBS, Copyright ©2000-2025, vBulletin Solutions Inc.