I'm thinking of a hack..
Velocd
07-26-2002, 04:05 AM
..that I need your opinion on, and what vulnerabilities it could possibly cause for the forum.
This hack will create a new large profile field similar to the signature field in the user-profile page. There a user will be allowed to enter all the web authoring code they want (assume there is no block of which languages they could use), and then this code is stored in the user table as a new column of data, called "custompage".
I create a new template, inside the template I place $headinclude, $header, and $footer. Between the $header and $footer I place this variable: $custompage
$custompage refers to all the data that the user inputted into their field.
Initially, by a link in each user's profile, which will look something like: http://www.mysite.com/forums/member.php?s=$session[sessionhash]&action=getcustompage&userid=$userinfo[userid], the member will be sent to a new page that contains all the content they entered in their custompage field. Of course this content will be translated into weblanguage code, and thus displaying that user's custom page!
Sounds cool, right? Well now I know the uses of HTML on the forum are bad enough for vulnerabilities, so what serious problems would occur allowing this?
What comes to my mind of course is malicious users making PHP queries in the field and corrupting my database! Totally possible from my point of view. Other things include calling variables from the global.php, since it is being referenced in members.php, and also calling other variables from members.php.
So..to prevent these things, disabling (of course) PHP and other non-HTML/Javascript languages would probably be a very high priority. As for HTML and javascript itself though, what problems can occur?
Any help on this would be great!
Regards,
Velocd :p
Admin
07-26-2002, 06:09 AM
Originally posted by Velocd
What comes to my mind of course is malicious users making PHP queries in the field and corrupting my database! Totally possible from my point of view. Other things include calling variables from the global.php, since it is being referenced in members.php, and also calling other variables from members.php
Well that's not possible, not if you escape the variable properly. But that's the least of your problems... I say drop it. People can use HTML in there that could redirect your users to their own Web site, and even worse, send the viewer's cookie data to their own server.
Dean C
07-26-2002, 07:39 AM
surely if you can disable html code in profile fields in member.php currently you could stop it from being used in that field
Admin
07-26-2002, 07:59 AM
Originally posted by Mist
surely if you can disable html code in profile fields in member.php currently you could stop it from being used in that field
What would be the point of having your own custom page where you can't use HTML? :confused:
Dean C
07-26-2002, 08:40 AM
oh... i see what this hack is now ... ;)...
sounds nice ;)
Velocd
07-26-2002, 03:47 PM
Hmm, I see. Well, the only things that come to mind is somehow disabling certain tags in HTML so you can't use them. But that would be way too hard...I think.
Or..create custom vBulletin tags that act as HTML tags, but again that would be outta line.
...*ponders*
Well I'll try to think of some similar hack..
edit:
Originally posted by FireFly
Well that's not possible, not if you escape the variable properly. But that's the least of your problems... I say drop it. People can use HTML in there that could redirect your users to their own Web site, and even worse, send the viewer's cookie data to their own server.
My moderators and I will be more than likely watching over each member's custom page, and if we find anything strange or suspicious in the source we could always warn/ban the member. I could easily create an option that would just disable custom pages for that member, if they were caught doing something wrong.
Dean C
07-26-2002, 05:34 PM
how about just banning the malicious html tags thru the "vbulletin options"..
im sure there was a thread on vbulletin.com full of malicious tags... and you could add a little footnote on creation and editing of the page of the tags that cannot be used :D
Velocd
07-26-2002, 06:00 PM
I'll figure something out..
Dean C
07-26-2002, 06:17 PM
looking forward to it :D!
NTLDR
07-26-2002, 06:32 PM
Just a suggestion, but why don't you make it so you have to moderate their custom page and updates to it to check the content of it before visitors can view it?
Just my $0.02.
Velocd
07-26-2002, 07:06 PM
I'm already on way with developing this hack, it's not very hard at all. Your suggestion makes perfect sense, but I also plan to have a post count checker, and only allow my members with at least 300 post count to use this hack (that number of course can be set by you).
Having a member's page be checked each time they make a change, whether small or large (ie. changing a font size) would get really annoying for the member and the moderators. I think just allowing the custompage for only those with higher post counts is better, since those who have been on the board longer know the rules and will act more responsible..(hopefully).
:cool:
Xenon
07-26-2002, 07:10 PM
trust nobody velo, i know what i say .... ;)
i think you should make a censorship to avoid some functions like scriptingcode, cookie use aso.
Velocd
07-26-2002, 07:53 PM
Originally posted by Xenon
trust nobody velo, i know what i say .... ;)
i think you should make a censorship to avoid some functions like scriptingcode, cookie use aso.
That sounds like a great idea, but I'm not sure how to make it..maybe you could help me Xenon? (AIM: Velocd3)
NTLDR
07-26-2002, 08:21 PM
Originally posted by Velocd
Having a member's page be checked each time they make a change, whether small or large (ie. changing a font size) would get really annoying for the member and the moderators. I think just allowing the custompage for only those with higher post counts is better, since those who have been on the board longer know the rules and will act more responsible..(hopefully).
Yeah, I had thought of that and for large board especially wouldn't be very good. The post count idea sounds logical to me, or you could have a usergroup with members in who you consider to be responsible enough to have a custom page, just another thought that came to mind ;)
Xenon
07-26-2002, 09:43 PM
i don't have AIM, just icq ;)
also i can't help you exactly, because i don't know java and other scripting languages, also i'm not a html profi ;)
but how to censor some textparts i can tell you ;)
easiest way is to look how censortext() work in functions.php ;)
Velocd
07-26-2002, 10:24 PM
I just finished this hack, and I must say it looks pretty nice :D
It's integrated very well also, and I used your tip on the censortext() and that worked perfect (for language filter that is) :)
I just need to clear some bugs up and other things, and I'll be sure to release it sometime later tonight..
If anybody knows how to check certain HTML like Xenon suggested in post #12, let me know ;)
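Added example, not part of the thread and not vBulletin code: the question of how to check user HTML is usually answered with an allowlist of tags and attributes rather than a list of banned tags, because script can also run from event-handler attributes and `javascript:` URLs. The function names and the tag and attribute lists below are assumptions chosen for illustration.

```php
<?php
// Added example (not vBulletin code): allowlist filter for the "custompage" HTML.
// The tag/attribute lists and the function names are illustrative assumptions.
const ALLOWED_TAGS  = ['div', 'p', 'br', 'b', 'i', 'u', 'font', 'table', 'tr', 'td', 'a', 'img'];
const ALLOWED_ATTRS = ['color', 'size', 'align', 'bgcolor', 'href', 'src', 'alt', 'width', 'height'];
const URL_ATTRS     = ['href', 'src'];

function clean_node(DOMNode $node): void
{
    // Copy the child list first: removing nodes from a live list skips entries.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue;                        // text is re-escaped by saveHTML()
        }
        if (!($child instanceof DOMElement)
            || !in_array(strtolower($child->nodeName), ALLOWED_TAGS, true)) {
            $node->removeChild($child);      // script, iframe, style, comments, ...
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name   = strtolower($attr->nodeName);
            $badUrl = in_array($name, URL_ATTRS, true)
                && !preg_match('#^https?://#i', trim($attr->nodeValue));
            // Drops on* handlers, style, and any non-http(s) link or image source.
            if (!in_array($name, ALLOWED_ATTRS, true) || $badUrl) {
                $child->removeAttributeNode($attr);
            }
        }
        clean_node($child);
    }
}

function sanitize_custompage(string $html): string
{
    libxml_use_internal_errors(true);        // tolerate sloppy user markup quietly
    $doc = new DOMDocument();
    // The wrapper <div> is the first div in the document; only its children are kept.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);
    clean_node($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input: one harmless tag plus the three script-bearing forms.
$sample = '<font color="red">Hi</font><script>alert(1)</script>'
        . '<b onmouseover="alert(1)">bold</b><a href="javascript:alert(1)">x</a>';
echo sanitize_custompage($sample), "\n";
```

The filter would run when the field is saved, before the value is written to the "custompage" column, with the SQL escaping discussed earlier in the thread still applied to the query itself.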
Velocd
07-27-2002, 05:24 AM
I got a little busy tonight, didn't have time to completely finish it.
Attached are some screenies..if anybody is interested to what it looks like :p
I'm busy again tomorrow also, but hopefully I can get this thing out. ^^;
Dean C
07-27-2002, 11:37 AM
looks nice...
how about making it so that you can make your scrollbar colour.... and page background colour and text color, link color etc....
Velocd
07-27-2002, 04:52 PM
Since everything is in the body content, between <body></body> tags, you can't really change the overall background. But, you can just create a huge table, or frame, and change the background color within that. So it's basically close enough.
Changing text color is fairly simple..use the <font color=""> ?
Since there is no head include, you can't really add custom css stylesheet code, to change link color.
Maybe there is a way to do it using
<a href="http://www.mysite.com" style="">
?
I'm not sure, never tried.
DrkFusion
07-27-2002, 07:39 PM
Nice stuff man.
This is off topic, but in the screens I noticed the top was cut off..may I ask why?
Drk
Velocd
07-27-2002, 08:02 PM
It is the same reason I do not display my website publicly on these forums. There is nothing more I despise than when a member joins my forum solely to ask me for a hack, since they are not registered vB licensed. >.<
DrkFusion
07-27-2002, 08:03 PM
LOL, I see, I joined your forums, but I forgot the url, and don't know where to get it lol, I remember 4, and i tried many combinations of 4, like 4anime.com, 4deminish.com, 4 hyper.com still is not coming to me :-/
Drk
Dean C
07-28-2002, 09:33 AM
but how about allowing us just like in the style section in the admin cp to select certain aspects of the body tag :)...