A client side question about vbulletin


Gren
01-26-2003, 10:59 PM
At a VB-Board that I frequent there is a user that is somehow able to use vb-code to destroy the table structure of a thread. I was wondering how he was able to do this, since VBulletin is currently a viable option for a company I'm doing some work for, but I'd like to know about this potential security hole before recommending purchase of it.

Steve Machol
01-26-2003, 11:05 PM
What code was this? This really can't happen with the default vB Codes. It's possible that Admin added a code that had this capability.

NTLDR
01-26-2003, 11:35 PM
Was it definitely vB code and not HTML enabled in the forum? As Steve said, with the default layouts and codes I see no way of this happening, however if you enable HTML (not recommended) it's very easy.

Gren
01-27-2003, 12:00 AM
Actually checking some settings... yes, html was enabled.

Erwin
01-27-2003, 12:39 AM
If HTML is enabled, a user can do a whole lot more than just destroy the table structure. :) He can get passwords, run malevolent scripts, steal cookies etc. - in general, if HTML is disabled, vB is very secure.

Chris Gwynne
01-27-2003, 02:07 AM
Originally posted by Erwin
If HTML is enabled, a user can do a whole lot more than just destroy the table structure. :) He can get passwords, run malevolent scripts, steal cookies etc. - in general, if HTML is disabled, vB is very secure.

I had a very enjoyable time doing this with a friend once :p
We had a contest to see who could f*ck up a showthread page the most. :)

* a-drive remembers the good old days :bandit:

Xenon
01-27-2003, 01:32 PM
you're sounding old :p

when html is disabled the normal vb-code cannot destroy the site structure (just very long posts can destroy it a bit ;))
but the admin can always create new vb-code, and if a code has table tags, then it can be harmful ;)
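
An added example, not part of the original thread and not vBulletin's own code: a minimal Python sketch of the behaviour discussed above, where a post body is HTML-escaped unless HTML is allowed and then a fixed set of bracket codes is expanded. The code names, the `cell` custom code and the sample post are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Default-style codes only: each maps a matched pair to inline markup.
DEFAULT_CODES = {"b": "<b>{0}</b>", "i": "<i>{0}</i>"}
# Hypothetical admin-added code whose replacement contains a table tag.
CUSTOM_CODES = {"cell": "<td>{0}</td>"}

LAYOUT_TAGS = {"table", "tbody", "tr", "td", "th"}


def render_post(text, allow_html=False, codes=DEFAULT_CODES):
    """Escape raw HTML unless it is allowed, then expand bracket codes."""
    body = text if allow_html else html.escape(text)
    for name, template in codes.items():
        pattern = re.compile(r"\[%s\](.*?)\[/%s\]" % (name, name), re.S | re.I)
        body = pattern.sub(lambda m: template.format(m.group(1)), body)
    return body


class _LayoutTagFinder(HTMLParser):
    """Collects table-structure tags that survive as live markup."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in LAYOUT_TAGS:
            self.found.append("<%s>" % tag)

    def handle_endtag(self, tag):
        if tag in LAYOUT_TAGS:
            self.found.append("</%s>" % tag)


def layout_tags(rendered):
    """Return the table tags a rendered post would inject into the page."""
    finder = _LayoutTagFinder()
    finder.feed(rendered)
    finder.close()
    return finder.found


# Constructed sample post: stray closing tags followed by a normal code.
SAMPLE = "hi</td></tr></table>[b]loose[/b]"

if __name__ == "__main__":
    print(layout_tags(render_post(SAMPLE)))                   # HTML disabled
    print(layout_tags(render_post(SAMPLE, allow_html=True)))  # HTML enabled
    both = {**DEFAULT_CODES, **CUSTOM_CODES}
    print(layout_tags(render_post("[cell]x[/cell]", codes=both)))
```

Running `layout_tags` over rendered posts is a quick audit: an empty list means the post cannot touch the surrounding thread table, while any entry points at HTML being enabled or at a custom code that emits table markup.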

Gren
01-27-2003, 10:17 PM
On a board I used to post at (something awful's forums) there was an HTML enabled board for people to play around with, but it was abused really bad. Someone made some sort of script that intercepted cookies (I think that's how it worked, anyway) whenever someone went to a thread, and stole passwords.

I didn't even bother to check for HTML before I posted, but that does appear to be the answer to my problem. Thanks.

Xenon
01-28-2003, 04:19 PM
you're welcome :)

i hope we could convince you at least a bit of the advantages of vb ;)

SUPER
01-28-2003, 04:44 PM
god

Xenon
01-28-2003, 04:54 PM
wow, what a senseless comment....

SUPER, to download hacks and get support you will need to go to this (http://www.vbulletin.com/members/forums.php) page and enter your email address, to show you are licensed. (you will need to use your customer number and password to access that page)
Thank you.

Also you need to restore the copyright notice....