HTML exploits on Vb 2.2.8
Xride
10-16-2003, 11:27 PM
Before I upgraded my forum, I was running 2.2.8 and someone said that because I had the HTML ON they could somehow grab my cookies that store passwords, and then use that to access any account that has logged on since this HTML was "running".
First, is this true?
Second, I know this is unlikely, but for my own amusement I am dying of curiosity about how this works; I would like to try this out while the old forum still has a place to sit.
So can someone tell me how? Or a link even?
Thanks
NTLDR
10-16-2003, 11:41 PM
Any version of vB that has HTML for posts/signatures/PMs etc. enabled is open to being exploited.
Erwin
10-17-2003, 12:46 AM
2.2.8 or any version before 2.2.9 has security holes besides HTML vulnerabilities.
If HTML is enabled, vB in ANY version is vulnerable.
Xride
10-17-2003, 01:34 AM
How is it vulnerable though? I don't see how HTML would do anything? It's not like you can install scripts or anything???
But you can get HTML coding to run scripts from different sites, and to do a bunch of stuff. All sites need HTML to run anything, so just keep that in mind.
EvilLS1
10-17-2003, 02:51 AM
How is it vulnerable though? I don't see how HTML would do anything? It's not like you can install scripts or anything???
It's possible to steal someone's cookie info by executing a simple JavaScript in the victim's browser.
Steve Machol
10-17-2003, 04:18 AM
We are not stupid enough to publish exactly how these exploits can be used. That would be foolish and irresponsible.
Logician
10-17-2003, 09:31 AM
We are not stupid enough to publish exactly how these exploits can be used. That would be foolish and irresponsible.
Agreed 100% :)
On the other hand, it would be as wise if you restricted the vB bugs forum to customers only, but unfortunately I can't seem to convince vb.com on this; as it is, it is already just as dangerous. ;)
I'm pretty sensitive on this subject, so I couldn't help myself, sorry! lol..
Erwin
10-17-2003, 01:16 PM
Please don't post ways to steal cookie information here. :) Even if you know how to. Let's not teach script kiddies ways to hack vB.
Xride
10-18-2003, 06:03 AM
Fair enough, didn't think anyone would show how it's done.
But knowing that all versions are vulnerable as long as HTML is enabled is good to know, as now I will ALWAYS turn off HTML.
Still don't really understand how you can steal the cookies from a remote script running local to the forum :ermm: Ah well, I'll learn more soon, and maybe understand why it works?...