Urgent Fix needed, [img] tag abuse
It appears that you can abuse the tags to load anything.
On a Habbo forum I visit (habboxforum.com), I was testing something, doing:
Code:
[img ]http://www.habboxforum.com/?style=1[/img ]
Code:
[img ]http://www.habbo.com/account/logout[/img ]
Now I am a bit worried for my own forum & everyone else that this can easily be exploited.
Thanks, Dominic Lipscombe. |
I don't see what the problem is... :confused:
Can you provide screenshots or a link or something? |
I would, but I'm banned for 24 hours from HxF :down:
|
See if you can recreate it on your own forum then and post the results if you are successful because I really don't understand what is supposed to be going on here. (BBCode is parsed within [code] tags).
|
Under bvoptions > Message Posting and Editing Options, make sure to set this to No:
Allow Dynamic URL for [IMG] Tags
With this option set to 'no', the [IMG] tag will not be displayed if the path to the image contains dynamic characters such as ? and &. This can prevent malicious use of the [IMG] tag. |
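Added example, not part of the thread and not vBulletin's code: the sketch below models the check as the post above describes it, using only the two characters it names, and runs it over the two URLs from the first post. `passes_strict_check`, the extension allowlist and the example.com URL are assumptions introduced here; the output shows that the `?style=1` URL is dropped while the logout URL, which has no `?` or `&`, still passes the described check.

```python
import re
from urllib.parse import urlsplit

# Matches [img]...[/img]; tolerates the "[img ]" spacing used in the thread.
IMG_TAG = re.compile(r"\[img\s*\](.*?)\[/img\s*\]", re.IGNORECASE | re.DOTALL)
IMAGE_EXTENSIONS = (".gif", ".jpg", ".jpeg", ".png")  # assumed allowlist


def passes_dynamic_url_check(url):
    """Model of the option as described in the post: reject URLs with ? or &."""
    return "?" not in url and "&" not in url


def passes_strict_check(url):
    """Hypothetical stricter rule: http(s) only, no ? or &, image extension."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if not passes_dynamic_url_check(url):
        return False
    return parts.path.lower().endswith(IMAGE_EXTENSIONS)


def audit_post(text):
    """Return (url, dynamic_ok, strict_ok) for every [img] tag in a post."""
    return [
        (url.strip(), passes_dynamic_url_check(url), passes_strict_check(url))
        for url in IMG_TAG.findall(text)
    ]


# Constructed sample post: the two URLs quoted in the thread plus a made-up
# static image URL (example.com) for contrast.
SAMPLE_POST = """
[img ]http://www.habboxforum.com/?style=1[/img ]
[img ]http://www.habbo.com/account/logout[/img ]
[img]http://example.com/avatars/cat.png[/img]
"""

if __name__ == "__main__":
    for url, dynamic_ok, strict_ok in audit_post(SAMPLE_POST):
        print(url)
        print("  dynamic-URL check:", "render" if dynamic_ok else "drop")
        print("  strict check:     ", "render" if strict_ok else "drop")
```

An extension allowlist only narrows what the forum will embed; a URL that changes state on a plain GET request remains the responsibility of the site that serves it.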
Yes, I can reproduce this.
Go to: http://forum.truecrimegaming.com/sho...hp?p=94#post94 and press F5 once it's loaded :) |
See Lynne's post.
(I searched all over vBulletin Options for that setting and couldn't find it! I knew it was there somewhere. :D) |
edit: Interesting... I found this on vb.com but nowhere do they say why it was removed - 3.7.0 deprecated "Allow Dynamic URL for [IMG] Tags" |
Did they enable it or disable it by default then?
The vB.com staff seemed awfully unhelpful on that occasion :( |