vb.org Archive - Urgent Fix needed, [img] tag abuse

Page 1 of 2

Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)

- - Urgent Fix needed, [img] tag abuse (https://vborg.vbsupport.ru/showthread.php?t=188252)

PaintBallFM

08-15-2008 08:42 PM

Urgent Fix needed, [img] tag abuse

It appears that you can abuse the tags to load anything.

On a habbo forum i visit (habboxforum.com), i was testing somthing doing

Code:

[img ]http://www.habboxforum.com/?style=1[/img ]

Code:

[img ]http://www.habbo.com/account/logout[/img ]

and they both worked.
Now i am a bit worried for my own forum & everyone else that this can easily be exploited.
Thanks, Dominic Lipscombe.

Opserty

08-15-2008 08:45 PM

I don't see what the problem is... :confused:

Can you provide screenshots or a link or something?

PaintBallFM

08-15-2008 08:47 PM

I would, but im banned for 24 hours from HxF :down:

Opserty

08-15-2008 08:51 PM

See if you can recreate it on your own forum then and post the results if you are successful because I really don't understand what is supposed to be going on here. (BBCode is parsed within [code] tags).

Lynne

08-15-2008 09:03 PM

Under bvoptions > Message Posting and Editing Options, make sure to set this to No:
Allow Dynamic URL for [IMG] Tags
With this option set to 'no', the [IMG] tag will not be displayed if the path to the image contains dynamic characters such as ? and &. This can prevent malicious use of the [IMG] tag.

PaintBallFM

08-15-2008 09:05 PM

Yes i can reproduce this

goto: http://forum.truecrimegaming.com/sho...hp?p=94#post94

and press f5 once its loaded :)

Opserty

08-15-2008 09:17 PM

See Lynne's post.

(I search all over vBulletin Options for that setting and couldn't find it! I knew it was there somewhere. :D)

Videx

08-18-2008 03:23 AM

Quote:

Originally Posted by Lynne (Post 1599564)

Under bvoptions > Message Posting and Editing Options, make sure to set this to No:
Allow Dynamic URL for [IMG] Tags

I don't have that option there (in 3.7.2).

Lynne

08-18-2008 03:36 AM

Quote:

Originally Posted by Videx (Post 1601158)

I don't have that option there (in 3.7.2).

Hmmm, I wonder what they did with it for 3.7.x?

edit: Interesting... I found this on vb.com but nowhere do they say why it was removed - 3.7.0 deprecated "Allow Dynamic URL for [IMG] Tags"

Opserty

08-18-2008 08:08 AM

Did they enable it or disable it by default then?

The vB.com staff seemed awfully unhelpful on that occasion :(

All times are GMT. The time now is 05:02 AM.

Page 1 of 2

Show 40 post(s) from this thread on one page

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01317 seconds Memory Usage 1,729KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (2)bbcode_code_printable (2)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (1)post_thanks_navbar_search (1)printthread (10)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start pagenav_page pagenav_complete bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: