
silvermerc 02-23-2009 09:45 PM

vBulletin Session stealing works
 
Apparently using things such as this;
**edit: html removed by Lynne**
Will work if the HTML is enabled, surely there's a way to present session stealing?
Btw I got this code from a user attempting to use this
Ross

Lynne 02-23-2009 09:55 PM

You should not be allowing users to use html on your forums because of things like this (removed by me, btw). There are many malicious things a user may do when html is enabled.

nexialys 02-23-2009 09:56 PM

yeap... but 99.99% of all the vBulletin sites are deactivating HTML for that exact reason, for once, and also, there is no session details in the cookie, just sessionID, the password is hashed... the system is more secure than you think. this basic html code is known for ages though...

silvermerc 02-23-2009 09:58 PM

Quote:

Originally Posted by nexialys (Post 1752719)
yeap... but 99.99% of all the vBulletin sites are deactivating HTML for that exact reason, for once, and also, there is no session details in the cookie, just sessionID, the password is hashed... the system is more secure than you think. this basic html code is known for ages though...

What so with the cookies they couldn't log into your user?
Yeh but I can't see why vb wouldn't block it :S

Dismounted 02-25-2009 08:16 AM

How do you propose vBulletin block cookies which are used to authenticate users?

