vb.org Archive - Allow Usergroups to Post HTML

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)

- - Allow Usergroups to Post HTML (https://vborg.vbsupport.ru/showthread.php?t=216112)

natecoupons

06-14-2009 03:08 AM

Allow Usergroups to Post HTML

I was reading this hack....and was wondering....why is this risky?

https://vborg.vbsupport.ru/showthread.php?p=1658551

RS_Jelle

06-14-2009 01:18 PM

When HTML is allowed, you can post malicious code. Like iframes (which can contain virusses) and JavaScript (which can be used to obtain admin passwords).

So you create a huge XSS security leak. Only allow it if you really trust all people in that usergroup.

All times are GMT. The time now is 09:12 PM.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.00968 seconds Memory Usage 1,705KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (2)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: