vb.org Archive


Gren 01-26-2003 10:59 PM

A client side question about vbulletin
 
At a VB-Board that I frequent there is a user that is somehow able to use vb-code to destroy the table structure of a thread. I was wondering how he was able to do this, since VBulletin is currently a viable option for a company I'm doing some work for, but I'd like to know about this potential security hole before recommending purchase of it.

Steve Machol 01-26-2003 11:05 PM

What code was this? This really can't happen with the default vB Codes. It's possible that Admin added a code that had this capability.

NTLDR 01-26-2003 11:35 PM

Was it definitely vB code and not HTML enabled in the forum? As Steve said, with the default layouts and codes I see no way of this happening; however, if you enable HTML (not recommended) it's very easy.

Gren 01-27-2003 12:00 AM

Actually checking some settings... yes, html was enabled.

Erwin 01-27-2003 12:39 AM

If HTML is enabled, a user can do a whole lot more than just destroy the table structure. :) He can get passwords, run malevolent scripts, steal cookies etc. - in general, if HTML is disabled, vB is very secure.

Chris Gwynne 01-27-2003 02:07 AM

Quote:

Originally posted by Erwin
If HTML is enabled, a user can do a whole lot more than just destroy the table structure. :) He can get passwords, run malevolent scripts, steal cookies etc. - in general, if HTML is disabled, vB is very secure.

I had a very enjoyable time doing this with a friend once :p
We had a contest to see who could f*ck up a showthread page the most. :)

* a-drive remembers the good old days :bandit:

Xenon 01-27-2003 01:32 PM

you're sounding old :p

when html is disabled the normal vb-code cannot destroy the site structure (just very long posts can destroy it a bit ;))
but the admin can always create new vb-code, and if a code has table tags, then it can be harmful ;)
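
The behaviour discussed in the posts above, as an added example that is not part of any post and is not vBulletin's code: a minimal Python post renderer showing that escaped HTML leaves the page's table structure intact, while enabled HTML or an admin-added code that emits table tags lets a post unbalance it. The tag tables, `render_post` and `layout_intact` are hypothetical names, and the sample posts are constructed.

```python
import html
import re
from html.parser import HTMLParser

# Constructed stand-ins for a board's tag set; not vBulletin's actual parser.
DEFAULT_CODES = {"b": ("<b>", "</b>"), "i": ("<i>", "</i>")}
# Hypothetical admin-added code whose replacement contains table tags.
CUSTOM_CODES = {"cell": ("<td>", "</td>")}
ALL_CODES = {**DEFAULT_CODES, **CUSTOM_CODES}

def render_post(text, allow_html=False, codes=DEFAULT_CODES):
    """Escape raw HTML unless the forum allows it, then expand [tag] codes."""
    body = text if allow_html else html.escape(text)
    for tag, (open_html, close_html) in codes.items():
        body = re.sub(r"\[%s\]" % tag, open_html, body, flags=re.I)
        body = re.sub(r"\[/%s\]" % tag, close_html, body, flags=re.I)
    return body

class TableBalance(HTMLParser):
    """Tracks whether table tags in a page open and close in order."""
    TABLE_TAGS = {"table", "tr", "td"}

    def __init__(self):
        super().__init__()
        self.stack = []
        self.broken = False

    def handle_starttag(self, tag, attrs):
        if tag in self.TABLE_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.TABLE_TAGS:
            if not self.stack or self.stack.pop() != tag:
                self.broken = True

def layout_intact(post_html):
    """Place the post inside a thread-page table cell and check the nesting."""
    checker = TableBalance()
    checker.feed("<table><tr><td>" + post_html + "</td></tr></table>")
    checker.close()
    return not checker.broken and not checker.stack

# Constructed sample posts.
STRAY_HTML = "hello </td></tr></table> world"
CUSTOM_ABUSE = "hello [/cell][/cell] world"
```

With HTML disabled the stray closing tags are rendered as visible text; the same check can be run over the replacement HTML of any custom code before an admin enables it.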

Gren 01-27-2003 10:17 PM

On a board I used to post at (something awful's forums) there was an HTML enabled board for people to play around with, but it was abused really bad. Someone made some sort of script that intercepted cookies (I think that's how it worked, anyway) whenever someone went to a thread, and stole passwords.

I didn't even bother to check for HTML before I posted, but that does appear to be the answer to my problem. Thanks.

Xenon 01-28-2003 04:19 PM

you're welcome :)

I hope we could convince you at least a bit of the advantages of vb ;)

SUPER 01-28-2003 04:44 PM

god


All times are GMT.