vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   what is XSS and how can they affect a board with HTML turned on? (https://vborg.vbsupport.ru/showthread.php?t=51632)

Gutspiller 04-15-2003 03:01 AM

what is XSS and how can they affect a board with HTML turned on?
 
Are they certain HTML commands?

filburt1 04-15-2003 10:10 AM

XSS is cross-site scripting. In a nutshell it allows people to inject malicious Javascript that captures the user's cookies (which, remember, one of them is the user's hashed password) and redirect them to their own site so they can be brute-force attacked and eventually reverted back to the original password.

okrogius 04-15-2003 04:50 PM

Additionally to that, with some javascript you can have arbitrary commands executed when an admin views a page with the malicious code.

i.e. iframe with src pointing to /admin/....?....&username="+getCookie('bbusername')+"

filburt1 04-15-2003 05:06 PM

I'm not sure if iframes inherit the cookies.

Erwin 04-15-2003 06:02 PM

There is no way of enabling HTML and keeping your site secure. :)

In any case, there is a thread on vB.com about turning on HTML and keeping it as safe as possible.

Gutspiller 04-15-2003 10:50 PM

Is there a way to block XSS scripts without upgrading? Is the only other way to turn off HTML? If there is a certain command to run XSS scripts, can't you just add that command to your censor list?

I have "<iframe" added to my censor list and nobody can run an iframe, yet they can still run html. Something like this possible?

filburt1 04-15-2003 10:51 PM

Never, ever enable HTML anywhere on your board. There is no 100% secure way of enabling it and still letting users post in it.

Gutspiller 04-15-2003 10:53 PM

Quote:

Today at 05:51 PM filburt1 said this in Post #6
Never, ever disable HTML anywhere on your board. There is no 100% secure way of enabling it and still letting users post in it.

You mean never ever enable it.

Maybe I could get some help on creating a secure way to run it.

Logician 04-16-2003 12:13 PM

Quote:

Today at 01:53 AM Gutspiller said this in Post #8
You mean never ever enable it.

Maybe I could get some help on creating a secure way to run it.

Why do you need HTML? What feature does it add to your board that you can not have with bbcode?

You can really create a new bbcode for many HTML commands you need in your site and then disable the HTML altogether.

Or another alternative may be enabling it for certain (trusted) usergroups only and disabling for the rest (Check Hack releases forum for this hack).

As filburt1 stated, do not enable it for all if you don't want a site that has serious security gaps.

okrogius 04-16-2003 05:35 PM

Quote:

Yesterday at 06:53 PM Gutspiller said this in Post #8
You mean never ever enable it.

Maybe I could get some help on creating a secure way to run it.

bbcode is your secure way of running it.
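The advice from Logician and okrogius above (build a bbcode for the few HTML constructs you actually need, and switch raw HTML off) amounts to an allowlist: every character of the post is escaped first, and the only markup that reaches the browser is markup the board itself generates. The Python below is an added example of that approach; it is not vBulletin's code and not from anyone in this thread. The tag set, the `example.invalid` addresses and the sample posts are constructed for illustration.

```python
import html
import re

# Constructed allowlist: the only markup a post may produce. Anything
# else the user types is escaped and rendered as literal text.
SIMPLE_TAGS = {
    "b": "strong",
    "i": "em",
    "u": "u",
}

# [url=...]...[/url]; the address may not contain ']' or whitespace.
URL_RE = re.compile(r"\[url=([^\]\s]+)\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)
SAFE_SCHEME_RE = re.compile(r"^https?://", re.IGNORECASE)


def _url_replacement(match):
    """Emit an <a> only for http/https targets; any other scheme is left
    in the output as the (already escaped) bbcode text it was typed as."""
    href, label = match.group(1), match.group(2)
    if not SAFE_SCHEME_RE.match(href):
        return match.group(0)
    # href went through html.escape(quote=True), so it cannot contain a
    # raw quote and cannot break out of the attribute.
    return f'<a href="{href}" rel="nofollow">{label}</a>'


def render_bbcode(post):
    """Render a user post to HTML using an allowlist.

    Step 1 escapes every HTML-significant character, so raw tags typed by
    the user (an <iframe>, a <script>, an <a>) become inert text no matter
    how they are capitalised or spaced.  Step 2 then translates only the
    bbcode we explicitly allow into markup produced by this function.
    """
    out = html.escape(post, quote=True)
    for tag, element in SIMPLE_TAGS.items():
        out = re.sub(
            rf"\[{tag}\](.*?)\[/{tag}\]",
            rf"<{element}>\1</{element}>",
            out,
            flags=re.IGNORECASE | re.DOTALL,
        )
    return URL_RE.sub(_url_replacement, out)


if __name__ == "__main__":
    # Constructed sample posts: allowed bbcode, raw HTML, a good and a bad URL.
    for sample in (
        "[b]bold[/b] and [i]italic[/i]",
        '<iframe src="http://example.invalid/"></iframe>',
        "[url=http://example.invalid/?a=1&b=2]link[/url]",
        "[url=javascript:void(0)]click[/url]",
    ):
        print(repr(sample), "->", render_bbcode(sample))
```

Compare this with the censor-list idea earlier in the thread: a censor entry is a blocklist that removes one known string and has to be extended for every new one. Escaping first means nothing the user types is ever interpreted as markup, so the `<iframe` case needs no special rule, and there is no injected script to read a cookie such as bbusername.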


All times are GMT.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
