Thread: BB Code Enhancements - BB Code (flash animations .swf)
04-18-2011, 01:12 PM
syrus.xl
Join Date: Jun 2005
Location: In a cyber world...
Posts: 999
Has thanked: 0 times
Thanked: 0 times in 0 posts

Quote:
Originally Posted by SEW810
Yeah, especially if you execute it / open it manually.
NEVER will a SWF animation executed on a web page interact with your hard disk files; Macromedia has implemented policies to avoid this kind of action.
Obviously, you are not a Flash author, or you would know that statement is completely incorrect. Flash SWF files on any web page are executed automatically upon page load. Anyone who knows ActionScript could easily upload one and cause serious damage to any forum that has this modification enabled.

Quote:
Interesting, it says something about interacting with a program INSTALLED on your hard disk, oh, and downloading that file... oh yeah, I got it: "virus attack if I DOWNLOAD an SWF file, save it in My Documents or something and then I open it"... Jesus, what's that for? Did you forget that you were surfing the internet and visiting a forum? Don't do experiments if you don't know what you are doing.
Any forum carrying this sort of modification is leaving itself open to security issues. By the way, SWF files are cached directly to your system, so in effect they are downloaded. Here's just one example... Open up Flash and, in the first frame, add this code:

Code:
import flash.net.URLRequest;
import flash.net.navigateToURL;

// Redirect the browser window that loaded this SWF to another site.
var url:String = "http://www.google.com";
var request:URLRequest = new URLRequest(url);
try {
        // "_self" replaces the current page, so the forum post itself is navigated away from
        navigateToURL(request, "_self");
} catch (e:Error) {
        trace("Error occurred!");
}
This is AS 3.0 code.

Now you have a redirect if anyone hits the post containing the uploaded SWF file. Even more dangerous is if the code is far more malicious. The above code could easily redirect a person to another site containing a trojan which would infect their system, or even be coded as an XSS exploit.

Quote:
That code is totally inoffensive; I repeat, it is the same code used on http://www.msn.com/ for advertisements, or at http://www.nfl.com/, or any site with Flash animations.
These advertisements are added by web development teams and would undergo strict QA before being allowed on a page. The only part of this code that is safe is the embed code, but even this breaks Strict XHTML W3C policies. Check your coding regarding embedding Flash correctly on a web page, and consider that vB4 uses Strict XHTML, so by using this coding you are straight away breaking the Strict XHTML of vB4.

Quote:
Please people, don't worry... be happy.

If you don't want to take "the risk", please just don't install it.
Sharing this BB code won't help me to hack your site or get your bank account PIN or something.
Nobody would be happy with a hacked database, or a forum that is infecting people's systems. Eventually, Google would place a red alert page for malicious code if the problem was not dealt with. This is a very serious security hole to add to vBulletin and, in my opinion, like many others on here, it should be removed, at least for people's safety.
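As an added, defender-side illustration that is not part of this thread and not vBulletin's or the modification's own code: the following Python models what a hardened [swf] BB code handler would do before emitting any markup. It assumes a hypothetical allowlist of hosts the forum operator controls (the `media.example.com` entry is constructed for the example) and renders the tag back as inert, escaped text for anything else. For an allowed file it emits an XHTML `<object>` whose Flash Player params set `allowScriptAccess` to `never` (no ExternalInterface or javascript: URLs from inside the movie) and `allowNetworking` to `none` (no browser navigation calls such as the `navigateToURL` redirect shown in the post, and no network loads), which is the embed-side control a site operator has when it cannot inspect the ActionScript it is serving.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical allowlist (constructed for this example): only hosts the
# forum operator controls may serve SWF files that get embedded.
ALLOWED_SWF_HOSTS = {"media.example.com"}

# The path must be a plain file path ending in .swf: no quotes, angle
# brackets, spaces or other characters that could break out of an attribute.
SAFE_PATH = re.compile(r"/[A-Za-z0-9_./-]+\.swf")


def validate_swf_url(url):
    """Return the URL unchanged if it is an allowlisted, plain .swf URL, else None."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None                      # rejects javascript:, data:, file: and friends
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_SWF_HOSTS:
        return None                      # a user-chosen host is never embedded
    if parts.username or parts.password or parts.port:
        return None                      # no credentials or odd ports in the URL
    if parts.query or parts.fragment:
        return None                      # no parameters smuggled via the query string
    if not SAFE_PATH.fullmatch(parts.path):
        return None
    return url


def clamp_dimension(value, default, maximum=800):
    """Coerce a user-supplied width/height to a sane integer, falling back to default."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return default
    return n if 1 <= n <= maximum else default


def render_swf_bbcode(url, width=400, height=300):
    """Render one [swf]...[/swf] tag.

    Disallowed URLs are echoed back as escaped text, never as markup.
    Allowed URLs get an XHTML <object> whose Flash Player params deny
    scripting and networking from inside the movie.
    """
    safe = validate_swf_url(url)
    if safe is None:
        return html.escape("[swf]{}[/swf]".format(url))
    w = clamp_dimension(width, 400)
    h = clamp_dimension(height, 300)
    src = html.escape(safe, quote=True)
    return (
        '<object type="application/x-shockwave-flash" data="{src}" '
        'width="{w}" height="{h}">'
        '<param name="movie" value="{src}" />'
        # never: the movie cannot call ExternalInterface or navigate to javascript: URLs
        '<param name="allowScriptAccess" value="never" />'
        # none: no browser navigation (navigateToURL) and no network loads from the movie
        '<param name="allowNetworking" value="none" />'
        '<param name="allowFullScreen" value="false" />'
        '</object>'
    ).format(src=src, w=w, h=h)


if __name__ == "__main__":
    # Constructed sample inputs: one allowed file, one attacker-hosted redirect movie.
    print(render_swf_bbcode("http://media.example.com/anim.swf", "320", "240"))
    print(render_swf_bbcode("http://attacker.example.net/redirect.swf"))
```

The allowlist is the part that actually closes the hole the post describes: a tag that accepts any URL (or any uploaded attachment) hands the poster a script host, and the `never`/`none` params only limit what that script can reach. Both layers are worth keeping, because a movie served from an allowed host can still be replaced later.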