#1
01-26-2003, 10:59 PM
Gren
Join Date: Jan 2003
Posts: 3

A client side question about vbulletin

At a vB board that I frequent there is a user who is somehow able to use vB code to destroy the table structure of a thread. I was wondering how he was able to do this, since vBulletin is currently a viable option for a company I'm doing some work for, but I'd like to know about this potential security hole before recommending purchase of it.
#2
01-26-2003, 11:05 PM
Steve Machol
Join Date: Nov 2001
Posts: 1,896

What code was this? This really can't happen with the default vB codes. It's possible that the admin added a code that had this capability.
#3
01-26-2003, 11:35 PM
NTLDR
Coder
Join Date: Apr 2002
Location: Bristol, UK
Posts: 3,644

Was it definitely vB code and not HTML enabled in the forum? As Steve said, with the default layouts and codes I see no way of this happening; however, if you enable HTML (not recommended) it's very easy.
#4
01-27-2003, 12:00 AM
Gren
Join Date: Jan 2003
Posts: 3

Actually, checking some settings... yes, HTML was enabled.
#5
01-27-2003, 12:39 AM
Erwin
Join Date: Jan 2002
Posts: 7,604

If HTML is enabled, a user can do a whole lot more than just destroy the table structure. He can get passwords, run malevolent scripts, steal cookies etc. - in general, if HTML is disabled, vB is very secure.
#6
01-27-2003, 02:07 AM
Chris Gwynne
Join Date: Jan 2003
Posts: 316

Quote:
Originally posted by Erwin
If HTML is enabled, a user can do a whole lot more than just destroy the table structure. He can get passwords, run malevolent scripts, steal cookies etc. - in general, if HTML is disabled, vB is very secure.
I had a very enjoyable time doing this with a friend once.
We had a contest to see who could f*ck up a showthread page the most.

[high]* a-drive remembers the good old days :bandit:[/high]
#7
01-27-2003, 01:32 PM
Xenon
Join Date: Oct 2001
Location: Bavaria
Posts: 12,878

You're sounding old.

When HTML is disabled, the normal vB code cannot destroy the site structure (just very long posts can destroy it a bit).
But the admin can always create new vB code, and if a code has table tags, then it can be harmful.
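A defender-side illustration of the two points made in this thread (Erwin's: raw HTML in posts is the problem; Xenon's: an admin-defined BB code whose replacement emits table tags is just as dangerous). This is an added example, not vBulletin's code: the function names, the tag tables, the `{param}` placeholder convention and all inputs are constructed for it.

```python
import html
import re

# Allowlisted BB codes and their HTML replacements. Constructed for this
# example; on a real forum the tag table is an admin setting, not this dict.
BBCODE_RULES = {
    "b": "<strong>{param}</strong>",
    "i": "<em>{param}</em>",
    "u": "<u>{param}</u>",
}

# Inline tags an admin-defined custom BB code may emit. Structural and active
# tags (table, tr, td, div, script, iframe, ...) are deliberately absent:
# emitting them lets a post break out of, or script, the thread layout.
CUSTOM_CODE_ALLOWED_TAGS = {"strong", "em", "u", "span", "sup", "sub", "small"}

TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")
ACTIVE_ATTR_RE = re.compile(r"\bon[a-z]+\s*=|javascript\s*:|\bstyle\s*=", re.I)


def render_post(text: str, html_enabled: bool = False) -> str:
    """Render a post body the way a BB-code-only forum does.

    html_enabled=False (the safe setting): every raw '<', '>', '&' and quote
    in the post is escaped first, so a typed <table> or <script> is shown as
    text, and only the allowlisted BB codes are converted to markup.
    html_enabled=True: the body is emitted as-is. That is the setting the
    thread warns about; it is here only to contrast the two outputs.
    """
    out = text if html_enabled else html.escape(text, quote=True)
    for tag, template in BBCODE_RULES.items():
        pattern = re.compile(rf"\[{tag}\](.*?)\[/{tag}\]", re.I | re.S)
        out = pattern.sub(lambda m, t=template: t.replace("{param}", m.group(1)), out)
    return out


def custom_code_is_safe(replacement: str) -> bool:
    """Vet an admin-supplied custom BB code replacement template.

    Returns False if the template emits a tag outside the inline allowlist
    (the "code with table tags" case) or carries an event-handler, style or
    javascript: attribute, since those reintroduce what disabling HTML
    took away.
    """
    if ACTIVE_ATTR_RE.search(replacement):
        return False
    return all(m.group(1).lower() in CUSTOM_CODE_ALLOWED_TAGS
               for m in TAG_RE.finditer(replacement))
```

With HTML off, a post containing `<table><tr><td>` renders as literal text while `[b]...[/b]` still becomes bold; the second function is the check an admin panel should run before accepting a new custom code.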
#8
01-27-2003, 10:17 PM
Gren
Join Date: Jan 2003
Posts: 3

On a board I used to post at (Something Awful's forums) there was an HTML-enabled board for people to play around with, but it was abused really badly. Someone made some sort of script that intercepted cookies (I think that's how it worked, anyway) whenever someone went to a thread, and stole passwords.

I didn't even bother to check for HTML before I posted, but that does appear to be the answer to my problem. Thanks.
#9
01-28-2003, 04:19 PM
Xenon
Join Date: Oct 2001
Location: Bavaria
Posts: 12,878

You're welcome.

I hope we could convince you at least a bit of the advantages of vB.
#10
01-28-2003, 04:44 PM
SUPER
Join Date: Nov 2002
Posts: 4

god