vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
#31
04-21-2005, 01:20 PM
cinq
Join Date: Oct 2002
Posts: 1,398

Quote:
Originally Posted by tmhall
If you want me to believe that enabling HTML is an insanely high security risk, you're going to have to prove it.
Why not enable HTML in your forums and tell us your forum's URL and maybe some will give it a go, just for sh1ts and giggles, to prove it
#32
04-21-2005, 03:49 PM
zetetic
Join Date: Apr 2004
Posts: 338

Quote:
Originally Posted by cinq
Why not enable HTML in your forums and tell us your forum's URL and maybe some will give it a go, just for sh1ts and giggles, to prove it
I don't need proof that people can put malicious code into sigs and posts, I already know that. The question is whether the risks are so high that I need to completely disable HTML for all my forum members no matter what, and I don't believe they are. Unless you only visit completely secure, password protected websites anytime you go anywhere on the Internet you open yourself up to the possibility of malicious code. The only way to be 100% safe is to unplug your Internet connection now. Are you gonna do that?
#33
04-21-2005, 05:38 PM
filburt1
Join Date: Feb 2002
Location: Maryland, US
Posts: 6,144

I think you're missing the point. HTML is a known security vulnerability. No other part of vB is. By your logic, you're 50% secure by disabling HTML and 100% with no connection, when in fact it is more like 99.9% secure without HTML and 100% with no connection.
#34
04-21-2005, 06:23 PM
Brad
Join Date: Nov 2001
Posts: 4,765

Allowing HTML leads to JavaScript or embedded Flash. Such things can be powerful scripting tools and can take advantage of your users. With bbcode your server is in control of the code; with HTML on, you depend on the end user's machine, which is always a bad thing when you are allowing users to pass said code to everyone!

I wish you luck if you have enabled it, cause it won't be long..
#35
04-21-2005, 06:30 PM
zetetic
Join Date: Apr 2004
Posts: 338

Have you ever seen The Godfather?

"I keep tryin' to get out, but they keep pullin' me back in!"

Quote:
Originally Posted by filburt1
I think you're missing the point. HTML is a known security vulnerability. No other part of vB is. By your logic, you're 50% secure by disabling HTML and 100% with no connection, when in fact it is more like 99.9% secure without HTML and 100% with no connection.
Actually, no. That's not my logic at all. I have never once said anything about disabling HTML providing only 50% security, I've only said that the only way to protect yourself 100% from encountering malicious code on the Internet is to disconnect your computer from the Internet. That's just a truism.

Here's a question for you: Is it or is it not true that a malicious person could use the IMG and/or URL vBcodes to trick you into going to a porn or warez site, or any other site where you may encounter malicious code?

If yes, then do you believe that allowing the use of the IMG and URL vBcodes is a security risk and that they should never be enabled for any reason? Why or why not?
#36
04-21-2005, 06:33 PM
filburt1
Join Date: Feb 2002
Location: Maryland, US
Posts: 6,144

Using the built-in tags can only deceive the user at worst. HTML can take over your forums.

Although I did disable the [img] tag at my site for security reasons, mainly for retarded bugs in IE that could attach VBScript to images.
#37
04-21-2005, 06:39 PM
zetetic
Join Date: Apr 2004
Posts: 338

Quote:
Originally Posted by Brad.loo
Allowing HTML leads to JavaScript or embedded Flash.
I know. Some of my forum users have already posted some really cool stuff using javascript, embedded Flash, and other various applets. Some things that simply wouldn't be possible without HTML. I'm really looking forward to seeing what else they come up with.

Quote:
Such things can be powerful scripting tools and can take advantage of your users. With bbcode your server is in control of the code; with HTML on, you depend on the end user's machine, which is always a bad thing when you are allowing users to pass said code to everyone!
Indeed. Hopefully our decision to limit HTML use to a select group of users and a continued policy of careful monitoring of the forum will prevent any possibly malicious users from causing any trouble.

Quote:
I wish you luck if you have enabled it, cause it won't be long..
A lot of people said exactly the same thing when I told them we didn't plan to moderate for content. For some crazy reason a lot of people seem to think the only possible way to run an Internet forum is like a fascist dictatorship. As I said earlier, though, we've been live a year and have a couple hundred regular, seemingly happy forum users. We're far from a huge forum, but we're not exactly struggling for visitors either.

The time may very well come that I have to disable HTML, make a bunch of strict rules and/or shut the forum down. But until then, I'm going to just keep doing what I think is best for the forum and my users. And at this time that means giving them features and not telling them what they can and cannot talk about.

Quote:
Originally Posted by filburt1
Using the built-in tags can only deceive the user at worst. HTML can take over your forums.
Hmm.. last time you said this I asked you exactly how someone could take over my forum using HTML, and you said they could steal my cookie and use it to login as me. But when I asked you to explain exactly how that's possible you said you don't like it when people argue with you. So are you going to tell me now exactly how someone can steal and use my cookies to take over my forum with HTML, or are you gonna get mad at me for asking again?

Quote:
Although I did disable the [img] tag at my site for security reasons, mainly for retarded bugs in IE that could attach VBScript to images.
Okay, well... if I felt that it was too much of a security risk to allow people to post images on my forum, I would take my forum offline. If all I wanted was a place for people to be able to chit chat in plaintext I'd start an IRC room.
#38
05-04-2005, 10:23 AM
fashunphotog
Join Date: Apr 2005
Location: US
Posts: 26

Quote:
Originally Posted by tmhall
What are the insanely high security risks in enabling HTML?
How about opening you up to unwanted litigation for a start? In today's litigious society, if one of your clients/customers gets hacked and they manage to trace it back to your board, you're wide open for repercussions.

Don't be naive enough to think your users won't come after you... we had a software company a few years ago and almost got into trouble ourselves. One of our clients' customer's computers got hit with a virus and they tried to blame our software. After many emails back and forth to our duplication company and several onsite visits, I was able to prove that the virus in fact, came from one of their own employees who was bringing infected disks in from home. He had been hacked and didn't even realize he was causing (and re-causing, and re-re-causing, etc...) the problem!

If I hadn't overheard a conversation about it being the fifth time their systems had to be cleaned (four before they purchased our software), our software company would've been ruined.

I have to agree with the group - raw html is too dangerous!
#39
05-04-2005, 01:48 PM
Princeton
Join Date: Nov 2001
Location: Vineland, NJ
Posts: 6,693

tmhall,

actions are sometimes worth more than words..
post your url and a 'test' account
#40
05-04-2005, 03:20 PM
Zero Tolerance
Join Date: Feb 2004
Location: England
Posts: 813

Enabling HTML for users? That's a bit insane. You know in IE 6 you can crash the browser in 7 characters (a bug with the <style> tag), but of course the main vulnerability is JavaScript, where a script could easily execute to grab the cookie information and post it through a hidden iframe to another website, or even make you go to your own profile and jack your user settings up; the possibilities are endless when it comes to it, really.

If you want users to be given more powerful options, my suggestion is to create bbcodes via the acp.

- Zero Tolerance
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.