vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions

#11  04-20-2005, 02:01 AM
filburt1 (Join Date: Feb 2002; Location: Maryland, US; Posts: 6,144)

Never, ever, ever allow HTML. There is no such thing as a trusted user, and hell no such a thing as a trusted usergroup. There is absolutely no advantage in HTML that is worth the insanely high security risks. Don't allow it anywhere.
#12  04-20-2005, 02:28 AM
noppid (Join Date: Mar 2003; Location: Florida; Posts: 1,875)

Make vB codes for all the HTML you want to allow and make the kiddie scripters use them instead. That should give YOU control and the dynamics you want.

However....Good Luck!
#13  04-20-2005, 02:29 AM
zetetic (Join Date: Apr 2004; Posts: 338)

Quote:
Originally Posted by filburt1
Never, ever, ever allow HTML. There is no such thing as a trusted user, and hell no such a thing as a trusted usergroup. There is absolutely no advantage in HTML that is worth the insanely high security risks. Don't allow it anywhere.
What are the insanely high security risks in enabling HTML? The worst I've heard is that someone could swipe cookies and get my users' md5 hashed passwords then try a brute force attack to crack them. But I guarantee my admin password isn't going to get cracked like that, and if it happened to some of my users--while it would be very bad in terms of violating their privacy--I certainly wouldn't call that an insanely high security risk.

What other specific risks do you have in mind?
#14  04-20-2005, 02:57 AM
filburt1 (Join Date: Feb 2002; Location: Maryland, US; Posts: 6,144)

Quote:
Originally Posted by tmhall
What are the insanely high security risks in enabling HTML? The worst I've heard is that someone could swipe cookies and get my users' md5 hashed passwords then try a brute force attack to crack them. But I guarantee my admin password isn't going to get cracked like that, and if it happened to some of my users--while it would be very bad in terms of violating their privacy--I certainly wouldn't call that an insanely high security risk.

What other specific risks do you have in mind?
They can still send those hashes to the server to simulate a logon. You can never guarantee that a password won't get "cracked"--in fact, passwords are notorious for being a horrible means of securing any system given it doesn't really verify that the user in question is who he claims to be.

Hell, for all you know, they could use the HTML in conjunction with some Javascript to fake a login form that redirects to their site, then they can steal your username and password in plain text. They can redirect to their own site for a request to that page. They can use CSS to restyle everything on the page. The list is seemingly endless.

With the exception of tables and more complex multiple argument HTML tags, there is nothing in HTML that can't be safely reproduced in vB code tags.

There is a reason that the only bolded text that I've encountered in a setting description in vB is to never enable HTML.
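The approach noppid and filburt1 describe above (expose only an allow-list of vB codes and have the server turn them into fixed HTML, instead of letting posters write HTML themselves) can be shown in a few dozen lines. The following is an added example written for this thread, not vBulletin's own BBCode parser; `render_post`, `render_bbcode`, `safe_url` and the `SAMPLE_POST` text are all constructed here. It escapes every HTML metacharacter in the post first and only then translates a handful of vB-style tags, so the only markup that ever reaches the browser is markup the renderer itself emitted; a `[url=...]` link is additionally scheme-checked so that a `javascript:` link is dropped. The `allow_html=True` branch mirrors the "Allow HTML" setting the thread is arguing about and passes the post through unchanged, which is exactly why a script tag survives there and not in the vB-code path.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Allow-list: the vB-style tags we accept and the fixed HTML each one becomes.
# Anything not listed here is rendered as literal, escaped text.
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u"}

# Only these link schemes are allowed; "javascript:" and "data:" never get through.
ALLOWED_URL_SCHEMES = {"http", "https"}

# Constructed sample post: one legitimate tag, one raw script tag, one
# javascript: link and one ordinary link (query string included).
SAMPLE_POST = (
    '[b]hello[/b] <script>document.title="x"</script> '
    '[url=javascript:void(0)]click[/url] '
    '[url=https://example.com/?a=1&b=2]site[/url]'
)


def safe_url(raw: str) -> Optional[str]:
    """Return the URL unchanged if it uses an allowed scheme and has a host, else None."""
    candidate = raw.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() in ALLOWED_URL_SCHEMES and parts.netloc:
        return candidate
    return None


def render_bbcode(post: str) -> str:
    """Escape everything, then translate only allow-listed vB codes to HTML."""
    # Step 1: neutralise every '<', '>', '&', '"' the poster typed.
    out = html.escape(post, quote=True)

    # Step 2: simple paired tags become fixed elements with no attributes.
    # (Simplification of this example: nested or unmatched tags are left as text.)
    for tag, element in SIMPLE_TAGS.items():
        out = re.sub(
            rf"\[{tag}\](.*?)\[/{tag}\]",
            rf"<{element}>\1</{element}>",
            out,
            flags=re.IGNORECASE | re.DOTALL,
        )

    # Step 3: [url=...]text[/url] becomes a link only if the scheme is allowed;
    # otherwise the link is dropped and just the visible text remains.
    def url_repl(match: "re.Match[str]") -> str:
        href = safe_url(html.unescape(match.group(1)))
        if href is None:
            return match.group(2)
        return f'<a href="{html.escape(href, quote=True)}">{match.group(2)}</a>'

    out = re.sub(
        r"\[url=([^\]]+)\](.*?)\[/url\]",
        url_repl,
        out,
        flags=re.IGNORECASE | re.DOTALL,
    )
    return out


def render_post(post: str, allow_html: bool = False) -> str:
    """Mirror the forum setting: with HTML allowed the post is sent to the browser as-is."""
    if allow_html:
        return post  # raw pass-through: whatever the poster wrote, including scripts
    return render_bbcode(post)


def contains_script_tag(rendered: str) -> bool:
    """Crude check used only to illustrate the difference between the two modes."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("HTML allowed :", render_post(SAMPLE_POST, allow_html=True))
    print("vB codes only:", render_post(SAMPLE_POST, allow_html=False))
```

The order of the steps is the whole point: because escaping happens before any tag translation, the translation step can only ever emit the fixed strings in `SIMPLE_TAGS` and a scheme-checked `href`, never tag or attribute text supplied by the poster. That is what lets a BBCode path give posters bold text and links without giving them the script, form and style capabilities filburt1 lists above.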
#15  04-20-2005, 03:23 AM
Brad (Join Date: Nov 2001; Posts: 4,765)

IMHO they should just go ahead and remove html support all together. It's a legacy feature really, back in the old days we had to use html because we didn't have bbcode (this is a time way before vB).

There is no reason to turn it on, like others have said, if you enable it you have to limit it which defeats the entire purpose of enabling it. Like filburt1 said, reproduce any html commands you need with bbcode.
#16  04-20-2005, 03:35 AM
zetetic (Join Date: Apr 2004; Posts: 338)
Default

Quote:
Originally Posted by filburt1
They can still send those hashes to the server to simulate a logon. You can never guarantee that a password won't get "cracked"--in fact, passwords are notorious for being a horrible means of securing any system given it doesn't really verify that the user in question is who he claims to be.
Okay let's take a step back here first. Do you know exactly how someone can steal cookies using HTML on my forum? And if they can, are you saying that they can somehow use that cookie to login to the forum as me without cracking the password?

Quote:
Hell, for all you know, they could use the HTML in conjunction with some Javascript to fake a login form that redirects to their site, then they can steal your username and password in plain text.
But they can't fake a login form that's going to trick me. I mean I know vBulletin doesn't ever pop up a login window, so it's not like I'm going to forget that and type in my login name and pw. Granted some of my users might fall for that, but then again I'm not as worried about my users' accounts being compromised as I am my own. Which is to say if someone was harvesting my users' login info that way I would find out about it fast and stop it. But if someone got into my account they could actually do some serious damage.

Quote:
They can redirect to their own site for a request to that page.
I don't think a redirect is an insane security risk though.

Quote:
They can use CSS to restyle everything on the page. The list is seemingly endless.
They can? I'll have to do some testing but that doesn't seem possible.

Quote:
With the exception of tables and more complex multiple argument HTML tags, there is nothing in HTML that can't be safely reproduced in vB code tags.
HTML is a huge specification with a million features and functions that vB code tags can't do. Granted the average forum user would never use any of it, but when you have professional web designers using your site they prefer to have the power and flexibility of HTML.

Quote:
There is a reason that the only bolded text that I've encountered in a setting description in vB is to never enable HTML.
Is there a reason they don't just remove the setting?

Don't get me wrong, I'm far from an expert on vBulletin, or HTML and I'm not just trying to mess with you here. It's just that in the last year I've been lurking around here I've yet to read any concrete, specific security threats of enabling HTML. And I'm just not one to strip down the software functionality unnecessarily. If someone tells me to disable a feature of the software I want to know exactly why I should.
#17  04-20-2005, 04:24 AM
filburt1 (Join Date: Feb 2002; Location: Maryland, US; Posts: 6,144)
Default

No offense, but don't just quote every sentence I say and dispute it. It annoys the hell out of me when people do that. Remember, nothing personal.

I will sum up my statement with the following indisputable fact that any experienced vBulletin administrator or developer will echo:

There is no safe way to enable HTML, and the benefits of enabling it are obliterated by the onslaught of security vulnerabilities it introduces.

I partially agree with Brad in that it probably shouldn't have been implemented for this exact reason, but I also have my own private opinion on that.
#18  04-20-2005, 01:09 PM
zetetic (Join Date: Apr 2004; Posts: 338)
Default

Quote:
Originally Posted by filburt1
No offense, but don't just quote every sentence I say and dispute it. It annoys the hell out of me when people do that. Remember, nothing personal.

I will sum up my statement with the following indisputable fact that any experienced vBulletin administrator or developer will echo:

There is no safe way to enable HTML, and the benefits of enabling it are obliterated by the onslaught of security vulnerabilities it introduces.

I partially agree with Brad in that it probably shouldn't have been implemented for this exact reason, but I also have my own private opinion on that.
Well nothing personal but it annoys the hell out of me when people tell me that actually using one of the features of software that I paid for is an insanely high security risk, but then can't tell me exactly what the risks are. I'm sorry that I'm not a person who just believes whatever I'm told without question, it's a personal problem I have. If you want me to believe that enabling HTML is an insanely high security risk, you're going to have to prove it.

I have seen no proof anywhere that enabling HTML brings an "onslaught of security vulnerabilities", and if it does then Jelsoft should release an emergency upgrade that disables the HTML functionality entirely. Since they haven't done that, I'm going to conclude that the risks are exactly what I think they are: Not significantly more than not enabling HTML. People can use IMG and URL vBcodes to trick you into going to a site mimicking yours and then harvest your username and password that way. Does that make the IMG and URL tags an insanely high security risk?

Lastly, I started this thread to discuss an issue with HTML coding. Only about two people have actually responded to the question in the opening post while a dozen of you have chimed in to insist that I not enable HTML. If I am allowed to post HTML questions here, I would prefer it if people who don't have an answer for my questions, like yourself, not derail my thread. I know everyone here means well, but I'm not a 12 yr. old n00b. I don't need anyone to hold my hand here.

However, if you are telling me that I am not allowed to question whether HTML is really a huge security risk, discuss HTML coding on this forum and/or that you intend to post on every such thread with scaremongering about HTML use, then that's fine. I will stop posting here. Just let me know. But don't expect me to just take your (or anyone's) word on things that you can't actually prove.
#19  04-20-2005, 01:47 PM
filburt1 (Join Date: Feb 2002; Location: Maryland, US; Posts: 6,144)
Default

It's listed right in the admin CP that it's dangerous! If you do not wish to accept my numerous examples of what the use of HTML can lead to, I suggest submitting a ticket at vB.com asking what they recommend. You will receive the same answer: do not enable it.
#20  04-20-2005, 02:16 PM
Zachery (Join Date: Jul 2002; Location: Ontario, Canada; Posts: 11,440)
Default

Quote:
Originally Posted by tmhall
Well nothing personal but it annoys the hell out of me when people tell me that actually using one of the features of software that I paid for is an insanely high security risk, but then can't tell me exactly what the risks are. I'm sorry that I'm not a person who just believes whatever I'm told without question, it's a personal problem I have. If you want me to believe that enabling HTML is an insanely high security risk, you're going to have to prove it.

I have seen no proof anywhere that enabling HTML brings an "onslaught of security vulnerabilities", and if it does then Jelsoft should release an emergency upgrade that disables the HTML functionality entirely. Since they haven't done that, I'm going to conclude that the risks are exactly what I think they are: Not significantly more than not enabling HTML. People can use IMG and URL vBcodes to trick you into going to a site mimicking yours and then harvest your username and password that way. Does that make the IMG and URL tags an insanely high security risk?

Lastly, I started this thread to discuss an issue with HTML coding. Only about two people have actually responded to the question in the opening post while a dozen of you have chimed in to insist that I not enable HTML. If I am allowed to post HTML questions here, I would prefer it if people who don't have an answer for my questions, like yourself, not derail my thread. I know everyone here means well, but I'm not a 12 yr. old n00b. I don't need anyone to hold my hand here.

However, if you are telling me that I am not allowed to question whether HTML is really a huge security risk, discuss HTML coding on this forum and/or that you intend to post on every such thread with scaremongering about HTML use, then that's fine. I will stop posting here. Just let me know. But don't expect me to just take your (or anyone's) word on things that you can't actually prove.
I've seen allowing html:

Crash the users' browsers while they browse forums, redirect to whole new websites with ads and popups, steal cookies and allow users to take over said forum, screw up designs, use said stolen info to take over other things like email accounts etc.

It has NEVER been wise to do so. And every time one of the other admins allows html on a forum I run I go turn it off. And then rant and rave to them about how it's bad, but they re-enable it, and a week later the forums are crashing because someone put some nifty javascript in their signature and it's crashing everyone's browsers.