The Arcive of Official vBulletin Modifications Site.

cinq · #31 04-21-2005, 01:20 PM

Quote:

Originally Posted by tmhall

If you want me to believe that enabling HTML is an insanely high security risk, you're going to have to prove it.

Why not enable HTML in your forums and tell us your forum's URL and maybe some will give it a go, just for sh1ts and giggles, to prove it

zetetic · #32 04-21-2005, 03:49 PM

Quote:

Originally Posted by cinq

Why not enable HTML in your forums and tell us your forum's URL and maybe some will give it a go, just for sh1ts and giggles, to prove it

I don't need proof that people can put malicious code into sigs and posts, I already know that.

The question is whether the risks are so high that I need to completely disable HTML for all my forum members no matter what, and I don't believe they are. Unless you only visit completely secure, password protected websites anytime you go anywhere on the Internet you open yourself up to the possibility of malicious code. The only way to be 100% safe is to unplug your Internet connection now. Are you gonna do that?

filburt1 · #33 04-21-2005, 05:38 PM

I think you're missing the point. HTML is a known security vulnerability. No other part of vB is. By your logic, you're 50% secure by disabling HTML and 100% with no connection, when in fact it is more like 99.9% secure without HTML and 100% with no connection.

Brad · #34 04-21-2005, 06:23 PM

Allowing html leads to javascript, or embeded flash

. Such things can be powerful scripting tools and can take advanage of your users. With bbcode your server is in control of the code, with html on you depend on the end users machine which is always a bad thing when you are allowing users to pass said code to everyone!

I wish you luck if you have enabled it, cause it won't be long..

zetetic · #35 04-21-2005, 06:30 PM

Have you ever seen The Godfather?

"I keep tryin' to get out, but they keep pullin' me back in!"

Quote:

Originally Posted by filburt1

I think you're missing the point. HTML is a known security vulnerability. No other part of vB is. By your logic, you're 50% secure by disabling HTML and 100% with no connection, when in fact it is more like 99.9% secure without HTML and 100% with no connection.

Actually, no. That's not my logic at all. I have never once said anything about disabling HTML providing only 50% security, I've only said that the only way to protect yourself 100% from encountering malicious code on the Internet is to disconnect your computer from the Internet. That's just a truism.

Here's a question for you: Is it or is it not true that a malicious person could use the IMG and/or URL vBcodes to trick you into going to a porn or warez site, or any other site where you may encounter malicious code?

If yes, then do you believe that allowing the use of the IMG and URL vBcodes is a security risk and that they should never be enabled for any reason? Why or why not?

filburt1 · #36 04-21-2005, 06:33 PM

Using the built-in tags can only deceive the user at worst. HTML can take over your forums.

Although I did disable the [img] tag at my site for security reasons, mainly for retarded bugs in IE that could attach VBScript to images.

zetetic · #37 04-21-2005, 06:39 PM

Quote:

Originally Posted by Brad.loo

Allowing html leads to javascript, or embeded flash

.

I know. Some of my forum users have already posted some really cool stuff using javascript, embedded Flash, and other various applets. Some things that simply wouldn't be possible without HTML. I'm really looking forward to seeing what else they come up with.

Quote:

Such things can be powerful scripting tools and can take advanage of your users. With bbcode your server is in control of the code, with html on you depend on the end users machine which is always a bad thing when you are allowing users to pass said code to everyone!

Indeed. Hopefully our decision to limit HTML use to a select group of users and a continued policy of careful monitoring of the forum will prevent any possibly malicious users from causing any trouble.

Quote:

I wish you luck if you have enabled it, cause it won't be long..

A lot of people said exactly the same thing when I told them we didn't plan to moderate for content. For some crazy reason a lot of people seem to think the only possible way to run an Internet forum is like a fascist dictatorship. As I said earlier, though, we've been live a year and have a couple hundred regular, seemingly happy forum users. We're far from a huge forum, but we're not exactly struggling for visitors either.

The time may very well come that I have to disable HTML, make a bunch of strict rules and/or shut the forum down. But until then, I'm going to just keep doing what I think is best for the forum and my users. And at this time that means giving them features and not telling them what they can and cannot talk about.

Quote:

Originally Posted by filburt1

Using the built-in tags can only deceive the user at worst. HTML can take over your forums.

Hmm.. last time you said this I asked you exactly how someone could take over my forum using HTML, and you said they could steal my cookie and use it to login as me. But when I asked you to explain exactly how that's possible you said you don't like it when people argue with you. So are you going to tell me now exactly how someone can steal and use my cookies to take over my forum with HTML, or are you gonna get mad at me for asking again?

Quote:

Although I did disable the [img] tag at my site for security reasons, mainly for retarded bugs in IE that could attach VBScript to images.

Okay, well... if I felt that it was too much of a security risk to allow people to post images on my forum, I would take my forum offline. If all I wanted was a place for people to be able to chit chat in plaintext I'd start an IRC room.

fashunphotog · #38 05-04-2005, 10:23 AM

Quote:

Originally Posted by tmhall

What are the insanely high security risks in enabling HTML?

How about opening you up to unwanted litigation for a start? In today's litigious society if one of your clients/customers gets hacked and they manage to trace it back to your board you're wide open for repurcussions.

Don't be naive enough to think your users won't come after you... we had a software company a few years ago and almost got into trouble ourselves. One of our clients' customer's computers got hit with a virus and they tried to blame our software. After many emails back and forth to our duplication company and several onsite visits, I was able to prove that the virus in fact, came from one of their own employees who was bringing infected disks in from home. He had been hacked and didn't even realize he was causing (and re-causing, and re-re-causing, etc...) the problem!

If I hadn't overheard a conversation about it being the fifth time their systems had to be cleaned (four before they purchased our software), our software company would've been ruined.

I have to agree with the group - raw html is too dangerous!

Princeton · #39 05-04-2005, 01:48 PM

tmhall,

actions are sometimes worth more then words..
post your url and a 'test' account

Zero Tolerance · #40 05-04-2005, 03:20 PM

Enabling HTML for users? That's a bit insane, you know in IE 6 you can crash the browser in 7 characters (a bug with the <style> tag), but ofcourse the main vulnerability is JavaScript, where a script could easily execute to grab the cookie information, and post it through a hidden iframe to another website, or even make you go to your own profile and jack your user settings up, the possibilities are endless when it comes to it really.

If you want users to be given more powerful options, my suggestion is to create bbcodes via the acp.

- Zero Tolerance

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04332 seconds Memory Usage 2,268KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (9)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (3)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!