#1 - 05-03-2007, 06:27 PM
GoTTi
Join Date: Jun 2002
Posts: 1,346
Thanked: 0 times
Thanked 0 times in 0 posts
vBulletin Forums and User Accounts being exploited

vBulletin staff, please send out a security bulletin regarding this issue.

What is happening:
A user is posting a thread or reply with an image that, on mouseover, records the user's cookie to a .php page, which prints the data out to a .txt file. The data being recorded is the cookie information of the user mousing over the image. When the user mouses over the image, the image disappears, and when that happens the cookie information is recorded to the external site.

This makes it easy for someone to log in as another user, including admins. All the exploiter has to do is edit their cookie file, save it, and visit the site, and they are logged in as that user. Admins need to be careful....

This has happened to only 2 forums I know of right now, including mine.

After reading the code in the thread that the user posted, it's being done using HTML. Now, we are always told to disable HTML on our forums, but LOTS of people use it because it's a handy tool for users on our forums to play with.

So I guess the only fix, besides disabling HTML on your forums, is to censor out these keywords that are needed for recording the cookie data:

Quote:
onMouseover="document.sam.src=
+document.cookie;">
I believe censoring out these keywords will work and help protect our forums.


Note: I'm not sure if "document.sam.src=" needs to be censored. I think just censoring onMouseover is good enough...
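The first post proposes censoring the literal keywords from the quoted handler. The check a forum operator actually wants, if HTML must stay on, is an allowlist: keep only named tags and named attributes and drop everything else, so an event handler is removed whatever it is called or how it is capitalised. The following is an added example, not code from the thread or from vBulletin. It uses only Python's standard library (html.parser) and runs over a sample post constructed here in the shape the first post describes (an image carrying a mouseover handler), with the handler text taken from the fragment quoted above; the tag and attribute allowlists, the URL rule and the example.invalid host are assumptions made for the example.

```python
"""Allowlist HTML sanitizer for forum posts (added example, not vBulletin code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags a post may keep; any other tag is dropped, its text content survives.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a", "img"}
# Per-tag attribute allowlist. No on* handler is ever listed, so onmouseover
# and every other event handler is removed regardless of spelling or case
# (HTMLParser lowercases attribute names before we see them).
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """Accept only absolute http(s) URLs for src/href (assumed policy)."""
    parts = urlsplit((value or "").strip())
    return parts.scheme.lower() in {"http", "https"} and bool(parts.netloc)


class PostSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attr or None) removed; handy for moderation logs

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name))
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        # Close tags are re-emitted without balance tracking: output is safe
        # but not guaranteed well-formed for sloppy input.
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

    # Comments, doctypes and processing instructions never reach the output.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize_post(html_text):
    """Return (clean_html, dropped) for one post body."""
    p = PostSanitizer()
    p.feed(html_text)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample in the shape the thread describes: an image whose
# mouseover handler is the fragment quoted in the first post.
SAMPLE_POST = (
    '<b>check this</b> <img src="http://example.invalid/pic.gif" '
    'onMouseover="document.sam.src=+document.cookie;">'
)

if __name__ == "__main__":
    clean, dropped = sanitize_post(SAMPLE_POST)
    print(clean)    # <b>check this</b> <img src="http://example.invalid/pic.gif">
    print(dropped)  # [('img', 'onmouseover')]
```

The censor-list approach in the first post depends on matching the exact text an attacker typed; the allowlist never has to know what the handler is called, which is why it holds up where a keyword list does not. Independently of sanitizing, a session cookie set with the HttpOnly flag is not readable through document.cookie, so a handler that does slip past a filter has nothing to send.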
#2 - 05-03-2007, 06:40 PM
EnIgMa1234
Join Date: Mar 2006
Location: .:: Ireland ::.
Posts: 1,306
Thanked: 0 times
Thanked 0 times in 0 posts

Eh, that's why vBulletin asks you not to enable HTML. Simple solution really.
#3 - 05-03-2007, 06:52 PM
nexialys
Guest
Posts: n/a

Like Enigma just said... most forum software now disables HTML in posts...

So if you've been fool enough to activate it on a large public website, you have now learned your lesson.
#4 - 05-03-2007, 07:19 PM
Distance
Join Date: Jul 2006
Location: Boston, Uk
Posts: 725
Thanked: 0 times
Thanked 0 times in 0 posts

Enabling HTML is a foolish thing to do.
#5 - 05-03-2007, 08:03 PM
GoTTi
Join Date: Jun 2002
Posts: 1,346
Thanked: 0 times
Thanked 0 times in 0 posts

Where is the option to enable or disable HTML in the AdminCP anyway?
#6 - 05-03-2007, 08:09 PM
rjmjr69
Join Date: Jan 2007
Location: Southie
Posts: 876
Thanked: 0 times
Thanked 0 times in 0 posts

Interesting, because this is also happening with MySpace...
#7 - 05-03-2007, 10:05 PM
kall
Join Date: Apr 2004
Location: New Zealand
Posts: 2,608
Thanked: 0 times
Thanked 0 times in 0 posts

Quote:
Originally Posted by GoTTi
where is the option to enable or disable html in the admincp anyways?
It's a per-forum setting.

Unless you have installed my modification which makes it a per-usergroup setting.

Anyone who has enabled that for non-admins is a tad on the silly side, IMO.
#8 - 05-04-2007, 04:00 AM
Ntfu2
Join Date: Feb 2006
Posts: 1,247
Thanked: 0 times
Thanked 0 times in 0 posts

Quote:
Originally Posted by kall
Anyone who has enabled that for non-admins is a tad on the silly side, IMO.
Must have to be nice


Personally, I think you're flippin' crazy to have it enabled anywhere.
#9 - 05-04-2007, 04:20 AM
kall
Join Date: Apr 2004
Location: New Zealand
Posts: 2,608
Thanked: 0 times
Thanked 0 times in 0 posts

Quote:
Originally Posted by Ntfu2
Must have to be nice

Personally, i think your flippin crazy to have it enabled any where.
Well, true.

There is the odd time where I totally forget, and post dodgy cookie-stealing code on my site.