The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
Cookie Stuffing Detector [Inside- What is Cookie Stuffing and Why you Should Care] Details »» | ||||||||||||||||||||||||||||
Cookie Stuffing Detector [Inside- What is Cookie Stuffing and Why you Should Care]
Developer Last Online: Jan 2018
This modification will help protect your boards against cookie stuffing scams.
What is Cookie Stuffing From Wikipedia: Quote:
There are several techniques for cookie stuffing, one of which works on most vBulletin forums. I'll put the following in code tags so only licensed vB owners can read it. Code:
A user can add an [img] bbcode in a post and put an affiliate page as the URL. That's all it takes to plant a cookie with their affiliate tracking code on the computers of everyone who views that post. What this mod does Code:
This modification inserts some Javascript on each thread page when a moderator or admin is viewing the thread. This Javascript counts how many [IMG] tags are in each post, and then tries to check if a given image is a valid image. If there is a mismatch, it will display a warning message at the top of the post alerting the mod/admin to the fact. There is the possibility of false positives if an image takes an inordinate amount of time to load. If you want to check for that possibility, there is a "recheck" link in the message, whereby you can recheck the images in that post. Import the product XML file in your Product Manager, then visit the Options group "Cookie Stuffing Detector Options". After installation, you can check if this is working by creating a post and .... Code:
including an image with an invalid URL, such as: [img]http://example.com/adslkdfaslkjdsfkjldfsakjlsdfakj/[/img] which should show up as a cookie stuffing attempt. I am planning to expand this mod to:
Tested in... (on Windows XP)
Show Your Support
|
Comments |
#2
|
||||
|
||||
awesome stuff.
I heard about the cookie stuffing issues at DP and ebay. Good to see, there is a way to protect ourselves! thanks a bunch. |
#3
|
|||
|
|||
This only works on bbcode that has a non image as image.
But you can use any image remotely hosted in the img tag and that img can be forced to be executed as a php file. The remote image is actually php code that sets a cookie with the affiliate code, and then sets the mime via header and returns a real image. example: The img above is http://floris.vbulletin.com/stuff/vborgtest.jpg[/img] which is actually a php file that sets a cookie for floris.vbcom with user 'vborgtest' hence: stuffing. This plugin doesn't seem to check for real cookie stuffing, unless I am mistaken? |
#4
|
||||
|
||||
Right, except that's not really what we're talking about since there is no monetary gain in that.
Code:
The cookie stuffing we are talking about is for example: Say I have a Commission Junction account and am an affiliate for eBay. For me to get paid, I have to send people to http://www.ebay.com?affiliateid=12345 When someone visits that URL, an ebay.com cookie is set on their machine. Then if they sign up/ make a purchase etc within 60 days then I get a commission. You can't set an ebay.com cookie from floris.vbulletin.com You could have floris.vbulletin.com/stuff/vborgtest.jpg be a php script that redirects with a 301 redirect to ebay.com?affiliateid=12345 but then my Javascript would still catch that, since it's not a valid image. Cookie stuffing works because even though the image isn't valid and isn't displayed, the headers that are received get acted upon by the browser, setting a cookie. The only two ways of stuffing affiliate cookies is via an iframe or via an image that references the target affiliate site. These of course can be obfuscated using javascript tricks. The only vulnerability for vBulletin is the [IMG] code, assuming that you don't have html turned on. |
#5
|
||||
|
||||
Thanks..
Installed on 3.7.3 and when I checked "Print debug output" I can't browse to any thread.. IE7 loads the thread then I get a notice can't find the page and I go to 404 I used Google Chrome and its fine and see at the buttom it says 6 of 6 posts on this page checked for cookie stuffing but why IE stuffed with the setting? Thanks |
#6
|
||||
|
||||
so it just can happen if User post an image using [img] tag and that image has url ?!!
|
#7
|
||||
|
||||
Gonna keep an eye on this one
|
#8
|
||||
|
||||
Quote:
My reply is in [code] tags so that only license holders can see it. Code:
A user can force cookies on all your visitors by linking to their affiliate page using the [img] tags. No image will appear in the post obviously. |
#9
|
||||
|
||||
|
#10
|
||||
|
||||
This sounds good, and I'm considering installing it, but one question... wouldn't this flag up vBulletin album images because the image format is something like picture.php?id= or something?
|
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|