What happened to the Messenger Plus! forums on msghelp.net?
Shoutbox » MsgHelp Archive » Skype & Technology » Tech Talk » (DO NOT CLICK OK!) I found a major security flaw in many boards

Pages: (3): « First [ 1 ] 2 3 » Last »
(DO NOT CLICK OK!) I found a major security flaw in many boards
Author: Message:
.blade//
Veteran Member
*****

Avatar

Posts: 2856
Reputation: 39
36 / Male / –
Joined: Jan 2004
O.P. (DO NOT CLICK OK!) I found a major security flaw in many boards
Well I was using the official Playstation forums and someone asked me how to put an image in their signature.

I told them to use (yes - the PS forums allow html):
<img src="http://www.externalserver.com/folder/image.extension">


He, being a newbie, thought I meant to use that EXACT code. He put it in and now a java pop-up appears whenever a page with that tag is viewed :lol:.

It appears to work here, too, using the [img] tags.
[img]http://www.externalserver.com/folder/image.extension[/img] (Edited by WDZ)


This has been test on:
Lithium (PS forums)
Mybb (these forums).



WDZ - if you get a chance you might want to fix this on the Plus! forums :rolleyes:
Chris Boulton - you may want to fix this for everyone else.

This post was edited on 04-25-2005 at 06:39 PM by WDZ.
[Image: A%20Pointy%20Rock.jpg]
04-25-2005 06:34 PM
Profile PM Web Find Quote Report
WDZ
Former Admin
*****

Avatar

Posts: 7106
Reputation: 107
– / Male / Flag
Joined: Mar 2002
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
quote:
Originally posted by blade
He put it in and now a java pop-up appears whenever a page with that tag is viewed
Uhh... it just looks like a standard HTTP login prompt... not that unusual... I've seen it here a number of times. The mods just remove any image that requires a login.

There's really no way to prevent such images from being linked to.
04-25-2005 06:38 PM
Profile PM Web Find Quote Report
KeyStorm
Elite Member
*****

Avatar
Inn-sewer-ants-pollie-sea

Posts: 2156
Reputation: 45
38 / Male / –
Joined: Jan 2003
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
I think this is somewhat impossible to fix. However this does not cause any harm (I think), but some annoying. :^)

Edit: Ok, unless it says, you need to log in to the board again :P

/sdoh

This post was edited on 04-25-2005 at 06:40 PM by KeyStorm.
04-25-2005 06:39 PM
Profile E-Mail PM Web Find Quote Report
.blade//
Veteran Member
*****

Avatar

Posts: 2856
Reputation: 39
36 / Male / –
Joined: Jan 2004
O.P. RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
Well some newbies could click "ok" and be redirected to the site's homepage or something. It's a very up-front way of someone advertising.


And it could be fixed by limiting the use of image tags to "gif" "jpeg" "jpg" "bmp" "png" or something like that (though that would mess with the random image scripts :dodgy:).
[Image: A%20Pointy%20Rock.jpg]
04-25-2005 06:42 PM
Profile PM Web Find Quote Report
Millenium_edition
Veteran Member
*****

Avatar

Posts: 1787
Reputation: 57
Joined: Apr 2003
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
quote:
Originally posted by blade
And it could be fixed by limiting the use of image tags to "gif" "jpeg" "jpg" "bmp" "png" or something like that (though that would mess with the random image scripts :dodgy:).
actually, it can't... if you need permission to view those, that popup will also appear.
04-25-2005 06:46 PM
Profile E-Mail PM Find Quote Report
Anubis
Elite Member
*****

Avatar
42

Posts: 2695
Reputation: 64
34 / Male / Flag
Joined: Oct 2003
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
quote:
Originally posted by blade

And it could be fixed by limiting the use of image tags to "gif" "jpeg" "jpg" "bmp" "png" or something like that
They still need login :/

quote:
Originally posted by WDZ

There's really no way to prevent such images from being linked to.
Apart from the obvious sniffing any provider that does them out and banning hotlinking to their site from here, wouldn't work though, one would always be missed, although it could act as "damage limitation" and decrease the odds of it happening
[Image: anubis5hq.png]
04-25-2005 06:48 PM
Profile PM Find Quote Report
WDZ
Former Admin
*****

Avatar

Posts: 7106
Reputation: 107
– / Male / Flag
Joined: Mar 2002
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
quote:
Originally posted by blade
And it could be fixed by limiting the use of image tags to "gif" "jpeg" "jpg" "bmp" "png" or something like that (though that would mess with the random image scripts :dodgy:).
Uhhm... no.

Click: http://shoutbox.menthix.net/images/auth.jpg

:p
04-25-2005 06:49 PM
Profile PM Web Find Quote Report
.blade//
Veteran Member
*****

Avatar

Posts: 2856
Reputation: 39
36 / Male / –
Joined: Jan 2004
O.P. RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
quote:
Originally posted by WDZ
quote:
Originally posted by blade
And it could be fixed by limiting the use of image tags to "gif" "jpeg" "jpg" "bmp" "png" or something like that (though that would mess with the random image scripts :dodgy:).
Uhhm... no.

Click: http://shoutbox.menthix.net/images/auth.jpg

:p


Well it's your choice I guess :-/
And ya - I forgot about protected images :dodgy:

(and :refuck: 2u2)

This post was edited on 04-25-2005 at 06:50 PM by .blade//.
[Image: A%20Pointy%20Rock.jpg]
04-25-2005 06:49 PM
Profile PM Web Find Quote Report
Anubis
Elite Member
*****

Avatar
42

Posts: 2695
Reputation: 64
34 / Male / Flag
Joined: Oct 2003
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
quote:
Originally posted by blade

Well it's your choice I guess

He said "Uhhm...No" because it wouldn't work, not because it's his choice.
You need authorisation for the server, and any file on the server. Doesn't matter if it's a .exe or .gif. You need a username and password
[Image: anubis5hq.png]
04-25-2005 06:53 PM
Profile PM Find Quote Report
.blade//
Veteran Member
*****

Avatar

Posts: 2856
Reputation: 39
36 / Male / –
Joined: Jan 2004
O.P. RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
quote:
Originally posted by Anubis

He said "Uhhm...No" because it wouldn't work, not because it's his choice.

I know, but there are other things he could do :P (blacklist servers for one)


quote:
Originally posted by Anubis

You need authorisation for the server, and any file on the server. Doesn't matter if it's a .exe or .gif. You need a username and password

I know - I forgot :P
[Image: A%20Pointy%20Rock.jpg]
04-25-2005 06:55 PM
Profile PM Web Find Quote Report
Pages: (3): « First [ 1 ] 2 3 » Last »
« Next Oldest Return to Top Next Newest »


Threaded Mode | Linear Mode
View a Printable Version
Send this Thread to a Friend
Subscribe | Add to Favorites
Rate This Thread:

Forum Jump:

Forum Rules:
You cannot post new threads
You cannot post replies
You cannot post attachments
You can edit your posts
HTML is Off
myCode is On
Smilies are On
[img] Code is On