login | register | shoutbox

 What happened to the Messenger Plus! forums on msghelp.net?
Shoutbox » MsgHelp Archive » Skype & Technology » Tech Talk » (DO NOT CLICK OK!) I found a major security flaw in many boards

Pages: (3): « First « 1 [ 2 ] 3 » Last »
(DO NOT CLICK OK!) I found a major security flaw in many boards
Author: Message:
Millenium_edition
Veteran Member
*****

Avatar

Posts: 1787
Reputation: 57
Joined: Apr 2003
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
quote:
Originally posted by blade
<blacklist>
do you have any idea about how big the internet really is? ¬¬

edit: :$

This post was edited on 04-25-2005 at 07:06 PM by Millenium_edition.
ZOMG FREE WLM INVITES

VOTE ME FOR PRESIDENT
04-25-2005 07:03 PM
Profile E-Mail PM Find Quote Report
KeyStorm
Elite Member
*****

Avatar
Inn-sewer-ants-pollie-sea

Posts: 2156
Reputation: 45
38 / Male / –
Joined: Jan 2003
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
quote:
Originally posted by blade
Well some newbies could click "ok" and be redirected to the site's homepage or something. It's a very up-front way of someone advertising.


And it could be fixed by limiting the use of image tags to "gif" "jpeg" "jpg" "bmp" "png" or something like that (though that would mess with the random image scripts :dodgy:).

A very simple http-policy could redirect that internally (no aparent url change) to a script that could easily read everyithing you put into the fields. :rolleyes:

Care to say any try of tricking people into this should be considered as a try to hack the board and a permanent ban should be reasonable :P

This post was edited on 04-25-2005 at 07:06 PM by KeyStorm.
[Image: ?show=top]
[Image: ?show=bottom]
04-25-2005 07:05 PM
Profile E-Mail PM Web Find Quote Report
.blade//
Veteran Member
*****

Avatar

Posts: 2856
Reputation: 39
36 / Male / –
Joined: Jan 2004
O.P. RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
quote:
Originally posted by KeyStorm
Care to say any try of tricking people into this should be considered as a try to hack the board and a permanent ban should be reasonable :P

Hahaha - good call.
[Image: A%20Pointy%20Rock.jpg]
04-25-2005 07:12 PM
Profile PM Web Find Quote Report
saralk
Veteran Member
*****

Avatar

Posts: 2598
Reputation: 38
35 / Male / Flag
Joined: Feb 2003
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
i guess it could be used in a very dodgy way, by making people think that they need to enter their username and password again. :dodgy:
The Artist Formerly Known As saralk
London · New York · Paris
Est. 1989
04-26-2005 05:35 PM
Profile PM Find Quote Report
WDZ
Former Admin
*****

Avatar

Posts: 7106
Reputation: 107
– / Male / Flag
Joined: Mar 2002
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
quote:
Originally posted by saralk
i guess it could be used in a very dodgy way, by making people think that they need to enter their username and password again. :dodgy:
Yeah, but at least the prompt tells you what server you'd be sending the data to. :-/ Of course, some people without much web knowledge/experience could be fooled.

We'll simply remove any image that requires a login, as there is no way to stop them from being used in the [img] tags.
04-26-2005 05:56 PM
Profile PM Web Find Quote Report
John Anderton
Elite Member
*****

Avatar

Posts: 3908
Reputation: 80
37 / Male / Flag
Joined: Nov 2004
Status: Away
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
quote:
Originally posted by WDZ
Click: http://shoutbox.menthix.net/images/auth.jpg
I have that exact same script .... well thats what i use to protect my private pic gallery :P
Whats a username and password that will actually work there dz ?
[

KarunAB.com]

[img]http://gamercards.exophase.com/459422.png[
/img]
04-26-2005 07:19 PM
Profile E-Mail PM Web Find Quote Report
KeyStorm
Elite Member
*****

Avatar
Inn-sewer-ants-pollie-sea

Posts: 2156
Reputation: 45
38 / Male / –
Joined: Jan 2003
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
quote:
Originally posted by WDZ
quote:
Originally posted by saralk
i guess it could be used in a very dodgy way, by making people think that they need to enter their username and password again. :dodgy:
Yeah, but at least the prompt tells you what server you'd be sending the data to. :-/ Of course, some people without much web knowledge/experience could be fooled.

We'll simply remove any image that requires a login, as there is no way to stop them from being used in the [img] tags.


Oh, noes, DZ, the Auth Realm can be freely set to anything you want. So there's no way to know where it comes from. Actually, you can't tell what image caused it, unless you try them separately.
[Image: ?show=top]
[Image: ?show=bottom]
04-26-2005 07:24 PM
Profile E-Mail PM Web Find Quote Report
WDZ
Former Admin
*****

Avatar

Posts: 7106
Reputation: 107
– / Male / Flag
Joined: Mar 2002
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
quote:
Originally posted by John Anderton
I have that exact same script
:lol: No you don't... it's just a standard HTTP login prompt.
quote:
Whats a username and password that will actually work there dz ?
There isn't one... it's only an example.
quote:
Originally posted by KeyStorm
Oh, noes, DZ, the Auth Realm can be freely set to anything you want.
Well, Opera shows me the server name (msghelp.net) in addition to the realm. Other browsers don't? :-/
04-26-2005 07:28 PM
Profile PM Web Find Quote Report
John Anderton
Elite Member
*****

Avatar

Posts: 3908
Reputation: 80
37 / Male / Flag
Joined: Nov 2004
Status: Away
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
quote:
Originally posted by WDZ
No you don't... it's just a standard HTTP login prompt.
I tht it was an acutal script :P I was too lazy to read the whole thread :-)
I was refering to a php script that asks u a name and pw and only access to a file in which it was included when both are correct.
quote:
Originally posted by WDZ
There isn't one... it's only an example.
Same answer as above ..... ur dodgy :P
quote:
Originally posted by WDZ
Well, Opera shows me the server name (msghelp.net) in addition to the realm. Other browsers don't? :-/
Firefox does :P It says
quote:
Originally posted by Dz's dodgy script (http login prompt)
Enter username and password for "Oh noes!!!" at http://shoutbox.menthix.net

And behind the page says :refuck:
U could have atleast taken the liberty of putting the actual image there :-/
<img src="http://shoutbox.menthix.net/images/smilies/refuck.gif" alt="Refuck Emote"></img>

* John Anderton is sleepy and just hopes there arent any typo's there ....
if there are correct em ur self ...
[

KarunAB.com]

[img]http://gamercards.exophase.com/459422.png[
/img]
04-26-2005 07:43 PM
Profile E-Mail PM Web Find Quote Report
KeyStorm
Elite Member
*****

Avatar
Inn-sewer-ants-pollie-sea

Posts: 2156
Reputation: 45
38 / Male / –
Joined: Jan 2003
RE: (DO NOT CLICK OK!) I found a major security flaw in many boards
Ok, instead of "Oh noes!!" put
code:
"Oh noes!!

"

or

code:
"Oh noes!!!                                "
[Image: ?show=top]
[Image: ?show=bottom]
04-26-2005 08:08 PM
Profile E-Mail PM Web Find Quote Report
Pages: (3): « First « 1 [ 2 ] 3 » Last »
« Next Oldest Return to Top Next Newest »


Threaded Mode | Linear Mode
View a Printable Version
Send this Thread to a Friend
Subscribe | Add to Favorites
Rate This Thread:

Forum Jump:

Forum Rules:
You cannot post new threads
You cannot post replies
You cannot post attachments
You can edit your posts 		HTML is Off
myCode is On
Smilies are On
[img] Code is On