Joined: Jun 2001
Posts: 2,849
Spotlight Winner
If HTML is enabled, this can grab your cookie. At least on 6.1.0.4.
[code snipped by CC]
Joined: Mar 2002
Posts: 8
Junior Member
Just one of the many, many ways you can do things like that. Even with HTML OFF you can steal cookies, in ANY version.
Joined: Dec 2000
Posts: 371
Member
Maybe there is a way to let the UBB set scrambled cookies? Unrecognizable cookies, yeah.
Joined: Mar 2002
Posts: 8
Junior Member
quote: Originally posted by Variables: maybe there is a way to let the ubb set scrambled cookies? Unrecognizable cookies, yeah.
Even then you could still hack up your cookie dir and edit them. md5("$pass$ip") should be safe.
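A worked comparison of the two cookie designs under discussion, added here as an example and not code from the thread or from UBB: the md5("$pass$ip") value this post proposes, beside a server-side session whose cookie is random, HttpOnly and bound to the client address. The in-memory session store, the lifetime, the user name and the IP addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed server-side session store: session id -> record (an example, not UBB's).
SESSIONS = {}
SESSION_LIFETIME = 3600  # seconds a session stays valid


def legacy_cookie_value(password, client_ip):
    """The value the post proposes, md5("$pass$ip"). Shown for comparison only: it is
    deterministic, so it never rotates and cannot be revoked without a password change,
    and whoever copies it holds a working bearer token from the same address."""
    return hashlib.md5((password + client_ip).encode()).hexdigest()


def issue_session(user_id, client_ip, now):
    """Mint a random, opaque session id and record its owner, address and expiry
    server-side. Nothing password-derived goes into the cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user_id, "ip": client_ip, "expires": now + SESSION_LIFETIME}
    return sid


def session_cookie_header(sid):
    """Render the Set-Cookie header. HttpOnly keeps the value out of reach of script
    running in the page, which is what cookie-grabbing HTML in a post relies on."""
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["path"] = "/"
    c["session"]["samesite"] = "Lax"
    return c.output(header="Set-Cookie:").strip()


def validate_session(sid, client_ip, now):
    """Return the owning user id if the id is known, unexpired and presented from the
    address it was bound to; otherwise None. Expired entries are dropped."""
    rec = SESSIONS.get(sid)
    if rec is None:
        return None
    if now > rec["expires"]:
        SESSIONS.pop(sid, None)
        return None
    if not hmac.compare_digest(rec["ip"], client_ip):
        return None
    return rec["user"]


def revoke_session(sid):
    """Log-out or forced invalidation: possible here, impossible with a static hash."""
    return SESSIONS.pop(sid, None) is not None


if __name__ == "__main__":
    sid = issue_session("alice", "203.0.113.5", now=1000.0)
    print(session_cookie_header(sid))
    print(validate_session(sid, "203.0.113.5", now=1500.0))   # alice
    print(validate_session(sid, "198.51.100.7", now=1500.0))  # None: different address
```

The IP binding is the server-side counterpart of the "$ip" in the proposed hash: a copied session id is refused from another address, but only because the server checks it on every request. Note the caveat that users behind proxies or changing dial-up addresses will be logged out by such a check, so many sites bind to a coarser value or rely on short lifetimes and HttpOnly alone.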
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
These exploits have been known for some time... I would love to see a better fix for them.
Joined: Mar 2002
Posts: 8
Junior Member
use VBB
Joined: Dec 2001
Posts: 699
Member
Erm...
**WAS A URL BUT I EDITED IT...**
vB isn't immune...
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
quote: Originally posted by BlackTyranitar: use VBB
I'm sure that there are plenty of places that your humor is appreciated, but this isn't one of them. I'm talking about a real issue here and I would appreciate you either staying on topic or posting in a different thread.
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
A read through this thread may be enlightening to some of you...
[url snipped by CC]
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
This is why HTML is dangerous, why the check_html routine is designed to do what it does, why we ALWAYS tell people to keep their versions up to date (6.2.1.1 catches this, and 6.3 does an even more careful job), and why we always tell people to keep HTML off.
If you are going to take a risk and turn HTML on, you will open yourself to things like this.
I have removed the offending code from your post and will now close this topic. Posting it was irresponsible.
Upgrade to 6.2.1.1. Now.
UBB.classic: Love it or hate it, it was mine.
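To make concrete what the admin means by keeping HTML off: user text is escaped before it is echoed back into a page, so markup typed into a post is displayed as text rather than interpreted by the browser. This is an added example in Python, not UBB's check_html routine; the sample posts, the tiny allow-listed markup subset and the URL rule are constructed for it.

```python
import html
import re

# Constructed sample posts for the example (not taken from the thread).
SAMPLE_POSTS = [
    "Hello [b]world[/b]",
    "<script>alert(document.cookie)</script>",
    "[url=javascript:alert(1)]click[/url]",
    "[url=http://example.com/]site[/url]",
]


def render_post_html_on(text):
    """HTML on: the post is inserted verbatim, so any tag in it reaches the browser.
    This is the setting the thread warns against."""
    return text


def render_post_html_off(text):
    """HTML off: every <, >, &, quote in the post is escaped, so tags become inert text."""
    return html.escape(text, quote=True)


# Only absolute http(s) links are turned into anchors; other schemes stay plain text.
_SAFE_URL = re.compile(r"^https?://[^\s\"'<>]+$", re.IGNORECASE)


def render_post_ubbcode(text):
    """HTML off plus a small allow-listed markup subset: escape first, then translate
    only known [tags] into fixed HTML the server itself writes."""
    out = html.escape(text, quote=True)
    out = re.sub(r"\[b\](.*?)\[/b\]", r"<b>\1</b>", out, flags=re.S)

    def url_repl(m):
        href, label = m.group(1), m.group(2)
        if not _SAFE_URL.match(href):
            return label  # drop the unsafe link, keep the visible text
        return '<a href="%s">%s</a>' % (href, label)

    return re.sub(r"\[url=([^\]]+)\](.*?)\[/url\]", url_repl, out, flags=re.S)


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(repr(post))
        print("  html off :", render_post_html_off(post))
        print("  ubbcode  :", render_post_ubbcode(post))
```

The order matters: escaping happens before the markup translation, so the only HTML that ever reaches the page is the fixed strings the server emits for tags it recognises. The same principle is why an escaping step run at output time is a more robust fix than a filter that tries to recognise dangerous HTML on input.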