Double checking XSS suspicions.
27th February 2009, 07:16
You might want to take a look at this Aika, definitely not cool.
PS: this is not in the forum dev section because HTML is disabled there.
27th February 2009, 14:09
Talk about a really easy bypass!
Needs to be fixed ASAP!
27th February 2009, 16:26
While this is not fixed, I suggest Firefox with NoScript, set to not allow any scripts from anything on the forum.
Or just set any other browser to just not allow scripts.
27th February 2009, 16:29
How do you do that?
27th February 2009, 17:54
How do you do that?
@XSI: Oh I already had it thank you, but I knew something was up the SECOND the notice popped up...
27th February 2009, 19:46
Hmm, is there any way to deal with this except completely forbidding HTML?
27th February 2009, 21:50
Depends if you've got control over the code or not. If you do, then it should just be a basic change to a central file. If you don't, you'd want to contact vBulletin, direct them to this page, tell them their code sucks, and turn off HTML while they fix it.
This is really pathetic. With code injection this easy, I could have a full worm up and running before anyone knew what the fuck was going on. Come on vBulletin, I expect more from you!
EDIT: and yes, NoScript is really good.
27th February 2009, 21:59
Except that I have NoScript whitelisting ulmf.org :p
27th February 2009, 22:22
Interesting, this hasn't been disabled although I disabled [html] tags.
Can someone other than me try posting that again?
27th February 2009, 23:15
Looks fixed to me.
27th February 2009, 23:34
I removed the original because it was annoying.
28th February 2009, 08:11
Now I feel sad that I gave up a perfectly good chance to take over the forums and make myself a mod.
28th February 2009, 12:21
Is that a dare or something... you think you could defeat me?!?
28th February 2009, 19:34
I hadn't seen you around for a bit, I figured I'd have at least some time before the mighty Nunu crushed me.
vBulletin® v3.7.4, Copyright ©2000-2013, Jelsoft Enterprises Ltd.