About vB option "Allow Dynamic URL for [IMG] Tags", and its purpose
  • About vB option "Allow Dynamic URL for [IMG] Tags", and its purpose

    Hello,

    I'd like to know more about this admin feature:
    "Allow Dynamic URL for [IMG] Tags"

    What I've understood is that any image with characters like & ? = inside its URL won't be displayed on the board (but a link will be provided).

    Please tell me why!?

    Don't you agree that:
    1. A static message with a URL inside cannot be considered dynamic: the URL is always the same, not dependent on a form or anything else.
    2. A URL inside a message cannot send any other information than the one attached within its path (GET method). This means that no hidden or private information can be extracted or sent to anyone.
    3. Anything that is possible with the GET method can be done without! If you have a URL that looks like:
      http://my.web.site/ask.php?a=1&b=2&c=3
      you can always transform it and make it look like:
      http://my.web.site/8kkgjDMLCd/ask.php
      or just:
      http://8kkgjDMLCd.my.web.site/
      where "8kkgjDMLCd" is an encrypted code that represents the GET parameters, handled with things like the classic 404 error page, or tricky things like that.
      (try something like http://tinylinks.com to find something close to what I mean)
      (there was also http://amg.sytes.net, closer to what I am trying to explain, but it no longer exists)
    4. You don't need to have any GET parameters to do malicious things inside an IMG.
      (caution, this one should open your CD Box if you have JavaScript+WMP)
    So, what is the purpose of this vB option? Isn't it just an inconvenience/pain for users, instead of a security option?
    Lumina, adventurer of fantastic worlds and little writer with a big heart
    Cœur Lumière - vBulletin-fr
    Join the vBulletin French community social group!

  • #2
    I used it. It helped stop users from linking attachments to their signatures.
    Trent Gillespie Mod Theater Gillespie Photography

    Comment
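The character check discussed in this thread, as an added example (it is not vBulletin's code and not from either poster): it runs the check over the URLs from the first post and shows what it stops (query-string attachment links, as in reply #2) and what it lets through (the path-encoded and subdomain-encoded forms from point 3), next to a stricter host allowlist. Assumptions: the option behaves as the first post describes it, and `allowed_by_allowlist`, `images.forum.example` and the attachment and avatar URLs are hypothetical or constructed.

```python
from urllib.parse import urlsplit

# Assumption: the option's check as the first post describes it. An [IMG] URL
# containing ?, & or = is shown as a plain link instead of an inline image.
DYNAMIC_CHARS = set("?&=")


def allowed_by_dynamic_check(url: str) -> bool:
    """True if the URL would still be rendered inline as an image."""
    return not (DYNAMIC_CHARS & set(url))


# Hypothetical stricter policy (not a vBulletin option): only exact hosts the
# board operator trusts, no query string, and a static image file extension.
ALLOWED_HOSTS = {"images.forum.example"}
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")


def allowed_by_allowlist(url: str) -> bool:
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return (
        parts.scheme in ("http", "https")
        and host in ALLOWED_HOSTS          # exact match, so subdomains do not pass
        and not parts.query
        and parts.path.lower().endswith(IMAGE_EXTS)
    )


SAMPLES = [
    "http://my.web.site/ask.php?a=1&b=2&c=3",               # from the first post
    "http://my.web.site/8kkgjDMLCd/ask.php",                # from the first post
    "http://8kkgjDMLCd.my.web.site/",                       # from the first post
    "http://forum.example/attachment.php?attachmentid=42",  # constructed
    "http://images.forum.example/avatars/lumina.png",       # constructed
]


def compare(urls=SAMPLES):
    """Return (url, passes character check, passes allowlist) for each URL."""
    return [(u, allowed_by_dynamic_check(u), allowed_by_allowlist(u)) for u in urls]


if __name__ == "__main__":
    for url, dyn, strict in compare():
        print(f"char-check={'image' if dyn else 'link':5}  "
              f"allowlist={'image' if strict else 'link':5}  {url}")
```

The character check only recognises one spelling of a server-side script URL, so it is useful for cases like the attachment links in reply #2 but does not decide who serves the image; the allowlist does, at the cost of restricting where images may be hosted.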
