Announcement

**Zachery** · Sun 1 May '11, 10:54am

How can someone login and steal all of the md5 info?

If that file was unsafe, we would not provide it to you. Users cannot do much if anything with that file. Its just a open-source md5 hashing algorithm in javascript. So we can transmit users passwords slightly more safely across the internet.

Additionally, all of the files/folders in the clientscript folder need to be accessable to users, they're used to display the website. There is no reason to deny access to the clientscript folder.

**Chad Warden** · Sun 1 May '11, 10:57am

Originally posted by Zachery View Post

How can someone login and steal all of the md5 info?

If that file was unsafe, we would not provide it to you. Users cannot do much if anything with that file. Its just a open-source md5 hashing algorithm in javascript. So we can transmit users passwords slightly more safely across the internet.

Additionally, all of the files/folders in the clientscript folder need to be accessable to users, they're used to display the website. There is no reason to deny access to the clientscript folder.

Ok, that's fine, however I still do not trust this directory, is tehre any possible way to deny users from accessing it while remaining my website stable?
Also I didn't say "login" I said "LOG IT" like a keylogger

**Zachery** · Sun 1 May '11, 10:59am

Nope. That directory is 100% safe, if you do not trust it you'd have to disable ALL javascript functions in vBulleitn, including hashing uses passwords, which would DECREASE safety of your website.

**Chad Warden** · Sun 1 May '11, 11:05am

There are some websites that give you a 403 error "Forbidden" when you try to access /clientscript... if they can do it then how will my website be able to do it? I know it's possible because I have seen it.

**Matthew Gordon** · Sun 1 May '11, 11:07am

clientscript/vbulletin_md5.js is a hashing algorithm, you can't just "log it" and steal passwords, it doesn't work like that. It's a client-side script, hence the directory name "clientscript". There's nothing even remotely unsafe about that file, in fact, it is being used to hash the user's password before sending it to the server which is a good security feature to help prevent passwords from being stolen.

**Chad Warden** · Sun 1 May '11, 11:11am

Originally posted by squall14716 View Post

clientscript/vbulletin_md5.js is a hashing algorithm, you can't just "log it" and steal passwords, it doesn't work like that. It's a client-side script, hence the directory name "clientscript". There's nothing even remotely unsafe about that file, in fact, it is being used to hash the user's password before sending it to the server which is a good security feature to help prevent passwords from being stolen.

So why doesn't vbulletin have this file out ? http://www.vbulletin.com/forum/clien...ulletin_md5.js it looks nothing like the one they provide us?

Anyways no one has answered my question.

How do I deny access to users to this directory without messing up the forum?

**Zachery** · Sun 1 May '11, 11:49am

Yours is compressed, and has no comments, ours is not compressed and has comments.

There is no way to do this safely.

vBulletin 3 End of Life

Announcement

How to deny access to /clientscript

How to deny access to /clientscript

Comment

Comment

Comment

Comment

Comment

Comment

Comment