How to deny access to /clientscript
  • How to deny access to /clientscript

    How do I deny access to the directory /clientscript without messing up the forum?

    I feel really uncomfortable with this directory: clientscript/vbulletin_md5.js. Someone can log it and steal all the md5 info; this is really unsafe considering how many people try to hack my website daily.
    Is there a solution to deny access to this directory? Thanks.

    And yes, vbulletin has it too, but it is completely different from my forum
    http://www.vbulletin.com/forum/clien...ulletin_md5.js

    Why doesn't vbulletin help its customers protect or help you change these files when you buy vbulletin? If they do, then I am sorry I didn't see the guide to help you protect this directory.
    Last edited by Chad Warden; Sun 1 May '11, 10:53am.

  • #2
    How can someone login and steal all of the md5 info?

    If that file was unsafe, we would not provide it to you. Users cannot do much, if anything, with that file. It's just an open-source md5 hashing algorithm in javascript, so we can transmit users' passwords slightly more safely across the internet.

    Additionally, all of the files/folders in the clientscript folder need to be accessible to users; they're used to display the website. There is no reason to deny access to the clientscript folder.


    • #3
      Originally posted by Zachery
      How can someone login and steal all of the md5 info?

      If that file was unsafe, we would not provide it to you. Users cannot do much, if anything, with that file. It's just an open-source md5 hashing algorithm in javascript, so we can transmit users' passwords slightly more safely across the internet.

      Additionally, all of the files/folders in the clientscript folder need to be accessible to users; they're used to display the website. There is no reason to deny access to the clientscript folder.
      Ok, that's fine, however I still do not trust this directory. Is there any possible way to deny users from accessing it while keeping my website stable?
      Also, I didn't say "login", I said "LOG IT", like a keylogger.


      • #4
        Nope. That directory is 100% safe. If you do not trust it, you'd have to disable ALL javascript functions in vBulletin, including hashing users' passwords, which would DECREASE safety of your website.


        • #5
          There are some websites that give you a 403 error "Forbidden" when you try to access /clientscript... if they can do it then how will my website be able to do it? I know it's possible because I have seen it.


          • #6
            clientscript/vbulletin_md5.js is a hashing algorithm; you can't just "log it" and steal passwords, it doesn't work like that. It's a client-side script, hence the directory name "clientscript". There's nothing even remotely unsafe about that file; in fact, it is being used to hash the user's password before sending it to the server, which is a good security feature to help prevent passwords from being stolen.


            • #7
              Originally posted by squall14716
              clientscript/vbulletin_md5.js is a hashing algorithm; you can't just "log it" and steal passwords, it doesn't work like that. It's a client-side script, hence the directory name "clientscript". There's nothing even remotely unsafe about that file; in fact, it is being used to hash the user's password before sending it to the server, which is a good security feature to help prevent passwords from being stolen.
              So why doesn't vbulletin have this file out? http://www.vbulletin.com/forum/clien...ulletin_md5.js It looks nothing like the one they provide us.

              Anyways, no one has answered my question.

              How do I deny access to users to this directory without messing up the forum?


              • #8
                Yours is compressed and has no comments; ours is not compressed and has comments.

                There is no way to do this safely.
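
The following is an added example, not part of the thread and not vBulletin's code: a simplified model of what a login form puts on the wire when the client-side hashing script loads (HTTP 200) versus when /clientscript answers 403. The field names, the helper names and the fallback to submitting the typed password are assumptions made for illustration.

```javascript
// Added illustration, not vBulletin code. All names below are hypothetical.
const nodeCrypto = require("crypto");

// Stand-in for the public routine a file like vbulletin_md5.js provides.
// It is a pure function of its input: it stores no user data, so reading
// the file reveals nothing about anyone's password.
function md5Hex(text) {
  return nodeCrypto.createHash("md5").update(text, "utf8").digest("hex");
}

// Model the browser requesting the script. A 403 on /clientscript means the
// page never receives the hashing function.
function loadClientScript(httpStatus) {
  return httpStatus === 200 ? md5Hex : null;
}

// Build the fields the login form would submit.
// Assumption: without the script, the form submits the typed password as is.
function buildLoginPayload(username, password, hashFn) {
  if (typeof hashFn === "function") {
    // Script loaded: blank the plaintext field and send only the digest.
    return { username, password: "", password_md5: hashFn(password) };
  }
  // Script blocked: the plaintext password is what leaves the browser.
  return { username, password, password_md5: "" };
}

// True when the typed password itself would be transmitted.
function plaintextOnWire(payload) {
  return payload.password !== "";
}

const SAMPLE_PASSWORD = "abc"; // constructed sample value
const served = buildLoginPayload("alice", SAMPLE_PASSWORD, loadClientScript(200));
const blocked = buildLoginPayload("alice", SAMPLE_PASSWORD, loadClientScript(403));

console.log("script served :", served, "plaintext sent:", plaintextOnWire(served));
console.log("script blocked:", blocked, "plaintext sent:", plaintextOnWire(blocked));
```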
