Vbulletin exploit?

  • Vbulletin exploit?

    I just spent quite a while trying to figure out why a certain post was causing browsers to crash. As it turned out, someone had made a post using IMG tags, and the content of the tags included "http://forum-url/forums/data:image/png;base64,"

    followed by about 5MB of random text. It would even cause Navicat to crash when I tried to delete the post manually.

    Is this a known exploit, or is it possible that it was just an innocent mistake?

  • #2
    Hello, have you found a fix for that?

    I have the same problem: sometimes uploaded images are not uploaded, and the post shows the IMG code as data:image

    I found this faulty image upload in an older thread on vb-germany too; in the archive you can see the code:
    http://www.vbulletin-germany.com/for...p/t-40756.html
    Originally posted by nerofix
    http://www.vbulletin-germany.com/forum/data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABwAAAAOCAYAAAA8E3wEAAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH1QUUDyoqJjAqRwAAAN1JREFUOMu1lMkVwyAMBYe0JG pCNUFNVk3k4AUwxPGS+ILxkzX8jyTH/Sfu9nrmJ3cXlnMASyWRPwd2d5XlHCBZn1BthcbRAdxTZQDI8k3mQzg11rhF+QZ9jdNOcQib6GFQYJYgCFucSRf6GsL U6wEY5yubTFqF2yq1vRwr3INXdQUWG+je1pELX4ED1wDyRAR0WfuAA9gloIT yvsFMIMgYInYRqF6rO9Sqz9qkO5ilyo0o3YBwJ+6vrdQonxWUQllhXeHcb/wabMPkP2n81ocAIoLZrMqn/4y2RwP8DcQ+d6rT9ATiAAAAAElFTkSuQmCC
    But on the forum there is no image.

    With larger text files the browser crashes.

    • #3
      Curious if there was ever an answer to this - I've had it happen on my vb 4.1.x site a handful of times.

      • #4
        The same thing is happening to my forum. A white page appears wherever this is posted. Can anyone explain a solution to this?
        www.erodov.com :cool:

        • #5
          http://en.wikipedia.org/wiki/Data_URI_scheme

          It means that someone is just innocently copy/pasting an image that was originally embedded as a Data URI. Embedding small images in this manner is very common in web design since it spares an extra resource pull.

          For example as posted above:
          Originally posted by nerofix
          http://www.vbulletin-germany.com/forum/data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABwAAAAOCAYAAAA8E3wEAAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH1QUUDyoqJjAqRwAAAN1JREFUOMu1lMkVwyAMBYe0JG %20pCNUFNVk3k4AUwxPGS+ILxkzX8jyTH/Sfu9nrmJ3cXlnMASyWRPwd2d5XlHCBZn1BthcbRAdxTZQDI8k3mQzg11rhF+QZ9jdNOcQib6GFQYJYgCFucSRf6GsL %20U6wEY5yubTFqF2yq1vRwr3INXdQUWG+je1pELX4ED1wDyRAR0WfuAA9gloIT%20yvsFMIMgYInYRqF6rO9Sqz9q kO5ilyo0o3YBwJ+6vrdQonxWUQllhXeHcb/wabMPkP2n81ocAIoLZrMqn/4y2RwP8DcQ+d6rT9ATiAAAAAElFTkSuQmCC
          ^^ That is the babelfish icon, which I would guess came when someone copy/pasted a translation.

          Not sure why your browser would crash, it *should* just cause the broken image icon.
          - Maurice Workin' in the Jira mine, goin' down, down, down

          • #6
            I've confirmed that it is in fact occurring when people paste an image from their clipboard directly into the editor box. The problem is that in most cases the image code is huge since people are usually posting high res images. Definitely seems like it's a bug - it shouldn't be allowing people to paste an image directly into the editor like that, it should be parsed as a [img]url[/img].

            • #7
              Unfortunately I think you are wrong...You may want to look into this: https://www.vbulletin.com/forum/show...88#post2185388

              I don't think this is happening because someone is copy-pasting an image, I believe it's because your forum is compromised / hacked.

              • #8
                Originally posted by MikesSite
                Unfortunately I think you are wrong...You may want to look into this: http://www.theadminzone.com/forums/s...2&postcount=81
                Actually, I think you might want to look at that. Maybe even read it twice.
                - Maurice Workin' in the Jira mine, goin' down, down, down

                • #9
                  Originally posted by Maurd
                  Actually, I think you might want to look at that. Maybe even read it twice.
                  Look at what? I have already read it more than twice. I have seen this exact issue happen multiple times on different forums. All were hacked / compromised. I could be wrong but it's just my 2 cents. Something to look into.

                  • #10
                    The only thing I found with % wildcard in the connection privileges is for the default test\_% but Grant is set to No.

                    • #11
                      Originally posted by meissen
                      I've confirmed that it is in fact occurring when people paste an image from their clipboard directly into the editor box. The problem is that in most cases the image code is huge since people are usually posting high res images. Definitely seems like it's a bug - it shouldn't be allowing people to paste an image directly into the editor like that, it should be parsed as a [img]url[/img].
                      I can confirm this ... is there any solution to the issue?
                      www.erodov.com :cool:

                      • #12
                        Originally posted by vijayninel
                        I can confirm this ... is there any solution to the issue?

                        Are you able to duplicate this right here on this forum?

                        • #13




                          edit: Of course not - it gets parsed as an image like it should...

                          • #14
                            Originally posted by Infopro
                            Are you able to duplicate this right here on this forum?
                            No it is happening on my forum.
                            www.erodov.com :cool:
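
An added example, not part of the original thread and not vBulletin code: a Python check for the pattern described in posts #1, #5 and #6, an IMG tag whose body is a base64 data URI (with or without the forum URL in front), reporting its decoded size and whether the payload really starts like the declared image type. The names `scan_post` and `MAX_DECODED_BYTES`, the 64 KiB limit and the `forum.example` posts are assumptions made for illustration.

```python
import base64
import re
from urllib.parse import unquote

# [IMG] body holding a base64 data: URI, optionally with a forum base URL glued in front
IMG_DATA_RE = re.compile(
    r"\[img\]\s*(?P<prefix>https?://[^\s\[\]]*?)?data:(?P<mime>[\w.+-]+/[\w.+-]+)"
    r";base64,(?P<payload>.*?)\[/img\]",
    re.IGNORECASE | re.DOTALL,
)
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff", "image/gif": b"GIF8"}
MAX_DECODED_BYTES = 64 * 1024  # assumed site policy, not a vBulletin setting

def scan_post(post_id, body, limit=MAX_DECODED_BYTES):
    """Return one finding per [IMG] tag in body that embeds a base64 data: URI."""
    findings = []
    for m in IMG_DATA_RE.finditer(body):
        # Line wrapping leaves spaces or %20 inside the payload; strip them first.
        payload = re.sub(r"\s+", "", unquote(m.group("payload")))
        size = len(payload.rstrip("=")) * 3 // 4  # decoded size, without decoding it all
        try:
            head = base64.b64decode(payload[:16])  # first 12 bytes are enough for magic
        except ValueError:
            head = b""
        mime = m.group("mime").lower()
        findings.append({
            "post_id": post_id,
            "mime": mime,
            "url_prefixed": m.group("prefix") is not None,
            "decoded_bytes": size,
            "oversized": size > limit,
            "magic_ok": mime in MAGIC and head.startswith(MAGIC[mime]),
        })
    return findings

def b64(data):
    return base64.b64encode(data).decode("ascii")

# Constructed sample posts (hypothetical, not taken from any real forum database).
SAMPLE_POSTS = {
    101: "[IMG]http://forum.example/forums/data:image/png;base64,"
         + b64(MAGIC["image/png"] + bytes(200_000)) + "[/IMG]",
    102: "nice pic [IMG]http://forum.example/images/a.png[/IMG]",
    103: "[img]data:image/png;base64," + b64(b"<html>not a png</html>") + "[/img]",
}

if __name__ == "__main__":
    for pid, text in SAMPLE_POSTS.items():
        for finding in scan_post(pid, text):
            print(finding)
```

An oversized finding with `magic_ok` true matches the pasted-clipboard-image explanation; a payload that does not start like the declared image type is the case worth a closer look.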
