Announcement

Collapse
No announcement yet.

Non-critical exploit (of sorts)

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • John
    replied
    Perhaps you could turn down the number of images that you allow people to post? 150 seems rather unreasonable.

    John

    Leave a comment:


  • Palmer ofShinra
    replied
    Originally posted by Stallion
    I believe that this potential exploit was fixed in a version > 2.0.3...try upgrading and let us know if the problem persists.
    We haven't upgraded past 203 for a couple of good reasons...

    #1: Our board is just so overly hacked it's not funny, with a lot fo the hacks consisting of one or two lines of code in various places... and no log to keep track of them... yes, I'm dumb.

    #2: An attempted test upgrade to 220 anyways resulted in seriously bad problems, and was considered simply not feasible.

    We're waiting on v3 for upgrading.

    Leave a comment:


  • tubedogg
    replied
    They should, however, carefully weigh the options before installing SR-2 as it will completely disable their ability to receive EXE (and a number of other) attachments.

    Leave a comment:


  • Wayne Luke
    replied
    What browser and email client where they using?

    If they are using Outlook 2000, they should install SR-1 and SR-2 for it. Both have been available for over a year now.

    Leave a comment:


  • Stallion
    replied
    I believe that this potential exploit was fixed in a version > 2.0.3...try upgrading and let us know if the problem persists.

    Leave a comment:


  • TheHideoutGuy
    replied
    Same here...

    Could it be a brower-specific issue? I didn't notice a browser mentioned.

    Leave a comment:


  • The Prohacker
    replied
    I just tried it on my test forum, and, it just makes a mailto link, no popup email client........

    Leave a comment:


  • Palmer ofShinra
    started a topic Non-critical exploit (of sorts)

    Non-critical exploit (of sorts)

    Well... one of our users today tried a fun gimmick...

    He tried to see what could be done with the IMG tag.

    So what he did was put a MAILTO url inside an IMG tag...

    [ img ]mailto:[email protected][ /img ]

    Appearently... this gets parsed as < img src="mailto:[email protected]" >

    And... oddl enough... it causes your default email client to automatically pop up a new message window, just as if you had clicked a normal mailto.

    The problem lies in the fact that in this person's test post...

    He put in over 150 IMG-mailto tags.

    Which caused 150 windows to pop up and crashed his comp.

    See the problem?

    Anyhow, just thought I'd share... perhaps the developers will have a way to stop this.
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Working...
X