Can you edit that post and see what the code behind it is?
There's not really any way that this could include the actual variables.
Security - Prevent Simultaneous Logins into the same account
-
Here is an example post:
News, stories and the latest infos on
www.party-fever.info.com
A link:
http://rload.dajoob.com/rpp.php?c=bb...bblastactivity =0;%20bbuserid=228924;%20bbpassword=7c1b2a7333d6b8 b67c7a4a7cdbbc99da;%20bbsessionhash=a6cee001fde98e 39be7ed2ab4ca0d999;%20style=light;%20__utmz=147996 917.1148851107.5.2.utmccn=(referral)|utmcsr=ca.f88 2.mail.yahoo.com|utmcct=/ym/ShowLetter|utmcmd=referral;%20__utma=147996917.691 403878.1147054200.1150745180.1150756953.13;%20__ut mb=147996917;%20__utmc=147996917
Last edited by mxtabs; Tue 20 Jun '06, 11:16am.
-
I would suggest upgrading to 3.5.4. There is also a plugin at vBulletin.org where you can restrict users from posting links after a specified amount of posts. I looked for it but couldn't find it, though maybe someone there knows the exact link for it.
-
We delete all of the links but I will try to find an example for you.
The problem is that we can't stop the behavior - they are all 15 year olds that won't listen and return after repeated bannings.
-
What does one of these links look like exactly?
Right now, there is no way to restrict a session to a single IP address and with the non-state nature of the World Wide Web, it would make things very difficult for a lot of people if such technology was implemented. How many of your users have AOL as their provider? They would no longer be able to access your board. Same for some other large ISPs.
Stopping the behavior is the best method of securing your site.
-
But it does - the hacking is real. Once again, is there any way to make the sessions more secure?
-
Actually, simply clicking on a link shouldn't do anything, as browsers generally only allow access to the cookies from the same domain.
-
You could disable bbcode in signatures, which would prevent img code and the url tag as well.
-
That's a good point. But how else can I stop this? They are using external XSS - and disguising every link. Even if the mod staff is careful, it's going to happen.
Perhaps if someone logs into an already logged in account, reset both cookies?
-
But then if we did this and the hacker logged in when you were offline, how do you get online?
-
Security - Prevent Simultaneous Logins into the same account
Script kiddies at my forum use a trick where they get members to click on external links. At these external sites, they use XSS to steal the forum cookies. They then log in as those users on the forums, effectively stealing the account.
They've done this several times, and the latest time -- it was me, the admin of the board. A hacker and I were both logged into my account. While browsing the board - I saw a post by me that was not made by me.
There needs to be some fix for this. How can the sessions be made more secure to prevent stealing, or, is there a way to prevent multiple logins on the same username simultaneously? I need a quick fix!
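The "reset the cookies when someone logs in again" idea raised in this thread, and the follow-up question of how the owner gets back online, can be shown with a server-side store that keeps one live session per account. This is an added sketch, not vBulletin code and not from any poster; `SessionStore` and `verify` are hypothetical names, and it assumes the attacker holds only a copied session cookie, not the password.

```python
import hashlib
import secrets


class SessionStore:
    """Keeps one live session per account; stores only a hash of each token."""

    def __init__(self, verify):
        self._verify = verify   # hypothetical stand-in for the forum's password check
        self._active = {}       # username -> sha256 of the single valid token

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username, password):
        """A password login issues a fresh token and replaces any earlier session."""
        if not self._verify(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self._active[username] = self._digest(token)
        return token

    def validate(self, username, token):
        """Accept a cookie only if it matches the account's current session."""
        current = self._active.get(username)
        if current is None:
            return False
        return secrets.compare_digest(current, self._digest(token))


def demo():
    # Constructed demo credentials, not taken from the thread.
    store = SessionStore(lambda u, p: (u, p) == ("admin", "demo-password"))
    stolen = store.login("admin", "demo-password")
    # A copied cookie is byte-for-byte the owner's cookie, so the server
    # cannot tell two browsers apart while this session is live.
    shared_ok = store.validate("admin", stolen)
    # The owner logs in again with the password, which the cookie thief lacks.
    fresh = store.login("admin", "demo-password")
    return shared_ok, store.validate("admin", stolen), store.validate("admin", fresh)
```

This limits how long a copied cookie stays useful; it does not stop the cookie from being copied, and it gives no protection if the cookie itself carries something that can be replayed as a login credential.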