MyBB Community Forums

Full Version: Forum Exploited Through Signature?
(2012-02-23, 11:42 PM)John J. Wrote:
(2012-02-23, 11:27 PM)WebOutfit Wrote:
(2012-02-23, 11:08 PM)John J. Wrote: Yes, it is harmless, but never trust authentication boxes; never put info in them.

So, my clients shouldn't log in to their client area on my website and the secure area for my job I should never trust? Okay, thanks for telling me then! I won't touch them again. Dodgy

No, I'm not saying it that way. I'm saying if you see an unsuspected box then don't do it, but if you know what the box is for then you can enter it and do your stuff.

In what case is entering your username and password in an unsuspected box okay?
A clever sysadmin could alter htaccess so that it logs all login attempts user/pass combos. In such a case a moron might put in his forum login data and in such a case could have their account compromised.
So shouldn't this be treated as a bigger issue? The fact that using this generates a pop-up on your forum is bad enough...but if it is possible to compromise accounts then it is even worse. Imagine labrocca had something like this in his signature, all 8,000 of his posts would generate this authentication box. That can be a big issue.

Can this be prevented?
Nothing you can really do about it. It's up to the user to be smart about what information they provide and into what forms they do it.

As an admin all you can really do is edit posts and sigs that include links to such files.
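
The admin-side cleanup mentioned in the post above can be partly automated. The following is an added example, not code from this thread or from MyBB: it pulls `[img]` URLs out of signature text and flags those whose server answers 401 with a `WWW-Authenticate` header, which is the response that makes a browser raise the login box. The user names, hosts and canned responses are constructed, and the function names are hypothetical.

```python
import re
import urllib.error
import urllib.request

# Matches [img]url[/img] and attribute forms such as [img=88x31]url[/img];
# only http(s) URLs are captured, so other schemes are never fetched.
IMG_TAG = re.compile(r"\[img[^\]]*\]\s*(https?://[^\s\[\]]+)\s*\[/img\]", re.IGNORECASE)

def image_urls(signature):
    """Return every http(s) image URL embedded in a signature's MyCode."""
    return IMG_TAG.findall(signature)

def probe(url, timeout=5):
    """Send a credential-free HEAD request; return (status, headers)."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, dict(response.headers)
    except urllib.error.HTTPError as err:  # 4xx/5xx, including 401
        return err.code, dict(err.headers)

def prompts_for_login(status, headers):
    """True when a browser would show an HTTP authentication dialog."""
    return status == 401 and any(h.lower() == "www-authenticate" for h in headers)

def flag_signatures(signatures, fetch=probe):
    """Map username -> signature image URLs that answer with a login challenge."""
    flagged = {}
    for user, signature in signatures.items():
        for url in image_urls(signature):
            try:
                status, headers = fetch(url)
            except (OSError, ValueError):  # unreachable host or malformed URL
                continue
            if prompts_for_login(status, headers):
                flagged.setdefault(user, []).append(url)
    return flagged

# Constructed sample data (hypothetical users and hosts) so the check runs offline.
SAMPLE_SIGNATURES = {
    "alice": "[img]http://img.example.invalid/banner.png[/img]",
    "mallory": "Hi! [img=88x31]http://sig.example.invalid/protected.png[/img]",
}
SAMPLE_RESPONSES = {
    "http://img.example.invalid/banner.png": (200, {"Content-Type": "image/png"}),
    "http://sig.example.invalid/protected.png": (401, {"WWW-Authenticate": 'Basic realm="Forum"'}),
}

if __name__ == "__main__":
    print(flag_signatures(SAMPLE_SIGNATURES, fetch=SAMPLE_RESPONSES.__getitem__))
```

When using the live `probe` instead of the canned responses, run it from a host with no route to internal services, since the URLs are user-supplied.
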
(2012-02-24, 12:49 AM)WebOutfit Wrote:
(2012-02-23, 11:42 PM)John J. Wrote:
(2012-02-23, 11:27 PM)WebOutfit Wrote:
(2012-02-23, 11:08 PM)John J. Wrote: Yes, it is harmless, but never trust authentication boxes; never put info in them.

So, my clients shouldn't log in to their client area on my website and the secure area for my job I should never trust? Okay, thanks for telling me then! I won't touch them again. Dodgy

No, I'm not saying it that way. I'm saying if you see an unsuspected box then don't do it, but if you know what the box is for then you can enter it and do your stuff.

In what case is entering your username and password in an unsuspected box okay?

If you enter the same password and username as your MyBB account here, the hacker will get that in text and he can use it to look which sites use your username and then your password.
It's not really difficult to understand...
Restrict img in signatures to members with X posts if it's a real problem. Normally this is not though.