A Report to Mental

  1. #16
    Rishwin (Captain of the Universe)
    Rank: Legend
    Join Date: Oct 2004
    Location: Perth
    Posts: 15,952

    Re: A Report to Mental [wtf?]



    Quote Originally Posted by 4FUNer View Post
    actually it opened without ur click ;] - once you visited topic/pf

    and his signature was empty ;]

    i respect ur the old user of RZ but check 2 time before saying "grow up" to someone

    but now seems to be fixed so topic can be closed thx
    Had a response, forum went offline.

    TL;CR - You didn't say that in your original post, all you did was link and by then he had already fixed it. Not my fault if you don't want to explain what the issue actually is.



  2. #17
    2009x2014 (Alpha Member)
    Rank: Alpha Male
    Join Date: Dec 2009
    Posts: 2,810

    Re: A Report to Mental [wtf?]

    Quote Originally Posted by Rishwin View Post
    Had a response, forum went offline.

    TL;CR - You didn't say that in your original post, all you did was link and by then he had already fixed it. Not my fault if you don't want to explain what the issue actually is.
    sorry my fault,

    the issue was, every topic with his answer opened automatically a login-window to muonline.re
    (his sig was empty - js code inside)

    idk if he did it specially (cuz it was like advertise) or by mistake, but this broke a part of mu online section, that's why i reported

    unless you disabled JS in browser, this window appeared even if u pressed "cancel"

    sry for my english
    Last edited by 2009x2014; 13-06-12 at 10:26 AM.

  3. #18
    Rishwin (Captain of the Universe)
    Rank: Legend
    Join Date: Oct 2004
    Location: Perth
    Posts: 15,952

    Re: A Report to Mental

    He says it was an honest mistake and caused by a bug within the forum. I personally believe him and agree that it shouldn't have happened, and he has since rectified it so it's no longer a problem.



  4. #19
    TimeBomb (Programmer)
    Rank: Moderator
    Join Date: May 2008
    Location: United States
    Posts: 1,252

    Re: A Report to Mental

    Interesting, I've heard of similar scenarios before. This sounds more like a general browser issue than a forum error.
    When the HTML img tag is found, it loads the img found in the src element, even if it is not an image. If it's not a valid image, then some browsers will hide it while others may display some sort of "error" image, ex. red X.

    This is actually one way that cross-site request forgery exploits are done.

    If this is indeed a browser issue as I would initially suspect, then there's not a lot you can do about it. This exploit should be reported to the browser development team if it's not already known (and if that were the case, I'd be a bit surprised).

    Random ramblings:
    Potentially, an image could be loaded that would require authentication, and if authentication always fails, then it would always lead to an unauthorized HTTP error page. That site (wherein you are unauthorized) could have a custom error page and thus could essentially allow for malicious intent... assuming that this error is actually a browser issue and that, upon getting a password wrong in this scenario, would indeed redirect to the malicious site.
    Haven't tested or looked into any of it though, so don't mind me. *whistle*

  5. #20
    KidRambo (Dubstep Producer)
    Rank: Alpha Male
    Join Date: Apr 2011
    Location: Chadderton, UK
    Posts: 1,839

    Re: A Report to Mental

    I don't think he should be demoted for an honest mistake,
    Quote Originally Posted by MentaL
    kid fucked in the ass.
    If I help you, please like, and +rep :)
    'You should have learned bitches love cake' - Borgore - Decisions

  6. #21
    I Rule MU (change my name already!)
    Rank: Gamma
    Join Date: Apr 2007
    Location: Jersey
    Posts: 4,548

    Re: A Report to Mental

    fuck being demodded, is this dude still alive? this stretches past forum powers, someone contact the local authorities around his area and set up an execution date. the nerve of some people I swear, the sooner he is dead the better.



    Quote Originally Posted by Batz View Post
    Quote Originally Posted by Parker View Post
    When IRMU makes a thread you don't question it, you just respect his authority.
    Quote Originally Posted by Savage View Post
    QFT. Everyone knows IRMU's authority.
    Yeah, and he's awesome. He's so awesome that I put him in Family category on MSN.


  7. #22
    bobsobol (Custom title enabled)
    Join Date: May 2007
    Location: UK
    Posts: 5,751

    Re: A Report to Mental

    Quote Originally Posted by I Rule MU View Post
    fuck being demodded, is this dude still alive? this stretches past forum powers, someone contact the local authorities around his area and set up an execution date. the nerve of some people I swear, the sooner he is dead the better.
    I take it that is sarcasm.

    Actually, it looks (and sounds) to me like it's neither a forum nor a browser bug. When you import off-site assets into a page, and the assets are in a simple html password protected folder on the off-site server, then you will be presented with a login dialogue (produced by your browser) before the asset can be displayed.

    Some browsers will try the anonymous user name and no password first, and some you can set not to even bother asking you if that fails. Either way, if the password fails, you won't see the off-site asset. The response will be 403, Forbidden. Which can't be displayed as an image.

    Your browser should discount a 403 header response as it does not fit the image/* mime type it expected. Depending on your browser, various image/* mime types may be supported. For example, many Amiga, and early Mac browsers would accept image/ilbm files, as well as the usual image/jpeg, image/gif type images. Many early Windows browsers would accept Windows Bitmap files too.

    I'm not so sure about the new vB we implemented, but if you include a flash file with a .jpg extension and wrap it in [img] bbcode the code used to fall through as if it was in [noparse] tags. (I quite fancied a flash sig, but when I was stopped, I could see good reasons why it may be blocked.)
    Last edited by bobsobol; 17-06-12 at 09:40 PM.
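
The mechanism discussed in the post above, as an added example (not part of the thread and not forum or vBulletin code): a moderation-side check that lists off-site `<img>` sources in user-supplied HTML and flags any whose server answers with an HTTP authentication challenge (status 401 plus a `WWW-Authenticate` header), the response that can make a browser offer a login dialog. Function names, hosts and responses are constructed assumptions; `fetch` is injected so the check runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ImgCollector(HTMLParser):
    """Collects the src of every <img>, which a browser fetches on render."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.urls.append(src)

def offsite_urls(html, forum_host):
    """Return <img> URLs in user HTML that point away from forum_host."""
    p = _ImgCollector()
    p.feed(html)
    # Relative URLs have no hostname and stay on the forum itself.
    return [u for u in p.urls if urlparse(u).hostname not in (None, forum_host)]

def classify(status, headers):
    """Decide how a response to an embedded image fetch should be treated."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in h:
        return "auth-challenge"   # server asks the visitor for credentials
    if status >= 400:
        return "broken"           # an error response, nothing to render
    if not h.get("content-type", "").lower().startswith("image/"):
        return "not-an-image"     # e.g. HTML or Flash behind a .jpg name
    return "ok"

def audit(html, forum_host, fetch):
    """fetch(url) -> (status, headers); injected so the check can run offline."""
    return {u: classify(*fetch(u)) for u in offsite_urls(html, forum_host)}

# Constructed sample data: hosts, paths and responses are made up.
SAMPLE_SIG = ('<a href="http://example.org/">home</a>'
              '<img src="http://assets.example.net/private/banner.jpg">'
              '<img src="/images/smilies/wink.gif">'
              '<img src="http://cdn.example.com/logo.png">')
SAMPLE_RESPONSES = {
    "http://assets.example.net/private/banner.jpg":
        (401, {"WWW-Authenticate": 'Basic realm="members"'}),
    "http://cdn.example.com/logo.png": (200, {"Content-Type": "image/png"}),
}

if __name__ == "__main__":
    print(audit(SAMPLE_SIG, "forum.example", SAMPLE_RESPONSES.__getitem__))
```

A forum that re-hosts or proxies images can run such a check when a post or signature is saved and reject anything not classified `ok`.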

  8. #23
    1Word (Don't be a hater)
    Rank: Alpha Male
    Join Date: Jan 2006
    Location: At home
    Posts: 1,838

    Re: A Report to Mental

    I would like to add to this thread that I tested the same thing on another vBulletin4 forum and this issue wasn't present there...

  9. #24
    DeathArmy (Member)
    Rank: Member
    Join Date: Dec 2009
    Posts: 88

    Re: A Report to Mental

    Quote Originally Posted by 1Word View Post
    I would like to add to this thread that I tested the same thing on another vBulletin4 forum and this issue wasn't present there...
    justification!

  10. #25
    TimeBomb (Programmer)
    Rank: Moderator
    Join Date: May 2008
    Location: United States
    Posts: 1,252

    Re: A Report to Mental

    Quote Originally Posted by 1Word View Post
    I would like to add to this thread that I tested the same thing on another vBulletin4 forum and this issue wasn't present there...
    Mhm, I can vouch for this.

    Created an invalid image that required authentication, and put it into an image tag. The browser showed it as a broken image, and didn't ask for authentication.

    But... looking at OP's post again, the source code highlighted was purely a link to 1Word's homepage in a html <a> tag - it wasn't an image. That code won't execute unless you click the link; and his signature is just as, if not more harmless.

    I feel like there's missing information here. I wish it hadn't been fixed, as it sounds like either OP is mistaken, or 1Word seemingly accidentally found a major forum or browser exploit, which is not the case based on the information in this thread.



