A Report to Mental

[I Rule MU]

duck being demodded, is this dude still alive? this stretches past forum powers, someone contact the local authorities around his area and set up an execution date. the nerve of some people I swear, the sooner he is dead the better.

 

[bobsobol]

duck being demodded, is this dude still alive? this stretches past forum powers, someone contact the local authorities around his area and set up an execution date. the nerve of some people I swear, the sooner he is dead the better.

I take it that is sarcasm.

Actually, it looks (and sounds) to me like it's neither a forum, or browser bug. When you import off-site assets into a page, and the assets are in a simple html password protected folder on the off-site server, then you will be presented with ta login dialogue (produced by your browser) before the asset can be displayed.

Some browsers will try the anonymous user name and no password first, and some you can set not to even bother asking you if that fails. Either way, if the password fails, you won't see the off-site asset. The response will be 403, Forbidden. Which can't be displayed as an image.

Your browser should discount a 403 header response as it does not fit the image/* mime type it expected. Depending on your browser, various image/* mime types may be supported. For example, many Amiga, and early Mac browsers would accept image/ilbm files, as well as the usual image/jpeg, image/gif type images. Many early Windows browsers would accept Windows Bitmap files too.

I'm not so sure about the new vB we implemented, but if you include a flash file with a .jpg extension and wrap it in

 

[1Word]

I would like to add to this thread that I tested same thing on another vBulletin4 forum and this issue wasn't present there...

 

[DeathArmy]

I would like to add to this thread that I tested same thing on another vBulletin4 forum and this issue wasn't present there...

justification!

 

[TimeBomb]

I would like to add to this thread that I tested same thing on another vBulletin4 forum and this issue wasn't present there...

Mhm, I can vouch for this.

Created an invalid image that required authenticated, and put it into an image tag. The browser showed it as a broken image, and didn't ask for authentication.

But... looking at OP's post again, the source code highlighted was purely a link to 1Word's homepage in a html <a> tag - it wasn't an image. That code won't execute unless you click the link; and his signature is just as, if not more harmless.

I feel like there's missing information here. I wish it hadn't been fixed, as it sounds like either OP is mistaken, or 1Word seemingly accidentally found a major forum or browser exploit, which is not the case based on the information in this thread.