I have sent a PM to Joshuar but nothing has been done about it :( Heres a demo of how it works-
http://tom743.awardspace.com/hxf/
If you go to http://tom743.awardspace.com/hxf/test.txt you will knotice your IP has been logged, its against the rules of the forum to post peoples IPs because its personal infomation, so in my oppinion this should be fixed as soon as possible. Anyone could figure out how to do the code, its only 7 lines long. If someone puts that code in there signature then they could get hundreds of ips if they post regualy.

If someone has a computer with remote access enabled and they still have the default admin/administrator account that is on XP which has no password (maybe vista as well) you could connect to there computer and view files, delete files, copy files to there computer, copy files from there computer. Allthough thats a little far fetched it could happen.

By the way you can delete your ip from the text file by clicking here (http://tom743.awardspace.com/hxf/delete.php).

Thanks for reading this.

Tom, it's not an exploit...

You can do it secretly via any image, it'd be a waste of time trying to 'patch' it.

Tom, it's not an exploit...

You can do it secretly via any image, it'd be a waste of time trying to 'patch' it.

Edit: Bloody lag >_<

Wouldn't the person have to know port number to connect to your computer?

On digitalpoint images that aren't really images just display as a link even if it's a dir called like orly.jpg or something. But nearly all forums are vulnerable to this, warez-bb is and they have much more members than HxF so they would more likely be targeted.

Cpanel automatically logs IP's anyway so I've got a few thousand ip's off several users on my Cpanel anyway, not like i'm going to do anything with them even if I could do anything ;).

Exactly, IPs are extremely easy to get, but you can't do anything with them apart from prevent them from visiting your website :P

If logging ip's was such a risk, I'm sure they wouldn't allow you to log them :P

But you can easily find out the location of the ip with them (Well, city).

Couldn't connect to mine.

Remote Desktop is off. It's not on my exceptions list.

:D:D

have to admit these stupid scripts to get profile views and thread views is annoying as crap now

this is why I think you should ban all signatures and just have text


too many rule breaking, first that habbo log out crap

now this. I agree tom743 its out of hand.


P.s. How can you disable remote access I think i have but incase + don't u have our ip now cuz of the image, i never clicked link.

this is why I think you should ban all signatures and just have text


too many rule breaking, first that habbo log out crap

now this. I agree tom743 its out of hand.


P.s. How can you disable remote access I think i have but incase + don't u have our ip now cuz of the image, i never clicked link.
No, simply banning [img] tags would do it. :$

No, simply banning [img] tags would do it. :$
yh but as usual, nothing gets done

this is why I think you should ban all signatures and just have text


too many rule breaking, first that habbo log out crap

now this. I agree tom743 its out of hand.


P.s. How can you disable remote access I think i have but incase + don't u have our ip now cuz of the image, i never clicked link.
Uh huh, never own a forum. You'll make it featureless... Anyone can get an IP. Heck, I have loads stashed in my TraceWatch IP logger for people who've viewed 2 forums I use (I'm admin). You can't do much with them other than know of a location, but in most cases an IP points to some weird address no-where near where you live. That Habbo Log-out thing was fixed anywhere, when Habbo introduced tokens so I don't see why you're sitting in a nuclear bunker when peace is forecasted...

Anyone want my IP and port?

I wouldnt give a crap, so shouldnt other people.

Oh and, You need alot more then an IP address to connect to remote desktop so if anyone thinks it a risk to have it on then please, It fine :)

Uh huh, never own a forum. You'll make it featureless... Anyone can get an IP. Heck, I have loads stashed in my TraceWatch IP logger for people who've viewed 2 forums I use (I'm admin). You can't do much with them other than know of a location, but in most cases an IP points to some weird address no-where near where you live. That Habbo Log-out thing was fixed anywhere, when Habbo introduced tokens so I don't see why you're sitting in a nuclear bunker when peace is forecasted...

its just my view, it stops all other sites using them annoying signatures aswell, so yes I still stick to my point, the security on this forum isn't that great tbh as 1 by 1 qamp is striking again...

its just my view, it stops all other sites using them annoying signatures aswell, so yes I still stick to my point, the security on this forum isn't that great tbh as 1 by 1 qamp is striking again...
Nothing to do with forum sercurity, people are stupid enough to fall for phishers, keyloggers and give out personal information to be able to be reverted with.

its just my view, it stops all other sites using them annoying signatures aswell, so yes I still stick to my point, the security on this forum isn't that great tbh as 1 by 1 qamp is striking again...

yep, it all the forums fault, people are getting hacked by qamp becasue he hacking the da forum woop woop

Nothing to do with forum sercurity, people are stupid enough to fall for phishers, keyloggers and give out personal information to be able to be reverted with.


yep, it all the forums fault, people are getting hacked by qamp becasue he hacking the da forum woop woop

Well it is as pretty much the user that has the power, as qamp told me
when elkaa got safety banned... :rolleyes:

That wouldnt be the forum fault though....

l0l

That wouldnt be the forum fault though....

l0l


tbh I think the people that should see on info should be only the forum owner
+
nvr imo

Yep let run the forum with 2 people (Y)

Well it is as pretty much the user that has the power, as qamp told me
when elkaa got safety banned... :rolleyes:
Qamp cant hack to save his life :).

All he is is a stupid child who by getting peoples info sutch as name and DOB calles up microsoft gets your windows live pass and then reverts everything to do with you account sutch as HxF,bebo,facebook ect. so if anyones security is to blame then blame them at microsoft.

Elkaa only got safety banned incase tehre was a risk his passowrd was the same as his msn.

Also note the reason mods and smods and admons have no email connected to there account so if someone does revert there msn then they cant get there hxf unless they use the same password.

Qamp cant hack to save his life :).

All he is is a stupid child who by getting peoples info sutch as name and DOB calles up microsoft gets your windows live pass and then reverts everything to do with you account sutch as HxF,bebo,facebook ect. so if anyones security is to blame then blame them at microsoft.

Elkaa only got safety banned incase tehre was a risk his passowrd was the same as his msn.

Also note the reason mods and smods and admons have no email connected to there account so if someone does revert there msn then they cant get there hxf unless they use the same password.

its funny how u say that lol

:S cuz he even posted a comment on my profile, with emails passwords etc..
i reported it

+ he told me he hacked elkaa myspace then his forum password, then got my email pretty much he said thats why he got safety ban and as usual habboxforum didn't tell you nothing.

EDIT: NO POINT DEBATING, THERE IS ALREADY AN OPTION :O IS THAT NEW?

its funny how u say that lol

:S cuz he even posted a comment on my profile, with emails passwords etc..
i reported it

+ he told me he hacked elkaa myspace then his forum password, then got my email pretty much he said thats why he got safety ban and as usual habboxforum didn't tell you nothing.
I can tell you for a fact admins,smods and mods have no email connected to there account. Elkaa had his email revered, there was accually a thread in mod forums about it. He then did it again 2 weeks later.

All qamp does is revert he can not "hack"

its funny how u say that lol

:S cuz he even posted a comment on my profile, with emails passwords etc..
i reported it

+ he told me he hacked elkaa myspace then his forum password, then got my email pretty much he said thats why he got safety ban and as usual habboxforum didn't tell you nothing.
You're missing the point. Qamp can't hack, all he does is ask you your Windows Live recovery question and gains access to your Windows Live ID.

I still think that people are being stupid over "LOL I HAVE A SCRIPT WHICH GIVES ME PROFILE VIEWS" its annoying, its basically exploiting the img tag and its sort of unfair, people are like "ooh look I have blahblahblah profile views :)" then someone else is like "I have a script to get thousands so ha"

its annoying and I think it should atleast be in the rules not to use it to get thread or profile views

You're missing the point. Qamp can't hack, all he does is ask you your Windows Live recovery question and gains access to your Windows Live ID.


then requests for a password to habbo account and HACKS into it?

Dude, stop using the word hack unless it actully hacking

people like you use hacking "hack" the wrong way -.-

I still think that people are being stupid over "LOL I HAVE A SCRIPT WHICH GIVES ME PROFILE VIEWS" its annoying, its basically exploiting the img tag and its sort of unfair, people are like "ooh look I have blahblahblah profile views :)" then someone else is like "I have a script to get thousands so ha"

its annoying and I think it should atleast be in the rules not to use it to get thread or profile views


I agree tbh, answering the thread, check your options, you can actually hide signatures/ [img] tag only

I HID ALL SIGNATURES :D

then requests for a password to habbo account and HACKS into it?
I have highlighted the errors.

I still think that people are being stupid over "LOL I HAVE A SCRIPT WHICH GIVES ME PROFILE VIEWS" its annoying, its basically exploiting the img tag and its sort of unfair, people are like "ooh look I have blahblahblah profile views :)" then someone else is like "I have a script to get thousands so ha"

its annoying and I think it should atleast be in the rules not to use it to get thread or profile views


I have highlighted the errors.
explain pls :D

+ i answered ur thread pretty much

then requests for a password to habbo account and HACKS into it?
Nope what he does is he click forgotten my password for you habbo and they send passowrd to the email wich he has reverted and hey proesto he has reverted you habbo as well. This is the same as well for myspace,facebook the list is endless.

This isn't an exploit. It can be done loads of ways. Most sites log your IP as soon as you visit anyway so it doesn't matter.

In future please report bugs/exploits etc in the bug tracker.

Its not just about ips though its annoying cheating views

Nope what he does is he click forgotten my password for you habbo and they send passowrd to the email wich he has reverted and hey proesto he has reverted you habbo as well. This is the same as well for myspace,facebook the list is endless.
so even if he accessed your account after reverting is the term hacked still right?

No becasue he didnt hack it..

No becasue he didnt hack it..
okay tyvm
i understand the term now.

so even if he accessed your account after reverting is the term hacked still right?
No reverted is the word

Hacking is totally differnt is is done by using things like expliots in sites to get your password. Or using things like brute forcers to guess your password.

No becasue he didnt hack it..
Correct :)

erm

okay a friend I knew on habbo recently got hacked

and said that she got hacked by changing email addresses then asking for activation email, but once u do that, ur email goes back to your old address (first email)

so like what is term for that, reverted/hacked, somehow they managed to click the link the victim said.

I agree tbh, answering the thread, check your options, you can actually hide signatures/ [img] tag only

I HID ALL SIGNATURES :D
That's what I do. I have sigs and avs hidden cos it looks better.

That's what I do. I have sigs and avs hidden cos it looks better.
It loads 0.45737466 faster aswell.

You can hide signatures, we'll bring in a rule shortly about cheating for profile and page views etc. Its a rule that shouldn't harm anyone who isn't doing anything they shouldn't :)

You can hide signatures, we'll bring in a rule shortly about cheating for profile and page views etc. Its a rule that shouldn't harm anyone who isn't doing anything they shouldn't :)
Maybe a rule about hiding pages image tags aswell?

Maybe a rule about hiding pages image tags aswell?

Basically the rule is you only put an image URL in an image tag. That should sort it?

Cpanel automatically logs IP's anyway so I've got a few thousand ip's off several users on my Cpanel anyway, not like i'm going to do anything with them even if I could do anything ;).
So that was who was opening dirty websites on my PC eh?

Basically the rule is you only put an image URL in an image tag. That should sort it?
That's going to be pointless at the end of the day, unless you hire a team to go through all signatures, threads and posts looking for links in image tags - Because having mods and super mods doing it will be a waste of their time when they could be doing something else that's more important. Surely there must be a way of doing it in the word filter? Isn't

"*.png/gif/jpg" an option in the word filter which means only those can be allowed, or would you have to type out all instances e.g. php/html/htm and so on and so forth?

Seems weird vB haven't sorted this out :S Maybe Google has answers :D

That's going to be pointless at the end of the day, unless you hire a team to go through all signatures, threads and posts looking for links in image tags - Because having mods and super mods doing it will be a waste of their time when they could be doing something else that's more important. Surely there must be a way of doing it in the word filter? Isn't

"*.png/gif/jpg" an option in the word filter which means only those can be allowed, or would you have to type out all instances e.g. php/html/htm and so on and so forth?

Seems weird vB haven't sorted this out :S Maybe Google has answers :D

Well we were considering doing it on an as-reported basis mostly. Obviously members are noticing, so they'd report it to a super moderator. Plus, mods check sigs in their forums for oversized images anyway.

I did find a google answer for it when we had the skin change problems, however MAD said that putting in the code would be too resource intensive.