[IMG] tag exploit

Decode · 31-08-2008, 11:56 AM

I have sent a PM to Joshuar but nothing has been done about it

Heres a demo of how it works-

If you go to http://tom743.awardspace.com/hxf/test.txt you will knotice your IP has been logged, its against the rules of the forum to post peoples IPs because its personal infomation, so in my oppinion this should be fixed as soon as possible. Anyone could figure out how to do the code, its only 7 lines long. If someone puts that code in there signature then they could get hundreds of ips if they post regualy.

If someone has a computer with remote access enabled and they still have the default admin/administrator account that is on XP which has no password (maybe vista as well) you could connect to there computer and view files, delete files, copy files to there computer, copy files from there computer. Allthough thats a little far fetched it could happen.

By the way you can delete your ip from the text file by clicking here.

Thanks for reading this.

Invent · 31-08-2008, 12:00 PM

Tom, it's not an exploit...

You can do it secretly via any image, it'd be a waste of time trying to 'patch' it.

Invent · 31-08-2008, 12:00 PM

Tom, it's not an exploit...

You can do it secretly via any image, it'd be a waste of time trying to 'patch' it.

Edit: Bloody lag >_<

Jxhn · 31-08-2008, 12:04 PM

Wouldn't the person have to know port number to connect to your computer?

On digitalpoint images that aren't really images just display as a link even if it's a dir called like orly.jpg or something. But nearly all forums are vulnerable to this, warez-bb is and they have much more members than HxF so they would more likely be targeted.

**--ss--** · 31-08-2008, 12:09 PM

Cpanel automatically logs IP's anyway so I've got a few thousand ip's off several users on my Cpanel anyway, not like i'm going to do anything with them even if I could do anything

.

Invent · 31-08-2008, 12:15 PM

Exactly, IPs are extremely easy to get, but you can't do anything with them apart from prevent them from visiting your website

~~Moh~~ · 31-08-2008, 12:17 PM

If logging ip's was such a risk, I'm sure they wouldn't allow you to log them

But you can easily find out the location of the ip with them (Well, city).

H0BJ0B · 31-08-2008, 12:23 PM

Couldn't connect to mine.

Remote Desktop is off. It's not on my exceptions list.

~~Stephen08~~ · 31-08-2008, 12:50 PM

have to admit these stupid scripts to get profile views and thread views is annoying as crap now

msb. · 31-08-2008, 01:37 PM

this is why I think you should ban all signatures and just have text

too many rule breaking, first that habbo log out crap

now this. I agree tom743 its out of hand.

P.s. How can you disable remote access I think i have but incase + don't u have our ip now cuz of the image, i never clicked link.

Thread: [IMG] tag exploit

Thread Tools

[IMG] tag exploit

Posting Permissions