I was wondering what that strange username and password prompt was about. Glad I clicked Cancel rather than entering my information. I just thought it was a forum glitch. Had no idea it was phishing.
It seems like you should be able to fix this by having the BB cache external images first, then display them through a URL that goes to your local site instead. I think this is possible through squid, but not positive how to set it up.
I've private messaged you with a new fix, this one is sure to work.
I give up, apparently bandwidth is an issue for them in this case, whitelisting will have to be the only solution for now.
But you could trick users to do something like this. That would take them to a "fake Minecraft forum" for example, telling you to login.
You could do that with links too... No need for image
True true... but images may work better.
That problem is trivial. Exploiters do this for banks, too, but the users have to be smart enough to realize that minecraftforum.net.ru is not the same as minecraftforum.net, and not to mention they would get suspicious having to log in all over again all of a sudden...
The issue with images is that since they're hotlinked, they're susceptible to XSS (in poorly designed browsers, aka IE), and HTTP features such as the login prompt. One could also post an image which points to a script that logs IP addresses of all the users who browse the forums...
EDIT: This can be subverted by tunneling all images through a web proxy that removes special HTTP headers. The downside is this adds additional overhead to your website and uses more bandwidth. Cache daemons, such as Squid, try to minimize this overhead.
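A sketch of the filtering step such an image proxy would apply, added here as an illustration and not code from the forum or any poster. The host whitelist contents, the relayed-header allowlist and the function names are assumptions; the sample responses are constructed.

```python
from urllib.parse import urlsplit

# Assumed whitelist; the thread only mentions tinypic as whitelisted.
ALLOWED_HOSTS = {"tinypic.com"}
# Upstream headers the proxy relays; every other header is dropped.
PASS_HEADERS = {"content-type", "content-length", "last-modified", "etag"}
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}


def host_allowed(url):
    """True if the URL is http(s) and its host is a whitelisted host
    or a subdomain of one. Matching on a dot boundary keeps lookalikes
    such as tinypic.com.ru from passing."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def sanitize_response(status, headers):
    """Decide whether an upstream response may be relayed to the browser.

    Returns (ok, relay_headers). Only a 200 with an image Content-Type
    passes, so a 401 with WWW-Authenticate (the login prompt) is never
    forwarded, and cookies or other upstream headers are stripped."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if status != 200:
        return False, {}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in IMAGE_TYPES:
        return False, {}
    relay = {k: v for k, v in lowered.items() if k in PASS_HEADERS}
    # Tell the browser not to sniff the body as HTML or script.
    relay["x-content-type-options"] = "nosniff"
    return True, relay


# Constructed upstream responses (not captured traffic).
AUTH_PROMPT = (401, {"WWW-Authenticate": 'Basic realm="forum login"',
                     "Content-Type": "text/html"})
PLAIN_IMAGE = (200, {"Content-Type": "image/png; charset=binary",
                     "Content-Length": "512", "Set-Cookie": "id=1"})
```

Because the proxy makes the upstream request itself, the image host sees the proxy's address rather than each reader's.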
I've posted a suggestion in the Forum Discussion forum that may help to remedy this issue if applied to images, as well as help protect the forums against malicious links.
Let's remove images and links and remove the entire site, that'll show him!
This.
Honestly? The best fix for this "problem" is simply for the user to take the most basic of precautions, like hovering the mouse over the link before clicking to check the URL, and having adequate security software installed. Disabling any sort of BBCode is just a massive inconvenience to everyone EXCEPT the spammers, who most likely are using programs to do this.
edit - this could also be worked around by using a domain blacklist or fixing board attachments.
[FAQ] Extremely Common Problems
[OFFICIAL] Dragon Cave Thread
SIMG has been fixed. Both img and simg now both apply class="simg".
thefool76.com
Having the caution messages in all of my posts is a bit off-putting :/
(Especially since I do texture packs.)
I private messaged you a day or so ago with the solution.
Okay... my private message apparently never went through, just sent it again.
Replied, but yeah, that won't work.
The above image takes you to Google. It's not malicious.
...now citric is going to yell at me as I teach ways to exploit stuff. But just fix this thing. Delete IMG completely.
AngelCraft 64 Texture Pack v2.0.2 (Beta 1.8.1)
Nerd, geek, server admin, guy wearing a rainbow skin (with an office suit of epicness)? That's me.
...you're supposed to be able to link to external places, what are you talking about?
Lol! (Credit ViscousPrudoctions.)
viewtopic.php?f=7&t=201872
It's not a perfect solution but I think it would be quite helpful.
Not glad to see that that thing is just the 'external image proceed with caution' issue.
Can't we just use a user agent detector to redirect IE users to google.com/chrome?
tinypic must be whitelisted, but minecraftforum not. How would one apply for whitelisting? All of my images are hosted from my own domain. =[