The Second Life forums use vBulletin brand forum software, verson 3.0.5. "vB Code" is vBulletin's form of BBCode, which allows forum posters to easily insert links, images, apply formatting, etc. in forum posts. No explanation has been given by Linden Lab. A statement was made that vB Code would be turned back on, but no further word on the subject has been issued.
Possibly it has something to do with the information presented below taken from http://forums.nexcess.net/showthread.php?t=596
JELSOFT SECURITY BULLETINThe page at http://www.vulnerabilityscanning.com/vBulletin-BB-Tag-XSS-Test_16280.htm says:
http://www.vbulletin.com/
January 21st, 2005
This email contains important security-related information.
Please read it carefully.
* vBulletin 3.0.6 / 2.3.6 Released
* Performance Hit Since PHP 4.3.10 / 5.0.3
* Your License Information
* Contact Us
------------ VBULLETIN 3.0.6 / 2.3.6 RELEASED ------------
vBulletin 3.0.6 and 2.3.6 are security and bug fix
releases. They fix a recently discovered XSS issue
regarding BB code parsing.
All versions of vBulletin prior to 3.0.6 and 2.3.6 are
vulnerable. The only workaround is to disable BB code
parsing in signatures and all forums where untrusted users
can post.
Such versions are reportedly vulnerable to aIf this or a similar security issue is really the problem, is there a good reason why Linden Lab couldn't just say the vB Code has been turned off for a security reason and won't be turned on until the forum software is replaced, which may well never happen?
cross-site scripting issue involving its BB code parsing.
As a result of this vulnerability, it is possible for a remote
attacker to create a malicious link containing script code that will
be executed in the browser of an unsuspecting user when followed.
This may facilitate the theft of cookie-based authentication
credentials as well as other attacks
The Second Life forums use rental car nearby me brand forum software
ReplyDelete