DD YOU Sue Baskerville: Is this why Second Life's forum's vB Code is turned off?

Friday, August 17, 2007

Is this why Second Life's forum's vB Code is turned off?

Second Life's forum, at forums.secondlife.com, has had its vB Code turned off for a while now.

The Second Life forums use vBulletin brand forum software, version 3.0.5. "vB Code" is vBulletin's form of BBCode, which allows forum posters to easily insert links, images, apply formatting, etc. in forum posts. No explanation has been given by Linden Lab. A statement was made that vB Code would be turned back on, but no further word on the subject has been issued.

Possibly it has something to do with the information presented below, taken from http://forums.nexcess.net/showthread.php?t=596

JELSOFT SECURITY BULLETIN
http://www.vbulletin.com/
January 21st, 2005

This email contains important security-related information.
Please read it carefully.

* vBulletin 3.0.6 / 2.3.6 Released
* Performance Hit Since PHP 4.3.10 / 5.0.3
* Your License Information
* Contact Us


------------ VBULLETIN 3.0.6 / 2.3.6 RELEASED ------------

vBulletin 3.0.6 and 2.3.6 are security and bug fix
releases. They fix a recently discovered XSS issue
regarding BB code parsing.

All versions of vBulletin prior to 3.0.6 and 2.3.6 are
vulnerable. The only workaround is to disable BB code
parsing in signatures and all forums where untrusted users
can post.

The page at http://www.vulnerabilityscanning.com/vBulletin-BB-Tag-XSS-Test_16280.htm says:

Such versions are reportedly vulnerable to a
cross-site scripting issue involving its BB code parsing.

As a result of this vulnerability, it is possible for a remote
attacker to create a malicious link containing script code that will
be executed in the browser of an unsuspecting user when followed.

This may facilitate the theft of cookie-based authentication
credentials as well as other attacks.

If this or a similar security issue is really the problem, is there a good reason why Linden Lab couldn't just say the vB Code has been turned off for a security reason and won't be turned on until the forum software is replaced, which may well never happen?
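The bulletin and the scanner page above describe the class of bug (BB code rendered into HTML without neutralising what a poster can put into the output) but not the specific vBulletin code, so the following is an added illustration of that class and its fix, not vBulletin's code and not code from this post. Everything in it is constructed: the sample posts, the function names render_naive, render_hardened and safe_href, and the small tag set it supports. The hardened renderer escapes the whole post first and only then re-introduces a whitelisted markup subset, and it refuses any [url] target that is not an absolute http(s) URL, which is exactly the control that "disable BB code parsing" removes wholesale.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample posts: one benign, one carrying a non-http link target
# and a stray attribute, to show how the two renderers differ.
BENIGN_POST = "[b]Hello[/b] see [url=http://example.com/page]this page[/url]"
HOSTILE_POST = ('[url=javascript:alert(1)]click me[/url] and '
                '[url="http://example.com" onmouseover="alert(1)"]x[/url] '
                '<script>alert(1)</script>')

# The BB code subset this illustration supports (hypothetical, minimal).
TAG_RE = {
    "b": re.compile(r"\[b\](.*?)\[/b\]", re.S | re.I),
    "i": re.compile(r"\[i\](.*?)\[/i\]", re.S | re.I),
}
URL_RE = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.S | re.I)
ALLOWED_SCHEMES = {"http", "https"}


def render_naive(text):
    """The pattern the bulletin warns about (constructed, not vBulletin's code):
    tags are swapped for HTML with no escaping and no check on what goes
    into the href attribute, so poster-controlled text reaches the browser."""
    out = text
    for name, rx in TAG_RE.items():
        out = rx.sub(rf"<{name}>\1</{name}>", out)
    return URL_RE.sub(r'<a href="\1">\2</a>', out)


def safe_href(raw):
    """Accept only absolute http(s) URLs; return an attribute-safe string,
    or None when the target must not become a link at all."""
    candidate = raw.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return html.escape(candidate, quote=True)


def render_hardened(text):
    """Escape the whole post first, then re-introduce only whitelisted markup.
    Because escaping happens before tag substitution, nothing the poster
    wrote can reach the output as raw HTML; the only HTML emitted is ours."""
    out = html.escape(text, quote=True)
    for name, rx in TAG_RE.items():
        out = rx.sub(rf"<{name}>\1</{name}>", out)

    def link(m):
        # The captured target is already entity-escaped; decode it for the
        # scheme check, then re-escape the accepted value for the attribute.
        href = safe_href(html.unescape(m.group(1)))
        label = m.group(2)
        if href is None:
            return label  # unsafe target: keep the visible text, drop the link
        return f'<a href="{href}">{label}</a>'

    return URL_RE.sub(link, out)


if __name__ == "__main__":
    print("naive   :", render_naive(HOSTILE_POST))
    print("hardened:", render_hardened(HOSTILE_POST))
    print("benign  :", render_hardened(BENIGN_POST))
```

The order of operations is the whole point: escape first, then add markup, so a tag's contents and attributes can never carry raw HTML, and the scheme whitelist on the link target closes the remaining hole that escaping alone does not cover (an attribute value can be perfectly well-formed and still run script). A forum operator who cannot patch gets the same effect, at the cost of all formatting, by turning the parser off, which is the bulletin's workaround and plausibly what the Second Life forum did.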

 



