No more html?

A moderator at mfsd confirmed that sdmb would no longer allow html for security reasons. WTF?

mfsd misc.facts.straight-dope
sdmb Straight Dope Message Board
html hypertext metalanguage
WTF where’s the food

It’s sad that the few (or the one?) can ruin it for the many. :frowning:

But how was html the culprit? Not that I need to know, …


Disgruntled x-doper???


I do not know if it was the case here, but UBB iplementations are notorious for not handling all HTML codes correctly. This can often be used by imaginative folks to gain access to file structures that are supposed to be protected by the UBB “shell”. It is possible that someone found a way to gain access to the native Unix filesystem and successfully either downloaded a passwd file to crack at his leisure or managed to run a root kit on the server itself. This is most likely if the UBB daemon was running under the root account.

The best lack all conviction
The worst are full of passionate intensity.

I sort of doubt the SDMB admins would be dumb enough to do something like that. That’s sort of like leaving your car unlocked with the keys in the ignition in the middle of the high crime part of town. Ideally, you want to put the server behind a good firewall, and run any necessary daemons in a chrooted environment that doesn’t have access to the rest of the filesystem.

It really steams me that somebody would vandalize the message board like that, but it does happen. All one can do is invest in good security measures and make examples out of anybody you can catch doing such a thing.

peas on earth

You are right, of course, but that is a separate issue. Neither a firewall nor a chroot will restrict access if a root kit (there are many variations) has been executed. (Well, the firewall might require a separate penetration depending upon the specifics of the configuration.) I do not feel it is prudent to go into much detail, but the only critical piece in the scenario I was specualting about is the userid under which the UBB demons execute.

Let me also state that I do not think this is the most likely means that were used in this case. I, personally, do not know of a UBB/HTML hack that would allow direct code execution by the UBB daemon, but I do not assume that such a hack is impossible. My own guess is that a more conventional UBB hack was used. I have a particular method in mind, but will refrain from posting it in the interest of future peace of mind.

The best lack all conviction
The worst are full of passionate intensity.