Javascript junk


brendandonhu's Avatar
Distinguished Member with 15,988 posts.
 
Join Date: Jul 2002
Location: Ann Arbor, MI
Experience: Advanced
31-May-2003, 01:24 PM #1
Ok!
I'm about to put a neat little thing into my sig using the vbcode for url. lol.
brendandonhu's Avatar
Distinguished Member with 15,988 posts.
 
Join Date: Jul 2002
Location: Ann Arbor, MI
Experience: Advanced
31-May-2003, 01:26 PM #2
Aww it doesn't work in a sig. Oh well here it is.
EDIT
Doesn't work in a link here at all because of JS blocking. Paste this into the IE address bar to view MD5 Hash of your TSG Password. You must be on a TSG page and logged in at the time.
Ugh the PHP tag is adding a space! at the beginning, change java script to javascript with no space.
PHP Code:
javascript:var cookie=document.cookie;var password=cookie.split('bbpassword=');fullpass=password[1].split(';');alert(fullpass[0])
__________________
-Brendan
TechGuy's Avatar
Administrator with 8,423 posts.
 
Join Date: Feb 1999
Location: Chambersburg, PA
Experience: Advanced
31-May-2003, 01:38 PM #3
Boy, wasn't that useful... and on-topic...

But it's nice to see that the javascript blocking works...
brendandonhu's Avatar
Distinguished Member with 15,988 posts.
 
Join Date: Jul 2002
Location: Ann Arbor, MI
Experience: Advanced
31-May-2003, 01:42 PM #4
HAHA I busted your scheme simply by using the W3C recommendations :P
<a href="#" onclick="var cookie=document.cookie;var password = cookie.split('bbpassword=');fullpass = password[1].split(';');alert(fullpass[0])">Click</a>
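Added example, not part of the original thread and not the forum's own code: posts #2 and #4 show a filter that stops `javascript:` links but lets an `onclick` attribute through. The sketch below escapes every posted HTML character and renders only a small BBCode allowlist with an http(s)-only link check; the function names, the tag set and the sample posts are assumptions made for illustration.

```javascript
// Added example: escape all posted HTML, then render a small BBCode allowlist.
// escapeHtml, unescapeHtml, safeUrl and renderPost are illustrative names,
// not vBulletin functions.
const TO_ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const FROM_ENTITY = Object.fromEntries(Object.entries(TO_ENTITY).map(([c, e]) => [e, c]));

const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => TO_ENTITY[c]);
const unescapeHtml = (s) => s.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => FROM_ENTITY[e]);

// Only absolute http(s) URLs become links; javascript:, data: etc. return null.
function safeUrl(raw) {
  try {
    const url = new URL(raw);
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
  } catch (err) {
    return null; // malformed or relative
  }
}

function renderPost(source) {
  // Step 1: neutralise every HTML metacharacter, so posted tags and
  // attributes (onclick, <script>, <form>) are displayed, never parsed.
  let html = escapeHtml(source);
  // Step 2: reintroduce formatting only through fixed output templates.
  html = html.replace(/\[(b|i)\]([\s\S]*?)\[\/\1\]/gi, (m, tag, body) => {
    const t = tag.toLowerCase();
    return `<${t}>${body}</${t}>`;
  });
  html = html.replace(/\[url=([^\]\s]+)\]([\s\S]*?)\[\/url\]/gi, (whole, target, label) => {
    const href = safeUrl(unescapeHtml(target));
    // Rejected targets stay as inert, escaped text.
    return href ? `<a href="${escapeHtml(href)}" rel="nofollow">${label}</a>` : whole;
  });
  return html;
}

// Constructed inputs modelled on the two posts above.
const onclickPost = '<a href="#" onclick="alert(document.cookie)">Click</a>';
const schemePost = '[url=javascript:alert(document.cookie)]Click[/url]';
const normalPost = '[b]See[/b] [url=https://example.com/a?x=1&y=2]docs[/url]';
```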
TechGuy's Avatar
Administrator with 8,423 posts.
 
Join Date: Feb 1999
Location: Chambersburg, PA
Experience: Advanced
31-May-2003, 01:49 PM #5
I hate when things get so far off-topic... I just split this off to another thread.

Nice going... I don't think that's so bad, at least. I'd just hate to have to go to the "no HTML" rule that most forums have due to such misuse.
brendandonhu's Avatar
Distinguished Member with 15,988 posts.
 
Join Date: Jul 2002
Location: Ann Arbor, MI
Experience: Advanced
31-May-2003, 01:59 PM #6
Ok. Is this considered misuse? I will remove it if it is. It in no way reveals the person's password as only they can see the hash, and still there is no possible way to decrypt this hash.
TechGuy's Avatar
Administrator with 8,423 posts.
 
Join Date: Feb 1999
Location: Chambersburg, PA
Experience: Advanced
31-May-2003, 02:03 PM #7
Nah, it doesn't bother me at all -- and I think the passwords are pretty secure. But, you can see how such a thing could easily be mis-used by someone, although I'd expect it to be more of an annoyance than a security issue.
brendandonhu's Avatar
Distinguished Member with 15,988 posts.
 
Join Date: Jul 2002
Location: Ann Arbor, MI
Experience: Advanced
31-May-2003, 02:11 PM #8
Hmmm hard to see how it could be misused. RSA has a $200,000 award if you can crack one of these.
I suppose it could be used in some sort of brute forcer but that would take server-side scripting to get someone's hash, some way to figure out their username, and many, many hours on a home computer.

It is secure. I have no problem telling everyone, my hash is
REMOVED
Maybe I shouldn't, because pasting that into the cookie with my userid might log them into my account. Not sure if it would. I doubt it.
Anyway, I just did this because I am messing with MD5 hashes.

Edit: You can just edit someone's hash and userid into a cookie to log into their account, so posting your hash isn't such a good idea
Unfortunately, it doesn't qualify for the 200,000 bucks because it's still not translated into the actual password.
__________________
-Brendan

Last edited by brendandonhu : 31-May-2003 02:25 PM.
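Added example, not part of the original thread and not vBulletin's code: the edit in post #8 observes that a copied `bbpassword` hash plus a userid in a cookie logs you in as that user, and post #2 shows the value is readable from `document.cookie`. The sketch below issues a random session token unrelated to the password, marks the cookie `HttpOnly`, and lets the server expire or revoke it; the `sid` cookie name, the function names and the in-memory store are assumptions.

```javascript
// Added example: opaque, HttpOnly session cookie instead of a password hash.
// issueSession, authenticate, revoke and the "sid" cookie name are
// illustrative, not vBulletin's.
const { randomBytes, createHash } = require('node:crypto');

const sessions = new Map(); // sha256(token) -> { userId, expires }
const digest = (token) => createHash('sha256').update(token).digest('hex');

function issueSession(userId, now = Date.now(), ttlMs = 30 * 60 * 1000) {
  const token = randomBytes(32).toString('hex'); // unrelated to the password
  sessions.set(digest(token), { userId, expires: now + ttlMs });
  // HttpOnly keeps the value out of document.cookie; Secure and SameSite
  // limit where the browser will send it.
  return `sid=${token}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Pull the sid value out of a Cookie (or Set-Cookie) header string.
function tokenFrom(cookieHeader) {
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'sid') return rest.join('=');
  }
  return null;
}

function authenticate(cookieHeader, now = Date.now()) {
  const token = tokenFrom(cookieHeader);
  const entry = token ? sessions.get(digest(token)) : undefined;
  if (!entry || entry.expires <= now) return null; // unknown or expired
  return entry.userId;
}

// Logging out invalidates the token server-side, so a copied cookie stops working.
function revoke(cookieHeader) {
  const token = tokenFrom(cookieHeader);
  return token ? sessions.delete(digest(token)) : false;
}
```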
TechGuy's Avatar
Administrator with 8,423 posts.
 
Join Date: Feb 1999
Location: Chambersburg, PA
Experience: Advanced
31-May-2003, 02:26 PM #9
No, no -- you misunderstand my concern. As I said, I feel that it's very secure -- vb has been around for a while and you're correct about MD5.

My concern is with JavaScript -- imagine the nasty scripts you could run on other people's computers -- even if they're only annoying.
brendandonhu's Avatar
Distinguished Member with 15,988 posts.
 
Join Date: Jul 2002
Location: Ann Arbor, MI
Experience: Advanced
31-May-2003, 02:29 PM #10
Yes that's true. I have some experience there
Actually you could gain access to someone's account by simply having them click a link (it could probably be done onload, but I don't know) that would set the value of their cookie to a hidden form field and email it to the hacker...Both of my tsg baddies (this and the signature virus) used forms. If anything should be blocked, it's forms.
__________________
-Brendan
TechGuy's Avatar
Administrator with 8,423 posts.
 
Join Date: Feb 1999
Location: Chambersburg, PA
Experience: Advanced
31-May-2003, 02:30 PM #11
But how could I possibly block forms without blocking HTML? Sure, I could make forms a badword, but what about people talking about them in the Development forum? I suspect that I'll just have to break down and block HTML one of these days...

But, even then, there's nothing preventing you (or, rather, a bad person) from putting a full script on another web page and just linking to it. *sigh*
brendandonhu's Avatar
Distinguished Member with 15,988 posts.
 
Join Date: Jul 2002
Location: Ann Arbor, MI
Experience: Advanced
31-May-2003, 02:34 PM #12
WAAAH. I won't be posting anything harmful, or even annoying (as far as scripts go for the annoying part).
TechGuy's Avatar
Administrator with 8,423 posts.
 
Join Date: Feb 1999
Location: Chambersburg, PA
Experience: Advanced
31-May-2003, 02:38 PM #13
Oh, I don't doubt that -- after your little virus scam, I'm sure that you've learned your lesson.

I really wouldn't expect anything disruptive from any long-term member, to be honest... whether it's javascript or otherwise.

However, if we're going to worry about security enough to block HTML (as most forums do), you'd really have to go further -- block all links, etc etc... You can never be completely secure. I guess that's what our wonderful Moderators are here for.
brendandonhu's Avatar
Distinguished Member with 15,988 posts.
 
Join Date: Jul 2002
Location: Ann Arbor, MI
Experience: Advanced
31-May-2003, 02:48 PM #14
You are very lucky the ********com people have not hit this forum (yet).
But I would not block links. That's just over-moderation. Yes, someone COULD post a link to download Klez, but they probably won't.
TechGuy's Avatar
Administrator with 8,423 posts.
 
Join Date: Feb 1999
Location: Chambersburg, PA
Experience: Advanced
31-May-2003, 02:53 PM #15
Judging from the censoring in your post, I'd guess that they have. But, you're right -- there's no telling what some people might do. We'll just have to rely on our very capable Moderators!!
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2008, Jelsoft Enterprises Ltd.