I'm not sure if I'm going to worry about this piece of code, which a new member (armin-fire) "inserted" in the shoutbox. Here's a screenshot:
Erring on the side of forum security, I deleted the code in question from the shoutbox. I don't think it had any relevance to the ongoing discussion in the shoutbox at the time, but I could be wrong. (Admins, for shoutbox archive review?) BTW, I was not fast enough to impose a ban on armin-fire from the shoutbox for this; his shout got purged fast enough with the entry of other shouts. In any case, I've disabled his posting abilities and suspended his member account -- for one day.
Anyhow, it obviously didn't parse the code, since the code was still entirely visible in the shoutbox. But I'm placing a screenshot here for staff review, especially those uber-PHP-coders in the bunch, to determine if there is a security risk involved here. I'm not PHP-inclined, so I leave it to you guys. Possibly a script-kiddie in there, and if admin determines so based on the code above, I vote for an account ban on armin-fire. He may have other scripts in his arsenal which may pose hazards to IPB forums, but I'm just giving him the benefit of the doubt here for now, awaiting confirmation of its relevance in the shoutbox.
If the code did work, it would send him the IP address of every member who unwittingly viewed the code, via email. He's quite clearly a little script-kiddy, because the code was never going to parse in the shoutbox or anywhere else, since no one would be stupid enough to let it happen. But it's backfired on him, because, if he's as stupid as he looks, we've got his real IP address and his email address.
But, for the intent of breaching the security of Xisto's members, ban him.
I don't know why anyone would want a collection of IPs anyway. IP addresses only tell you the approximate location of people you don't know... which isn't important for any user. Maybe he wanted to know about the geo-targeting of this site? Anyway, he's not very good, since he actually expected PHP code to be run in a public shoutbox? He probably just copied that code from Google; I bet if you search the code it's the first result.
If you think about it further, there's more to it than that. On all the emails he would have received, he would have got the default email address of the sender, i.e. "you - the victimised viewer". That would be more useful.
I don't know why anyone would want a collection of IPs anyways
Thanks for the input, guys. I now see that eINK has already banned armin-fire's forum account. Let's see if admin can ban his IP as well, so he can't come back, re-register anew and possibly create more trouble for us.
I'll wait until the second return of the same IP before I issue the IP ban. But good job everyone! Thank you and keep up the good work!
Perhaps you can also do an email ban.
Haha, nasty little guy. I don't like people who take information about me without asking. But I do like people who catch these kinds of things. Nice job, server.