OrthancDeath Lite, Only 1 CalorieOff the end of the internet, just turn left.Registered User, ClubPAregular
edited January 2004
It's not a security flaw for PA. My script runs on my server.
So it's no more dangerous for PA than linking to a PHP page on my server.
If there was a security hole in the script then my server would be at risk, but there isn't.
Anyway, because of the way HTTP works it's actually impossible for your browser, or PA's server to determine that it's a PHP rather than a static image.
It's not a security flaw for PA. My script runs on my server.
So it's no more dangerous for PA than linking to a PHP page on my server.
If there was a security hole in the script then my server would be at risk, but there isn't.
Anyway, because of the way HTTP works it's actually impossible for your browser, or PA's server to determine that it's a PHP rather than a static image.
I should be asked before I execute a script on your server.
Then I could say no.
I we restrict avatars to .gif and .jpg files, then most server-side processing languages will be foiled. Those who reconfigure their server to execute .gif and .jpg files will still slip through, but then we have mods yell at them.
It's not a security flaw for PA. My script runs on my server.
So it's no more dangerous for PA than linking to a PHP page on my server.
If there was a security hole in the script then my server would be at risk, but there isn't.
Anyway, because of the way HTTP works it's actually impossible for your browser, or PA's server to determine that it's a PHP rather than a static image.
I should be asked before I execute a script on your server.
Then I could say no.
I we restrict avatars to .gif and .jpg files, then most server-side processing languages will be foiled. Those who reconfigure their server to execute .gif and .jpg files will still slip through, but then we have mods yell at them.
If you are running any sort of real security, you would get prompted if a script was trying to be run from another server on your browser. What you're talking about is all server side, so it doesn't effect your browser at all. If you are so worried about having scripts run in your browser at least run Script Defender.
Starfuck on
jackfaces
"If you're going to play tiddly winks, play it with man hole covers."
- John McCallum
0
OrthancDeath Lite, Only 1 CalorieOff the end of the internet, just turn left.Registered User, ClubPAregular
I just caught my 15 year old girl, masturbating with a vibrating 'control pad' on a Nintendo Gamecube. Now I am banning this vibrator from my household, but I am concerned about other teenagers who are using these products as masturbation aids, so I say we ban them from our forums.
I just caught my 15 year old girl, masturbating with a vibrating 'control pad' on a Nintendo Gamecube. Now I am banning this vibrator from my household, but I am concerned about other teenagers who are using these products as masturbation aids, so I say we ban them from our forums.
The teenagers using them? Or the devices themselves?
pix plz
matt has a problem on
0
OrthancDeath Lite, Only 1 CalorieOff the end of the internet, just turn left.Registered User, ClubPAregular
I know perfectly well how to do that. But I don't see the need.
I'd prefer people just learn a bit more about HTTP.
...and with a PHP script you have access to the entire request object and can manipulate the entire response object.
Now, I'm not a PHP code monkey, but I know that with that ability, combined with bugs in specific browsers, and a 301 Content Moved, you could probably whip up some cookie-stealing. I've got some thoughts about how that could be done in not-PHP.
I know perfectly well how to do that. But I don't see the need.
I'd prefer people just learn a bit more about HTTP.
...and with a PHP script you have access to the entire request object and can manipulate the entire response object.
Now, I'm not a PHP code monkey, but I know that with that ability, combined with bugs in specific browsers, and a 301 Content Moved, you could probably whip up some cookie-stealing. I've got some thoughts about how that could be done in not-PHP.
No?
Through the logs I have access to the entire request
Through the server configuration I can manipulate the entire responce on a static image.
As for cookie stealing I doubt it. Cookies are only sent to the specific server. So they don't get sent to my scripts at all.
Additionally most browsers block 3rd party cookies by default, so scripts like that on a differnt server can't set or recieve cookies anyway.
yeah, but i remember ap talking about security risks with my thing too. i really dont know much about this.. but we're pming now soooo woot!
Deusfaux on
0
Munkus BeaverYou don't have to attend every argument you are invited to.Philosophy: Stoicism. Politics: Democratic SocialistRegistered User, ClubPAregular
edited January 2004
wait....is my avatar an evil alien parasite feeding off of people's web browsers for sustance and to propagate? cuz that's what i got from this whole thread.
Munkus Beaver on
Humor can be dissected as a frog can, but dies in the process.
wait....is my avatar an evil alien parasite feeding off of people's web browsers for sustance and to propagate? cuz that's what i got from this whole thread.
http://www.orthanc.co.nz/showimg.php?image=6
OH NOES!!1!1 SUMWON HAS STOELED YUOR JIF OR JAYPEG EXTENSHUN!!1!11!./fwer
I know perfectly well how to do that. But I don't see the need.
I'd prefer people just learn a bit more about HTTP.
how hard is it to learn php from say... nothing.
It's quite easy if you have a basic concept of other computer languages. If, by 'nothing', you mean 'absolutely nothing', then it may be a bit harder.
Unknown User on
0
Munkus BeaverYou don't have to attend every argument you are invited to.Philosophy: Stoicism. Politics: Democratic SocialistRegistered User, ClubPAregular
wait....is my avatar an evil alien parasite feeding off of people's web browsers for sustance and to propagate? cuz that's what i got from this whole thread.
http://www.orthanc.co.nz/showimg.php?image=6
OH NOES!!1!1 SUMWON HAS STOELED YUOR JIF OR JAYPEG EXTENSHUN!!1!11!./fwer
i actually heard my brain shriek in pain while reading that
now it's trying to gnaw its way out of my skull, thanks jackass.
Munkus Beaver on
Humor can be dissected as a frog can, but dies in the process.
wait....is my avatar an evil alien parasite feeding off of people's web browsers for sustance and to propagate? cuz that's what i got from this whole thread.
http://www.orthanc.co.nz/showimg.php?image=6
OH NOES!!1!1 SUMWON HAS STOELED YUOR JIF OR JAYPEG EXTENSHUN!!1!11!./fwer
i actually heard my brain shriek in pain while reading that
now it's trying to gnaw its way out of my skull, thanks jackass.
I sent you more on AIM in an attempt to have your brain gnaw faster to make the pain go by quicker, but you weren't around.
I R TEH SAD NOW.
Unknown User on
0
OrthancDeath Lite, Only 1 CalorieOff the end of the internet, just turn left.Registered User, ClubPAregular
Making it look like a gif to browsers that don't follow w3c standards and look at the file extension instead of the mime type (i.e. internet explorer).
Making it look like a gif to browsers that don't follow w3c standards and look at the file extension instead of the mime type (i.e. internet explorer).
Are you sure? In a past life I did ASP development, which involved passing filenames in querystrings, and I don't believe that affected the mime type that IE was thinking the content was.
Once it hits the question mark it saves the rest as form/querystring variables. Unless you've played with this specifically. I'm not trying to profess expetise.
Anyway...
My experements in this random images resulted in this:
A didn't embed that as I want you to see a specific (undesirable) phenomenon: browser caching seems to entirely destroy the concept. If you shift-reload, you'll get random images. If you just reload, you don't. You seem to have experience in this matter, so I'm wondering if you can advise.
apotheos on
猿も木から落ちる
0
OrthancDeath Lite, Only 1 CalorieOff the end of the internet, just turn left.Registered User, ClubPAregular
Making it look like a gif to browsers that don't follow w3c standards and look at the file extension instead of the mime type (i.e. internet explorer).
Are you sure? In a past life I did ASP development, which involved passing filenames in querystrings, and I don't believe that affected the mime type that IE was thinking the content was.
Once it hits the question mark it saves the rest as form/querystring variables. Unless you've played with this specifically. I'm not trying to profess expetise.
Anyway...
My experements in this random images resulted in this:
A didn't embed that as I want you to see a specific (undesirable) phenomenon: browser caching seems to entirely destroy the concept. If you shift-reload, you'll get random images. If you just reload, you don't. You seem to have experience in this matter, so I'm wondering if you can advise.
Doesn't affect the mime type, but it does affect the way IE handles the file. For example (this is one I hit at work) if you are outputting a CSV, setting the mime type to the csv one (I can't remember it off the top of my head, but it does exist) IE won't handle it properly. But if you make the entire url end in .cvs as I did above with gif, IE will open it with the CSV helper application (Usually Excell).
All this is just a result of Microsofts efforts to combine local file system browsing (file extentions) with web browsing (mime types).
As for your problem, you need to put in some cache controll headers to stop it being cached. I presume the random.jpg is actually a script of some sort, in which case it will have a method for setting HTTP headers. It can be done in the server configuration as well but I;ve never looked into how.
here is the PHP code for fixing it, you'll have to convert it to whatever language you're using
// Date in the past
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
// always modified
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
// HTTP/1.1
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
// HTTP/1.0
header("Pragma: no-cache");
As this is a small and stupid side project to my "real work", I haven't spent much time on it. However this problem only seems to creep in to graphics files. I thought there was something particular to that MIME type perhaps. I know, I'm trying to snatch straws.
There is a complicated series of proxy rewrites involved in serving this document too, so it makes conquoring this mess all that much more difficult when my default assumptions get contradicted. I am starting to suspect one of them is eating my headers. Now to find out which one.
apotheos on
猿も木から落ちる
0
OrthancDeath Lite, Only 1 CalorieOff the end of the internet, just turn left.Registered User, ClubPAregular
edited January 2004
I've noticed that the no-cache headers don't seem to work perfectly with graphics. I think it's just that because of the comparitivly large size of pictures browsers tend to cache them a bit more aggressivly. But they seem to work for most of it, I'd be surprised if it wasn't refreshing at all.
The other thing to check is that the headers are actually being sent. There are programs that will show you what headers are actually being sent / recieved. though I'm having trouble finding one to link.
Posts
So it's no more dangerous for PA than linking to a PHP page on my server.
If there was a security hole in the script then my server would be at risk, but there isn't.
Anyway, because of the way HTTP works it's actually impossible for your browser, or PA's server to determine that it's a PHP rather than a static image.
I should be asked before I execute a script on your server.
Then I could say no.
I we restrict avatars to .gif and .jpg files, then most server-side processing languages will be foiled. Those who reconfigure their server to execute .gif and .jpg files will still slip through, but then we have mods yell at them.
Because that is what they are there for.
猿も木から落ちる
Why?
My thoughts exactly. The Data your computer recieves is EXACTLY the same as if it was a static image.
It is impossible for it to affect your computer in any way because it doesn't execute on your computer.
I've been trying to reach you, but your extension cord doesn't reach that far.
ohnoes!
If it makes you feel better, my sig is actually totally static, so you don't have to feel dirty and violated on my account.
Ahh a nice Unix process listing
Wait a minuite, Safari? iTunes? AppleSpell?
You're running MacOS X aren't you?
You're dead to me.
Are you sure you know how this all works?
Hooray!
猿も木から落ちる
Yes. Quite.
猿も木から落ちる
My advice to you is to not go to websites you think have questionsble content.
"If you're going to play tiddly winks, play it with man hole covers."
- John McCallum
Oh, you're worried about information collection why didn't you just say so.
Any information I could save out of a PHP avatar I can just get from my server logs if I use a static image.
The teenagers using them? Or the devices themselves?
pix plz
rename your script to .gif or whatever
in your .htaccess (assuming you are running apache)
that means it is ran as php but it looks like an image
猿も木から落ちる
I'd prefer people just learn a bit more about HTTP.
Seriously, I'd like to know what it is you are worried about.
About the only information that I can think you'd be worried about is your IP, but that is in the server logs even if you just access a normal image.
...and with a PHP script you have access to the entire request object and can manipulate the entire response object.
Now, I'm not a PHP code monkey, but I know that with that ability, combined with bugs in specific browsers, and a 301 Content Moved, you could probably whip up some cookie-stealing. I've got some thoughts about how that could be done in not-PHP.
No?
猿も木から落ちる
I do not understand, Sam I Am.
Through the logs I have access to the entire request
Through the server configuration I can manipulate the entire responce on a static image.
As for cookie stealing I doubt it. Cookies are only sent to the specific server. So they don't get sent to my scripts at all.
Additionally most browsers block 3rd party cookies by default, so scripts like that on a differnt server can't set or recieve cookies anyway.
This is actually a different thing
OH NOES!!1!1 SUMWON HAS STOELED YUOR JIF OR JAYPEG EXTENSHUN!!1!11!./fwer
how hard is it to learn php from say... nothing.
It's quite easy if you have a basic concept of other computer languages. If, by 'nothing', you mean 'absolutely nothing', then it may be a bit harder.
i actually heard my brain shriek in pain while reading that
now it's trying to gnaw its way out of my skull, thanks jackass.
I sent you more on AIM in an attempt to have your brain gnaw faster to make the pain go by quicker, but you weren't around.
I R TEH SAD NOW.
Yeah. If you understand programming in other languages, then 1 day tops to get the hang of basic PHP, everything above that is just practice.
If you're not familiar with anything then it will take a bit longer, but the manual at www.php.net should still be sufficient.
Senor, have you seen this trick
http://www.orthanc.co.nz/showimg.php?image=6&/munkus_av.gif
Uh, what's the trick?
Making it look like a gif to browsers that don't follow w3c standards and look at the file extension instead of the mime type (i.e. internet explorer).
Are you sure? In a past life I did ASP development, which involved passing filenames in querystrings, and I don't believe that affected the mime type that IE was thinking the content was.
Once it hits the question mark it saves the rest as form/querystring variables. Unless you've played with this specifically. I'm not trying to profess expetise.
Anyway...
My experements in this random images resulted in this:
http://www.uleth.ca/it/random.jpg
A didn't embed that as I want you to see a specific (undesirable) phenomenon: browser caching seems to entirely destroy the concept. If you shift-reload, you'll get random images. If you just reload, you don't. You seem to have experience in this matter, so I'm wondering if you can advise.
猿も木から落ちる
Doesn't affect the mime type, but it does affect the way IE handles the file. For example (this is one I hit at work) if you are outputting a CSV, setting the mime type to the csv one (I can't remember it off the top of my head, but it does exist) IE won't handle it properly. But if you make the entire url end in .cvs as I did above with gif, IE will open it with the CSV helper application (Usually Excell).
All this is just a result of Microsofts efforts to combine local file system browsing (file extentions) with web browsing (mime types).
As for your problem, you need to put in some cache controll headers to stop it being cached. I presume the random.jpg is actually a script of some sort, in which case it will have a method for setting HTTP headers. It can be done in the server configuration as well but I;ve never looked into how.
here is the PHP code for fixing it, you'll have to convert it to whatever language you're using
// Date in the past
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
// always modified
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
// HTTP/1.1
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
// HTTP/1.0
header("Pragma: no-cache");
As this is a small and stupid side project to my "real work", I haven't spent much time on it. However this problem only seems to creep in to graphics files. I thought there was something particular to that MIME type perhaps. I know, I'm trying to snatch straws.
There is a complicated series of proxy rewrites involved in serving this document too, so it makes conquoring this mess all that much more difficult when my default assumptions get contradicted. I am starting to suspect one of them is eating my headers. Now to find out which one.
猿も木から落ちる
The other thing to check is that the headers are actually being sent. There are programs that will show you what headers are actually being sent / recieved. though I'm having trouble finding one to link.