
PHP Avatars

apotheosapotheos Registered User, ClubPA regular
Is it just me,

Or is allowing the execution of scripts on an external website as an avatar a security flaw a mile wide?



猿も木から落ちる
apotheos on

  • OrthancOrthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited January 2004
    It's not a security flaw for PA. My script runs on my server.

    So it's no more dangerous for PA than linking to a PHP page on my server.

    If there was a security hole in the script then my server would be at risk, but there isn't.

    Anyway, because of the way HTTP works it's actually impossible for your browser, or PA's server to determine that it's a PHP rather than a static image.

    Orthanc on
    orthanc
  • apotheosapotheos Registered User, ClubPA regular
    edited January 2004
    Orthanc wrote:
    It's not a security flaw for PA. My script runs on my server.

    So it's no more dangerous for PA than linking to a PHP page on my server.

    If there was a security hole in the script then my server would be at risk, but there isn't.

    Anyway, because of the way HTTP works it's actually impossible for your browser, or PA's server to determine that it's a PHP rather than a static image.

    I should be asked before I execute a script on your server.

    Then I could say no.

    If we restrict avatars to .gif and .jpg files, then most server-side processing languages will be foiled. Those who reconfigure their server to execute .gif and .jpg files will still slip through, but then we have mods yell at them.

    Because that is what they are there for.

    apotheos on


    猿も木から落ちる
  • 90X Double Side90X Double Side Registered User
    edited January 2004
    apotheos wrote:
    I should be asked before I execute a script on your server.

    Why?

    90X Double Side on
  • OrthancOrthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited January 2004
    apotheos wrote:
    I should be asked before I execute a script on your server.

    Why?

    My thoughts exactly. The data your computer receives is EXACTLY the same as if it was a static image.

    It is impossible for it to affect your computer in any way because it doesn't execute on your computer.

    Orthanc on
    orthanc
  • BergyBergy Registered User regular
    edited January 2004
    ORTHANC IS TRYING TO HACK OUR MEGAHURTZ!

    Bergy on
    I've been trying to reach you, but your extension cord doesn't reach that far.
  • 90X Double Side90X Double Side Registered User
    edited January 2004
    Bergy wrote:
    ORTHANC IS TRYING TO HACK OUR MEGAHURTZ!
    PID COMMAND  MEGAHURTZ   TIME   #TH #PRTS #MREGS RPRVT  RSHRD  RSIZE  VSIZE
    29342 httpd        0.0%  0:00.03   1    10    94   420K  2.05M- 1.95M  29.6M
    24697 tail         0.0%  0:00.02   1    11    17    28K   284K   640K  17.6M
    24321 httpd        0.0%  0:00.07   1    10    96   268K  2.04M- 1.93M  29.6M
    21818 STOLED!!!1! 19.0% 75:37.97   3   112  1113  41.3M  5.45M- 33.0M-  279M 
    19247 tail         0.0%  0:00.04   1    11    17    40K   284K   216K  17.6M
    18088 Snak         0.9% 70:32.44  12   220   396  6.77M  9.89M  9.42M   275M
    15641 snort        0.0%  4:16.37   1     9   250  6.75M   576K  3.88M  61.3M
    15626 LetterStic   0.0% 16:18.18   6   211   306  2.09M  9.02M  10.8M   239M
    12692 Mail         0.0%  6:22.06  11   268   473  9.51M  10.9M  14.7M   254M 
     9693  java         1.4%  6:56.28  17   244   168  5.23M  1.07M  6.09M   249M
     5600  iChat        0.0%  2:56.96   8   229   350  3.61M  11.4M  8.19M   255M
     5591  iTunes       2.8% 91:12.74   5   224   473  2.20M  8.38M- 4.05M+  274M
     5589  Safari      21.3%  3:48:07  16   324  1233  67.2M+ 19.1M- 77.2M+  455M+
     5431  tail         0.0%  0:00.03   1    11    17    40K   284K   216K  17.6M
     2443  AppleSpell   0.0%  0:06.73   1    50    39   588K  1.27M  1.39M  36.3M
     2194  System Eve   1.9% 11:19.29   1    57   132   796K  2.52M  2.03M   203M
    

    ohnoes!

    If it makes you feel better, my sig is actually totally static, so you don't have to feel dirty and violated on my account.

    90X Double Side on
  • OrthancOrthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited January 2004
    Bergy wrote:
    ORTHANC IS TRYING TO HACK OUR MEGAHURTZ!
    PID COMMAND  MEGAHURTZ   TIME   #TH #PRTS #MREGS RPRVT  RSHRD  RSIZE  VSIZE
    29342 httpd        0.0%  0:00.03   1    10    94   420K  2.05M- 1.95M  29.6M
    24697 tail         0.0%  0:00.02   1    11    17    28K   284K   640K  17.6M
    24321 httpd        0.0%  0:00.07   1    10    96   268K  2.04M- 1.93M  29.6M
    21818 STOLED!!!1! 19.0% 75:37.97   3  112  1113  41.3M  5.45M- 33.0M-  279M 
    19247 tail         0.0%  0:00.04   1    11    17    40K   284K   216K  17.6M
    18088 Snak         0.9% 70:32.44  12   220   396  6.77M  9.89M  9.42M   275M
    15641 snort        0.0%  4:16.37   1     9   250  6.75M   576K  3.88M  61.3M
    15626 LetterStic   0.0% 16:18.18   6   211   306  2.09M  9.02M  10.8M   239M
    12692 Mail         0.0%  6:22.06  11   268   473  9.51M  10.9M  14.7M   254M 
     9693  java         1.4%  6:56.28  17   244   168  5.23M  1.07M  6.09M   249M
     5600  iChat        0.0%  2:56.96   8   229   350  3.61M  11.4M  8.19M   255M
     5591  iTunes       2.8% 91:12.74   5   224   473  2.20M  8.38M- 4.05M+  274M
     5589  Safari      21.3%  3:48:07  16   324  1233  67.2M+ 19.1M- 77.2M+  455M+
     5431  tail         0.0%  0:00.03   1    11    17    40K   284K   216K  17.6M
     2443  AppleSpell   0.0%  0:06.73   1    50    39   588K  1.27M  1.39M  36.3M
     2194  System Eve   1.9% 11:19.29   1    57   132   796K  2.52M  2.03M   203M
    

    ohnoes!

    If it makes you feel better, my sig is actually totally static, so you don't have to feel dirty and violated on my account.

    Ahh a nice Unix process listing

    Wait a minute, Safari? iTunes? AppleSpell?

    You're running MacOS X aren't you?

    You're dead to me.

    Orthanc on
    orthanc
  • NovaDaddyNovaDaddy Registered User
    edited January 2004
    apotheos wrote:
    Orthanc wrote:
    It's not a security flaw for PA. My script runs on my server.

    So it's no more dangerous for PA than linking to a PHP page on my server.

    If there was a security hole in the script then my server would be at risk, but there isn't.

    Anyway, because of the way HTTP works it's actually impossible for your browser, or PA's server to determine that it's a PHP rather than a static image.

    I should be asked before I execute a script on your server.

    Then I could say no.

    If we restrict avatars to .gif and .jpg files, then most server-side processing languages will be foiled. Those who reconfigure their server to execute .gif and .jpg files will still slip through, but then we have mods yell at them.

    Because that is what they are there for.

    Are you sure you know how this all works?

    NovaDaddy on
  • apotheosapotheos Registered User, ClubPA regular
    edited January 2004
    I'm so very glad I'm exposed to the wide world of PHP information collection and possible exploits, when I ask for an avatar.

    Hooray!

    apotheos on


    猿も木から落ちる
  • apotheosapotheos Registered User, ClubPA regular
    edited January 2004
    NovaDaddy wrote:
    Are you sure you know how this all works?

    Yes. Quite.

    apotheos on


    猿も木から落ちる
  • NovaDaddyNovaDaddy Registered User
    edited January 2004
    apotheos wrote:
    I'm so very glad I'm exposed to the wide world of PHP information collection and possible exploits, when I ask for an avatar.

    Hooray!

    My advice to you is to not go to websites you think have questionable content.

    NovaDaddy on
  • StarfuckStarfuck Registered User, ClubPA regular
    edited January 2004
    If you are running any sort of real security, you would get prompted if a script was trying to be run from another server in your browser. What you're talking about is all server side, so it doesn't affect your browser at all. If you are so worried about having scripts run in your browser, at least run Script Defender.

    Starfuck on
    jackfaces
    "If you're going to play tiddly winks, play it with man hole covers."
    - John McCallum
  • OrthancOrthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited January 2004
    apotheos wrote:
    I'm so very glad I'm exposed to the wide world of PHP information collection and possible exploits, when I ask for an avatar.

    Hooray!

    Oh, you're worried about information collection why didn't you just say so.

    Any information I could save out of a PHP avatar I can just get from my server logs if I use a static image.

    Orthanc on
    orthanc
  • TezkahTezkah Registered User
    edited January 2004
    I just caught my 15 year old girl, masturbating with a vibrating 'control pad' on a Nintendo Gamecube. Now I am banning this vibrator from my household, but I am concerned about other teenagers who are using these products as masturbation aids, so I say we ban them from our forums.

    Tezkah on
  • matt has a problemmatt has a problem Points to 'off' Points to 'on'Registered User regular
    edited January 2004
    Tezkah wrote:
    I just caught my 15 year old girl, masturbating with a vibrating 'control pad' on a Nintendo Gamecube. Now I am banning this vibrator from my household, but I am concerned about other teenagers who are using these products as masturbation aids, so I say we ban them from our forums.

    The teenagers using them? Or the devices themselves?

    pix plz

    matt has a problem on
  • OrthancOrthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited January 2004
    megahurtz.bmp

    Orthanc on
    orthanc
  • BesigedBBesigedB Registered User, ClubPA regular
    edited January 2004
    orthanc: to stop people worrying

    rename your script to .gif or whatever

    in your .htaccess (assuming you are running apache)
    <Files av.gif> 
    ForceType application/x-httpd-php 
    </Files>
    

    that means it is run as PHP but it looks like an image

    BesigedB on
    this is a small sig to not get in your way
  • apotheosapotheos Registered User, ClubPA regular
    edited January 2004
    It was a fair concern. If the admins here don't share that concern, you don't need to go cloaking it on my behalf.

    apotheos on


    猿も木から落ちる
  • OrthancOrthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited January 2004
    I know perfectly well how to do that. But I don't see the need.

    I'd prefer people just learn a bit more about HTTP.

    Orthanc on
    orthanc
  • OrthancOrthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited January 2004
    apotheos wrote:
    It was a fair concern. If the admins here don't share that concern, you don't need to go cloaking it on my behalf.

    Seriously, I'd like to know what it is you are worried about.

    About the only information that I can think you'd be worried about is your IP, but that is in the server logs even if you just access a normal image.

    Orthanc on
    orthanc
  • apotheosapotheos Registered User, ClubPA regular
    edited January 2004
    Orthanc wrote:
    I know perfectly well how to do that. But I don't see the need.

    I'd prefer people just learn a bit more about HTTP.

    ...and with a PHP script you have access to the entire request object and can manipulate the entire response object.

    Now, I'm not a PHP code monkey, but I know that with that ability, combined with bugs in specific browsers, and a 301 Content Moved, you could probably whip up some cookie-stealing. I've got some thoughts about how that could be done in not-PHP.

    No?

    apotheos on


    猿も木から落ちる
  • 150cc150cc Registered User, ClubPA regular
    edited January 2004
    I do not understand this thread.

    I do not understand, Sam I Am.

    150cc on
  • OrthancOrthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited January 2004
    apotheos wrote:
    Orthanc wrote:
    I know perfectly well how to do that. But I don't see the need.

    I'd prefer people just learn a bit more about HTTP.

    ...and with a PHP script you have access to the entire request object and can manipulate the entire response object.

    Now, I'm not a PHP code monkey, but I know that with that ability, combined with bugs in specific browsers, and a 301 Content Moved, you could probably whip up some cookie-stealing. I've got some thoughts about how that could be done in not-PHP.

    No?

    Through the logs I have access to the entire request
    Through the server configuration I can manipulate the entire response on a static image.

    As for cookie stealing, I doubt it. Cookies are only sent to the specific server. So they don't get sent to my scripts at all.
    Additionally, most browsers block 3rd party cookies by default, so scripts like that on a different server can't set or receive cookies anyway.

    Orthanc on
    orthanc
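The following is an added example and is not Orthanc's showimg.php, BesigedB's .htaccess trick, or any other poster's code. It models the server side of a script-served avatar like the one under discussion, to make the points above concrete: the fields such a script can record (client address, User-Agent, Referer) are exactly what Apache already writes to its combined access log for a static image, so the script learns nothing the logs do not hold. It also shows the check that matters on the hosting side, which is the one place a script-served avatar can actually go wrong: the `image` parameter is validated as an id against a fixed table instead of being used as a filename, and the Content-Type is chosen from the bytes served rather than from anything in the URL. Hostnames, addresses and image bytes are constructed; the `X-Content-Type-Options: nosniff` header is a modern addition assumed here, not something 2004 browsers honoured.

```python
"""What a script-served avatar can see, and what it must check.

Added example for this thread, not any poster's code. Everything below is
constructed sample data; nothing touches the network or the filesystem.
"""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed image table: id -> bytes. A real script would read files from a
# directory it alone chooses; the client supplies only the id.
IMAGES = {
    "6": b"GIF89a" + bytes(20),            # GIF signature plus padding
    "7": b"\xff\xd8\xff\xe0" + bytes(20),  # JPEG SOI/APP0 markers plus padding
}

# File signatures used to pick Content-Type from the body, never from the URL.
MAGIC = (
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target = (request_line.split(" ") + ["/"])[:2]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def combined_log_line(client_ip, method, target, headers, status, size, when):
    """Apache 'combined' format. A static image produces exactly this line, so
    a script that records these fields gains nothing over the access log."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return (f'{client_ip} - - [{stamp}] "{method} {target} HTTP/1.1" {status} {size} '
            f'"{headers.get("referer", "-")}" "{headers.get("user-agent", "-")}"')


def sniff_type(body):
    """Return the MIME type implied by the leading bytes, or None."""
    return next((ctype for magic, ctype in MAGIC if body.startswith(magic)), None)


def serve_avatar(raw_request, client_ip, when=None):
    """Handle one request; return (status, response_headers, body, log_line)."""
    when = when or datetime.now(timezone.utc)
    method, target, req_headers = parse_request(raw_request)
    image_id = parse_qs(urlsplit(target).query).get("image", [""])[0]
    # The only client-controlled input is an id: digits only, and present in
    # the table. "../etc/passwd", or the "&/munkus_av.gif" tail on the URL in
    # this thread, never becomes a path. Anything else is a plain 404.
    valid = (method in ("GET", "HEAD")
             and re.fullmatch(r"\d{1,6}", image_id) is not None
             and image_id in IMAGES)
    if not valid:
        body = b"not found"
        headers = {"Content-Type": "text/plain", "Content-Length": str(len(body))}
        status = 404
    else:
        body = IMAGES[image_id]
        headers = {
            "Content-Type": sniff_type(body) or "application/octet-stream",
            "Content-Length": str(len(body)),
            # Assumed modern addition (not a 2004 header): tells the browser to
            # trust the declared type instead of guessing from the extension.
            "X-Content-Type-Options": "nosniff",
        }
        status = 200
    log = combined_log_line(client_ip, method, target, req_headers, status, len(body), when)
    return status, headers, (b"" if method == "HEAD" else body), log


# Constructed sample request using the URL shape from the thread; the hostnames
# are placeholders.
SAMPLE_REQUEST = (
    b"GET /showimg.php?image=6&/munkus_av.gif HTTP/1.1\r\n"
    b"Host: avatars.example\r\n"
    b"User-Agent: Mozilla/5.0 (constructed)\r\n"
    b"Referer: http://forums.example/discussion/123\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    status, headers, body, log = serve_avatar(SAMPLE_REQUEST, "203.0.113.5")
    print(status, headers)
    print(log)
```

Running the file handles the sample request and prints the response headers and the access-log line; change `image=6` to `image=../etc/passwd` in SAMPLE_REQUEST and the result is a 404 without the filesystem ever being consulted. Any Cookie header such a script receives is likewise only what the browser scoped to the avatar host, never the forum's, which is the other half of Orthanc's point above.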
  • DeusfauxDeusfaux Registered User regular
    edited January 2004
    by the way orthanc, i resent that PM about this whole thing

    Deusfaux on
  • OrthancOrthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited January 2004
    Deusfaux wrote:
    by the way orthanc, i resent that PM about this whole thing

    This is actually a different thing

    Orthanc on
    orthanc
  • DeusfauxDeusfaux Registered User regular
    edited January 2004
    yeah, but i remember ap talking about security risks with my thing too. i really dont know much about this.. but we're pming now soooo woot!

    Deusfaux on
  • Munkus BeaverMunkus Beaver Registered User, ClubPA regular
    edited January 2004
    wait....is my avatar an evil alien parasite feeding off of people's web browsers for sustenance and to propagate? cuz that's what i got from this whole thread.

    Munkus Beaver on
    Twitch Channel
    Steam: munkus_beaver
    Humor can be dissected, as a frog can, but it dies in the process.
    http://www.ccfa.org/
  • DogDog Registered User, Administrator, Vanilla Staff admin
    edited January 2004
    wait....is my avatar an evil alien parasite feeding off of people's web browsers for sustenance and to propagate? cuz that's what i got from this whole thread.
    http://www.orthanc.co.nz/showimg.php?image=6
    

    OH NOES!!1!1 SUMWON HAS STOELED YUOR JIF OR JAYPEG EXTENSHUN!!1!11!./fwer

    Unknown User on
  • futilityfutility Registered User, ClubPA regular
    edited January 2004
    Orthanc wrote:
    I know perfectly well how to do that. But I don't see the need.

    I'd prefer people just learn a bit more about HTTP.

    how hard is it to learn php from say... nothing.

    futility on
  • DogDog Registered User, Administrator, Vanilla Staff admin
    edited January 2004
    futility wrote:
    Orthanc wrote:
    I know perfectly well how to do that. But I don't see the need.

    I'd prefer people just learn a bit more about HTTP.

    how hard is it to learn php from say... nothing.

    It's quite easy if you have a basic concept of other computer languages. If, by 'nothing', you mean 'absolutely nothing', then it may be a bit harder.

    Unknown User on
  • Munkus BeaverMunkus Beaver Registered User, ClubPA regular
    edited January 2004
    wait....is my avatar an evil alien parasite feeding off of people's web browsers for sustenance and to propagate? cuz that's what i got from this whole thread.
    http://www.orthanc.co.nz/showimg.php?image=6
    

    OH NOES!!1!1 SUMWON HAS STOELED YUOR JIF OR JAYPEG EXTENSHUN!!1!11!./fwer

    i actually heard my brain shriek in pain while reading that

    now it's trying to gnaw its way out of my skull, thanks jackass.

    Munkus Beaver on
    Twitch Channel
    Steam: munkus_beaver
    Humor can be dissected, as a frog can, but it dies in the process.
    http://www.ccfa.org/
  • DogDog Registered User, Administrator, Vanilla Staff admin
    edited January 2004
    wait....is my avatar an evil alien parasite feeding off of people's web browsers for sustenance and to propagate? cuz that's what i got from this whole thread.
    http://www.orthanc.co.nz/showimg.php?image=6
    

    OH NOES!!1!1 SUMWON HAS STOELED YUOR JIF OR JAYPEG EXTENSHUN!!1!11!./fwer

    i actually heard my brain shriek in pain while reading that

    now it's trying to gnaw its way out of my skull, thanks jackass.

    I sent you more on AIM in an attempt to have your brain gnaw faster to make the pain go by quicker, but you weren't around.

    I R TEH SAD NOW. :(

    Unknown User on
  • OrthancOrthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited January 2004
    futility wrote:
    Orthanc wrote:
    I know perfectly well how to do that. But I don't see the need.

    I'd prefer people just learn a bit more about HTTP.

    how hard is it to learn php from say... nothing.

    It's quite easy if you have a basic concept of other computer languages. If, by 'nothing', you mean 'absolutely nothing', then it may be a bit harder.

    Yeah. If you understand programming in other languages, then 1 day tops to get the hang of basic PHP, everything above that is just practice.

    If you're not familiar with anything then it will take a bit longer, but the manual at www.php.net should still be sufficient.



    Senor, have you seen this trick

    http://www.orthanc.co.nz/showimg.php?image=6&/munkus_av.gif

    Orthanc on
    orthanc
  • DogDog Registered User, Administrator, Vanilla Staff admin
    edited January 2004
    Orthanc wrote:
    futility wrote:
    Orthanc wrote:
    I know perfectly well how to do that. But I don't see the need.

    I'd prefer people just learn a bit more about HTTP.

    how hard is it to learn php from say... nothing.

    It's quite easy if you have a basic concept of other computer languages. If, by 'nothing', you mean 'absolutely nothing', then it may be a bit harder.

    Yeah. If you understand programming in other languages, then 1 day tops to get the hang of basic PHP, everything above that is just practice.

    If you're not familiar with anything then it will take a bit longer, but the manual at www.php.net should still be sufficient.



    Senor, have you seen this trick

    http://www.orthanc.co.nz/showimg.php?image=6&/munkus_av.gif

    Uh, what's the trick?

    Unknown User on
  • OrthancOrthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited January 2004
    Orthanc wrote:
    futility wrote:
    Orthanc wrote:
    I know perfectly well how to do that. But I don't see the need.

    I'd prefer people just learn a bit more about HTTP.

    how hard is it to learn php from say... nothing.

    It's quite easy if you have a basic concept of other computer languages. If, by 'nothing', you mean 'absolutely nothing', then it may be a bit harder.

    Yeah. If you understand programming in other languages, then 1 day tops to get the hang of basic PHP, everything above that is just practice.

    If you're not familiar with anything then it will take a bit longer, but the manual at www.php.net should still be sufficient.



    Senor, have you seen this trick

    http://www.orthanc.co.nz/showimg.php?image=6&/munkus_av.gif

    Uh, what's the trick?

    Making it look like a gif to browsers that don't follow w3c standards and look at the file extension instead of the mime type (i.e. internet explorer).

    Orthanc on
    orthanc
  • apotheosapotheos Registered User, ClubPA regular
    edited January 2004
    Orthanc wrote:
    Making it look like a gif to browsers that don't follow w3c standards and look at the file extension instead of the mime type (i.e. internet explorer).

    Are you sure? In a past life I did ASP development, which involved passing filenames in querystrings, and I don't believe that affected the mime type that IE was thinking the content was.

    Once it hits the question mark it saves the rest as form/querystring variables. Unless you've played with this specifically. I'm not trying to profess expertise.

    Anyway...

    My experiments with random images resulted in this:

    http://www.uleth.ca/it/random.jpg

    I didn't embed that as I want you to see a specific (undesirable) phenomenon: browser caching seems to entirely destroy the concept. If you shift-reload, you'll get random images. If you just reload, you don't. You seem to have experience in this matter, so I'm wondering if you can advise.

    apotheos on


    猿も木から落ちる
  • OrthancOrthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited January 2004
    apotheos wrote:
    Orthanc wrote:
    Making it look like a gif to browsers that don't follow w3c standards and look at the file extension instead of the mime type (i.e. internet explorer).

    Are you sure? In a past life I did ASP development, which involved passing filenames in querystrings, and I don't believe that affected the mime type that IE was thinking the content was.

    Once it hits the question mark it saves the rest as form/querystring variables. Unless you've played with this specifically. I'm not trying to profess expertise.

    Anyway...

    My experiments with random images resulted in this:

    http://www.uleth.ca/it/random.jpg

    I didn't embed that as I want you to see a specific (undesirable) phenomenon: browser caching seems to entirely destroy the concept. If you shift-reload, you'll get random images. If you just reload, you don't. You seem to have experience in this matter, so I'm wondering if you can advise.

    Doesn't affect the mime type, but it does affect the way IE handles the file. For example (this is one I hit at work), if you are outputting a CSV, setting the mime type to the CSV one (I can't remember it off the top of my head, but it does exist), IE won't handle it properly. But if you make the entire URL end in .csv as I did above with gif, IE will open it with the CSV helper application (usually Excel).
    All this is just a result of Microsoft's efforts to combine local file system browsing (file extensions) with web browsing (mime types).

    As for your problem, you need to put in some cache control headers to stop it being cached. I presume the random.jpg is actually a script of some sort, in which case it will have a method for setting HTTP headers. It can be done in the server configuration as well but I've never looked into how.

    here is the PHP code for fixing it, you'll have to convert it to whatever language you're using

    <?php
    // These must be sent before any output, or PHP cannot change the headers.
    // Date in the past
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    // always modified
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    // HTTP/1.1
    header("Cache-Control: no-store, no-cache, must-revalidate");
    // false adds a second Cache-Control line instead of replacing the one above
    header("Cache-Control: post-check=0, pre-check=0", false);
    // HTTP/1.0
    header("Pragma: no-cache");

    Orthanc on
    orthanc
  • apotheosapotheos Registered User, ClubPA regular
    edited January 2004
    I've already done that. Pooh.

    As this is a small and stupid side project to my "real work", I haven't spent much time on it. However this problem only seems to creep in to graphics files. I thought there was something particular to that MIME type perhaps. I know, I'm trying to snatch straws.

    There is a complicated series of proxy rewrites involved in serving this document too, so it makes conquering this mess all that much more difficult when my default assumptions get contradicted. I am starting to suspect one of them is eating my headers. Now to find out which one.

    apotheos on


    猿も木から落ちる
  • OrthancOrthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited January 2004
    I've noticed that the no-cache headers don't seem to work perfectly with graphics. I think it's just that because of the comparatively large size of pictures browsers tend to cache them a bit more aggressively. But they seem to work for most of it, I'd be surprised if it wasn't refreshing at all.

    The other thing to check is that the headers are actually being sent. There are programs that will show you what headers are actually being sent / received, though I'm having trouble finding one to link.

    Orthanc on
    orthanc
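One way to do the check Orthanc suggests above, that the no-cache headers actually reach the client, is to audit the raw response a header-viewing tool (or `curl -i`) shows. The script below is an added example, not code from the thread: `audit_response` parses a captured response, joins repeated Cache-Control lines the way the PHP `header(..., false)` call above produces them, and reports what is missing. It also compares the declared Content-Type against the body's leading bytes, which catches the extension-versus-MIME confusion discussed earlier in the thread. Both sample responses are constructed, one carrying the headers from Orthanc's snippet and one the way it might look after an intermediary dropped them; the `X-Content-Type-Options: nosniff` check is a modern addition assumed here, not something 2004 browsers honoured.

```python
"""Audit a captured HTTP response for the cache and type headers this thread
argues about. Added example, not code from the thread; the responses at the
bottom are constructed, not captured from anyone's server."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# File signatures used to compare the declared Content-Type with the body.
MAGIC = (
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body).
    Repeated fields, such as the two Cache-Control lines PHP's
    header(..., false) emits, are joined with commas as RFC 7230 section
    3.2.2 allows, so the directives can be read as one list."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers, body


def sniff_type(body):
    """Return the MIME type implied by the leading bytes, or None."""
    return next((ctype for magic, ctype in MAGIC if body.startswith(magic)), None)


def audit_response(raw, now=None):
    """Return the parsed facts plus a list of findings; an empty list means
    the response still carries everything the PHP header() block sends."""
    now = now or datetime.now(timezone.utc)
    status, headers, body = parse_response(raw)
    findings = []
    directives = {d.strip().lower()
                  for d in headers.get("cache-control", "").split(",") if d.strip()}
    if not directives & {"no-store", "no-cache"}:
        findings.append("Cache-Control has no no-store/no-cache: HTTP/1.1 caches may reuse the image")
    expires = headers.get("expires")
    if expires is None:
        findings.append("no Expires header for HTTP/1.0 caches")
    else:
        try:
            exp = parsedate_to_datetime(expires)
            if exp.tzinfo is None:          # "-0000" style dates come back naive
                exp = exp.replace(tzinfo=timezone.utc)
            if exp > now:
                findings.append("Expires is in the future; it must be a past date to defeat caching")
        except (TypeError, ValueError):
            findings.append("Expires is not a valid HTTP-date")
    if headers.get("pragma", "").lower() != "no-cache":
        findings.append("no Pragma: no-cache for HTTP/1.0 caches")
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff_type(body)
    if actual and declared != actual:
        findings.append(f"Content-Type says {declared or '(none)'} but the body is {actual}")
    # Assumed modern addition, absent in 2004: stops browsers guessing the type.
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("no X-Content-Type-Options: nosniff")
    return {"status": status, "cache_control": sorted(directives),
            "declared_type": declared, "actual_type": actual, "findings": findings}


# Constructed: the headers the PHP snippet above produces, in front of a GIF.
INTACT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/gif\r\n"
    b"Expires: Mon, 26 Jul 1997 05:00:00 GMT\r\n"
    b"Last-Modified: Thu, 15 Jan 2004 12:00:00 GMT\r\n"
    b"Cache-Control: no-store, no-cache, must-revalidate\r\n"
    b"Cache-Control: post-check=0, pre-check=0\r\n"
    b"Pragma: no-cache\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n" + b"GIF89a" + bytes(10)
)

# Constructed: the same resource after an intermediary dropped the cache
# headers, with a JPEG body served under a .gif-looking URL.
STRIPPED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/gif\r\n"
    b"Content-Length: 14\r\n"
    b"\r\n" + b"\xff\xd8\xff\xe0" + bytes(10)
)

if __name__ == "__main__":
    for name, raw in (("intact", INTACT), ("stripped", STRIPPED)):
        print(name, audit_response(raw)["findings"])
```

Paste the bytes of a real captured response in place of the samples; if the intact headers are present in the script's own output but missing from what the browser receives, one of the proxies in between is the culprit, which is exactly the situation apotheos describes.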
  • BesigedBBesigedB Registered User, ClubPA regular
    edited January 2004
    there is a headers addon for mozilla

    BesigedB on
    this is a small sig to not get in your way