Due to the way phpBB references the images it is not a major vulnerability.
it does, this would be an issue if the server fetched the value of $stuff and then manipulated it or something. Even worse the dreaded system( $stuff ), but none of those are true. To me there is only one real concern, but that can not be helped. IPs. Simply put, a clever enough user could get the IP of any forumer with a little amount of work. Unfortunately the only way that threat could be eliminated would be with locally hosted avatars and disabling the image tags.
I didn't mean to be an ass about this, sorry if I came off as one.
Orthanc: if you come across that link in the future, it would be very useful.
apotheos on
Even monkeys fall from trees.
Orthanc (Death Lite, Only 1 Calorie; Off the end of the internet, just turn left.) Registered User, ClubPA regular
edited January 2004
You'd also have to remove the url tag, to be safe.
apotheos: I know you weren't trying to be an asshole. Your concern is legitimate but it's a problem with anything not hosted on the PA server, not just scripts.
Orthanc on
Ramius (Joined: July 19, 2000) Administrator, ClubPA admin
edited January 2004
yeah, like the people above have said, we are pretty much limited to 3 options.
1) Host all images on the server. This way we could guarantee that you are not getting anything but an image when you request the page.
2) Allow no images at all. This one is pretty obvious.
3) Allow remote linking of images. Once we decide to allow remote linking of images AT ALL, be it avatars, sigs, or bbcode in a post, we are opening the door to a potential risk. Now, the risk is small/acceptable in my opinion. Some people may feel it is an unacceptable risk, and they have a number of options ranging from adjusting their security settings in IE, to turning off images, to using a non-Microsoft browser.
But there isn't a "special" risk just because we allow php-based avatars. As has been pointed out above, any file-extension can have a script behind it, and any remote-linking at all presents a risk of a browser-exploit. It is a risk inherent in using the internet at all.
The sneakiest thing I can imagine someone REALISTICALLY doing is figuring out a particular forumer's IP address, and then targeting them specifically with some sort of goatse-type prank.
By the way, if you have a "real" browser like Mozilla, a simple right-click->"block images from this server" will allow you to pick and choose whose images you do and do not trust.
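As an added example, not code from this thread or from phpBB, the Python sketch below shows the difference between option 1 (host all images on the server) and option 3 (remote linking) in terms of the IP concern apotheos raised. The remote hosts, their responses and all IP addresses are constructed for the demo; the forum server fetches an avatar once, keeps it only if the bytes really are an image (the URL's extension is never trusted), and serves its own copy, so the remote host only ever sees the forum server's address. With remote linking, every reader's browser contacts the remote host and shows up in its log.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Leading bytes of the formats the forum accepts. The URL's extension is never
# consulted, because any extension can have a script behind it.
IMAGE_SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}
MAX_AVATAR_BYTES = 64 * 1024

# Constructed addresses for the demo (TEST-NET ranges, not real hosts).
FORUM_SERVER_IP = "203.0.113.10"
READER_IPS = ["198.51.100.7", "198.51.100.8"]


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return 'gif', 'png' or 'jpg' from the leading bytes, or None."""
    for magic, kind in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


@dataclass
class FetchResult:
    status: int
    body: bytes


# Constructed stand-in for the remote hosts people link avatars from.
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
            b"\x00\x02\x02D\x01\x00;")
CONSTRUCTED_REMOTE: Dict[str, FetchResult] = {
    # a plain image file
    "http://example.invalid/me.gif": FetchResult(200, TINY_GIF),
    # a script with an image-looking name that returns a page, not pixels
    "http://example.invalid/fake.gif": FetchResult(200, b"<html>hi</html>"),
    # a script that logs the requester and then serves a real image
    "http://example.invalid/avatar.php": FetchResult(200, TINY_GIF),
}
REMOTE_ACCESS_LOG: List[Tuple[str, str]] = []  # (client ip, url) as the remote sees it


def remote_fetch(url: str, client_ip: str) -> FetchResult:
    """Simulates the remote host: whoever asks, it learns their IP."""
    REMOTE_ACCESS_LOG.append((client_ip, url))
    return CONSTRUCTED_REMOTE.get(url, FetchResult(404, b""))


class AvatarStore:
    """Option 1: the forum server fetches the avatar once and serves its own copy."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def import_avatar(self, url: str) -> Tuple[bool, str]:
        """Fetch server-side; keep the bytes only if they really are an image.
        Returns (accepted, local filename or rejection reason)."""
        result = remote_fetch(url, FORUM_SERVER_IP)
        if result.status != 200:
            return False, "remote returned HTTP %d" % result.status
        if len(result.body) > MAX_AVATAR_BYTES:
            return False, "larger than %d bytes" % MAX_AVATAR_BYTES
        kind = sniff_image_type(result.body)
        if kind is None:
            return False, "body is not a GIF, PNG or JPEG"
        local_name = hashlib.sha256(url.encode()).hexdigest()[:16] + "." + kind
        self.files[local_name] = result.body
        return True, local_name


def render_with_remote_linking(urls: List[str]) -> None:
    """Option 3 for comparison: every reader's browser hits the remote host."""
    for ip in READER_IPS:
        for url in urls:
            remote_fetch(url, ip)


def ips_seen_by_remote() -> set:
    return {ip for ip, _ in REMOTE_ACCESS_LOG}


if __name__ == "__main__":
    store = AvatarStore()
    for url in CONSTRUCTED_REMOTE:
        print(url, "->", store.import_avatar(url))
    print("IPs the remote saw with local hosting:", ips_seen_by_remote())
    render_with_remote_linking(list(CONSTRUCTED_REMOTE))
    print("...and after remote linking:", ips_seen_by_remote())
```

Note that avatar.php is accepted: its bytes are a valid image, and that is all the store can or needs to check. The point of option 1 is not that a script can be told apart from a file, but that the script only ever logs the forum server's address.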
If these are stored in an easy to edit file could someone make one that auto blocks the most common urls of goatse, tubgirl, etc.?
Grayman222 on
"A TRUE POSTHUNK" -150cc
Ramius (Joined: July 19, 2000) Administrator, ClubPA admin
edited January 2004
I believe the file you would want to edit would be userContent.css (at least in Firebird); some searches on Google should present plenty of tips for that. I searched for that + goatse, but all I found was a way to turn direct links a different color. No premade scripts to block the images.
A good place to look for this sort of info would be the mozillazine.org forums. With a cursory glance I found that Proxomitron and the AdBlock plugin both come highly recommended.
I too have heard glowing things of Proxomitron. Personally I block goatse, tubgirl, lensman, gator.com, doubleclick.net, fastclick.net, */ads/*, */ad/* using my Netgear router. So unless you are willing to download goatse, upload it to your server using an arbitrary name, and link to it, I'm safe.
I'm going to look into Proxomitron later to see how much it would take to replace the images I don't want to see with a "Thank god I blocked this url" image. If that is too much work it looks like AdBlock can do exactly what I want it to do and the developer release will report what urls it blocks on each page.
Within the next few months my parents are going to be getting a second pc and at this point I'll look into a router that I can customize to block sites.
...now for me to find out if my ISP hosting will let me have a PHP avatar (it's showing the code in browsers currently)
Marty: The future, it's where you're going? Doc: That's right, twenty five years into the future. I've always dreamed on seeing the future, looking beyond my years, seeing the progress of mankind. I'll also be able to see who wins the next twenty-five world series.
The best way to deal with these questions is to contact alpha or ramius in private. That way, exploits like this are kept as private as possible.
denihilist on
Orthanc (Death Lite, Only 1 Calorie; Off the end of the internet, just turn left.) Registered User, ClubPA regular
edited July 2004
It was a custom change alpha made. Basically the confirmation hash is a MD5 hash of the url, the session ID and a "secret key" (read big random string). That prevents all possible variations that I'm aware of.
Incidentally just checking filenames / file extensions does not prevent that being exploited.
Bingo. When I wrote the patch, I was in communication with Orthanc, SenorAmor, Ramius, & Snowcone to get their input on it as well, so they all fully understand both the exploit and the patch.
I have the exploit and the patch both well documented and publicly available, but for some reason the phpBB group seems to ignore this entire issue and I refuse to undermine the phpBB group by releasing my own patch publicly. I will gladly talk privately with anyone about this, and in most cases I will share my patch given you are well intentioned and I have some degree of trust built up (generally being a regular around here is enough).
This is the obligatory statement: I encourage people to always be looking at new ways to improve security and performance here at Penny Arcade. I will even let you "experiment" a little bit, given you PM me in advance. If I see in the log files you are experimenting on the forums without talking to me first I will assume you are attempting to hack, and bad things will happen. A perma-ban would be the lowest possible punishment, and in most cases I will contact your ISP and blacklist you from accessing any of the PA servers (this includes the main site).
Thanks for the replies guys, new to admin myself, I'm keen to learn from you all.
I'd love to hear more about your modifications and patches alpha if you've got time. I'll pm you in the next few days so we can do it privately if you wish.
I hope I haven't said anything I shouldn't have. On that note, please feel free to edit my previous posts as you see fit.
See the 'chash' in the link when you click on a 'Mark forum read' or a 'Log out' link? That's how.
Ah I see, very clever. The reason I ask is for the sake of my own forum. Was this a mod that they installed, or custom editing? How much work was it?
I assume the mod session ID prevents this sort of thing, right?
Something like that, yeah.
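As an added example, not phpBB's code and not the patch alpha describes, the Python sketch below implements the confirmation hash the way Orthanc describes it above and as it appears on the 'Mark forum read' and 'Log out' links in the exchange just above: MD5 over the URL, the session ID and a server-side secret key. The URLs, session IDs and secret are made up for the demo. A link the server issued for the requester's own session is accepted; a bare URL with no chash, a chash copied from another session, a chash moved to a different URL, and a tampered chash are all rejected, which is what stops a link the viewer never chose to follow (for instance one embedded in a post) from acting on their session.

```python
import hashlib
import hmac
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed for the demo: a real deployment keeps a long random string in
# the server configuration and never sends it to a browser.
SECRET_KEY = "constructed-example-secret-5f0a7c2e9b1d"

# Constructed state-changing links of the kind the thread mentions.
LOGOUT_URL = "http://forums.example.invalid/login.php?logout=true"
MARK_READ_URL = "http://forums.example.invalid/viewforum.php?f=3&mark=forums"


def canonical_url(url: str) -> str:
    """The URL with any chash removed and the query re-encoded, so the signer
    and the verifier hash exactly the same string."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "chash"]
    return urlunsplit(parts._replace(query=urlencode(query)))


def make_chash(url: str, session_id: str, secret: str = SECRET_KEY) -> str:
    """MD5 over url + session id + secret, as the thread describes it.
    A design done today would use HMAC-SHA256; the structure is the same."""
    material = (canonical_url(url) + session_id + secret).encode()
    return hashlib.md5(material).hexdigest()


def sign_link(url: str, session_id: str) -> str:
    """What the server emits in the page for the logged-in session."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "chash"]
    query.append(("chash", make_chash(url, session_id)))
    return urlunsplit(parts._replace(query=urlencode(query)))


def chash_from_link(link: str) -> Optional[str]:
    return dict(parse_qsl(urlsplit(link).query)).get("chash")


def check_request(requested_url: str, session_id: str) -> bool:
    """Server side, on a state-changing request: recompute and compare.
    The session id comes from the requester's own session, not from the link."""
    presented = chash_from_link(requested_url)
    if presented is None:
        return False
    expected = make_chash(requested_url, session_id)  # chash is stripped first
    return hmac.compare_digest(presented, expected)


def demo() -> Dict[str, bool]:
    victim, attacker = "sid-victim-1f2e3d4c", "sid-attacker-9a8b7c6d"
    good = sign_link(LOGOUT_URL, victim)
    tampered = good[:-1] + ("0" if good[-1] != "0" else "1")
    return {
        "legitimate link": check_request(good, victim),
        "bare url, no chash": check_request(LOGOUT_URL, victim),
        "chash from attacker's own session":
            check_request(sign_link(LOGOUT_URL, attacker), victim),
        "victim's chash moved to another url":
            check_request(MARK_READ_URL + "&chash=" + chash_from_link(good), victim),
        "chash tampered": check_request(tampered, victim),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-40s %s" % (case, "accepted" if accepted else "rejected"))
```

The secret is what makes this work: without it, anyone who could see or guess a victim's session ID could compute the hash themselves, and with it the only way to obtain a valid chash for a given URL and session is to be served a page by the forum while holding that session.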