As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/

PHP Avatars

2»

Posts

  • ÄlphämönkëyÄlphämönkëy Registered User regular
    edited January 2004
    Due to the way phpBB refrences the images it is not a major vulnerability.
    it does $stuff, this would be an issue if the server fetched the value of $stuff and then manipulated it or something. Even worse the dreaded system( $stuff ), but none of those are true. T

    o me there is only one real concern, but that can not be helped. IPs. Simply put, a clever enough user could get the IP of any forumer with a little ammount of work. Unfortunatly the only way that threat could be eliminated would be with locally hosted avatars and disabling the image tags.

    Älphämönkëy on
  • apotheosapotheos Registered User, ClubPA regular
    edited January 2004
    I didn't mean to be an ass about this, sorry if I came off as one.

    Orthanc: if you come across that link in the future, it would be very usefull.

    apotheos on


    猿も木から落ちる
  • OrthancOrthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited January 2004
    You'd also have to remove the url tag. to be safe.

    apotheos: I know you wern't trying to be an asshole. Your concern is legitmate but it's a problem with anything not hosted on the pa server, not just scripts.

    Orthanc on
    orthanc
  • RamiusRamius Joined: July 19, 2000 Administrator, ClubPA admin
    edited January 2004
    yeah, like the people above have said, we are pretty much limited to 3 options.

    1) Host all images on the server. This way we could guarantee that you are not getting anything but an image when you request the page.

    2) Allow no images at all. This one is pretty obvious.

    3) Allow remote linking of images. Once we decide to allow remote linking of images AT ALL, be it avatars, sigs, or bbcode in a post, we are opening the door to a potential risk. Now, the risk is small/acceptable in my opinion. Some people may feel it is an unacceptable risk, and they have a number of options ranging from adjusting their security settings in IE, to turning off images, to using a non-Microsoft browser.

    But there isn't a "special" risk just because we allow php-based avatars. As has been pointed out above, any file-extension can have a script behind it, and any remote-linking at all presents a risk of a browser-exploit. It is a risk inherent in using the internet at all.

    The sneakiest thing I can imagine someone REALISTICALLY doing is figuring out a particular forumers IP address, and then targetting them specifically with some sort of goatse-type prank.

    By the way, if you have a "real" browser like mozilla, a simple right-click->"block images from this server" will allow you to pick and choose who's images you do and do not trust.

    Ramius on
  • Grayman222Grayman222 Registered User
    edited January 2004
    ramius wrote:
    By the way, if you have a "real" browser like mozilla, a simple right-click->"block images from this server" will allow you to pick and choose who's images you do and do not trust.

    If these are stored in an easy to edit file could someone make one that auto blocks the most common urls of goatse, tubgirl, etc. ?

    Grayman222 on
    "A TRUE POSTHUNK" -150cc
  • RamiusRamius Joined: July 19, 2000 Administrator, ClubPA admin
    edited January 2004
    I believe the file you would want to edit would be userContent.css ( at least in firebird ), some searches in google should present plenty of tips for that. I searched for that + goatse, but all I found was a way to turn direct links a different color. No premade scripts to block the images.

    A good place to look for this sort of info would be the mozillazine.org forums. With a cursory glance I found that Proxomitron and the AdBlock plugin both come highly recommended.

    Ramius on
  • ÄlphämönkëyÄlphämönkëy Registered User regular
    edited January 2004
    I too have heard glowing things of Proxomitron. Personally I block goatse, tubgirl, lensman, gator.com, doubleclick.net, fastclick.net, */ads/*, */ad/* using my Netgear router. So unless you are willing to download goatse, upload it to your server using an arbitrary name, and link to it, Im safe. :wink:

    Älphämönkëy on
  • DogDog Registered User, Administrator, Vanilla Staff admin
    edited January 2004
    I too have heard glowing things of Proxomitron. Personally I block goatse, tubgirl, lensman, gator.com, doubleclick.net, fastclick.net, */ads/*, */ad/* using my Netgear router. So unless you are willing to download goatse, upload it to your server using an arbitrary name, and link to it, Im safe. :wink:

    Hmm...

    Unknown User on
  • Grayman222Grayman222 Registered User
    edited January 2004
    Thanks for the links Ramius.

    I'm going to look into Proxomitron later to see how much it would take to replace the images I don't want to see with a "Thank god I blocked this url" image. If that is too much work it looks like adblock can do exactly what i want it to do and the developer release will report what urls it blocks on each page.

    Within the next few months my parents are going to be getting a second pc and at this point I'll look into a router that I can customize to block sites.


    ...now for me to find out if my isp hosting will let me have a php avatar(it's showing the code in browsers currently)

    Grayman222 on
    "A TRUE POSTHUNK" -150cc
  • PaladinPaladin Registered User regular
    edited January 2004
    MINNESOTA

    Paladin on
    Marty: The future, it's where you're going?
    Doc: That's right, twenty five years into the future. I've always dreamed on seeing the future, looking beyond my years, seeing the progress of mankind. I'll also be able to see who wins the next twenty-five world series.
  • BesigedBBesigedB Registered User, ClubPA regular
    edited January 2004
    Paladin wrote:
    MINNESOTA

    CONNECTICUT?

    BesigedB on
    this is a small sig to not get in your way
  • MammalMammal Registered User regular
    edited July 2004
    Can anyone tell me how they went about implementing php image links in the safest way possible in phpbb ?

    Mammal on
    mkds9kt.png
  • RocketScienceRocketScience Registered User regular
    edited July 2004
    150cc wrote:
    I do not understand this thread.

    I do not understand, Sam I Am.
    I think it has something to do with the international Communist conspiracy to sap and impurify all of our precious bodily fluids.

    RocketScience on
  • MammalMammal Registered User regular
    edited July 2004
    What I'm asking is, how has Alpha/Ramius enabled php image linking in signatures without being vulnerable to exploits such as:
    [img]http://www.penny-arcade.com/forums/login.php?logout=true[/img]
    

    ??

    Mammal on
    mkds9kt.png
  • DogDog Registered User, Administrator, Vanilla Staff admin
    edited July 2004
    Mammal wrote:
    What I'm asking is, how has Alpha/Ramius enabled php image linking in signatures without being vulnerable to exploits such as:
    [img]http://www.penny-arcade.com/forums/login.php?logout=true[/img]
    

    ??

    See the 'chash' in the link when you click on a 'Mark forum read' or a 'Log out' link? That's how.

    Unknown User on
  • MammalMammal Registered User regular
    edited July 2004
    Mammal wrote:
    What I'm asking is, how has Alpha/Ramius enabled php image linking in signatures without being vulnerable to exploits such as:
    [img]http://www.penny-arcade.com/forums/login.php?logout=true[/img]
    

    ??

    See the 'chash' in the link when you click on a 'Mark forum read' or a 'Log out' link? That's how.

    Ah I see, very clever. The reason I ask is for the sake of my own forum. Was this a mod that they installed, or custom editing. How much work was it?

    I assume the mod session id prevents this sort of thing right?:
    [img]http://www.penny-arcade.com/forums/modcp.php?t=43159&mode=lock[/img]
    

    Mammal on
    mkds9kt.png
  • ObbiObbi Registered User, ClubPA regular
    edited July 2004
    Mammal wrote:
    I assume the mod session id prevents this sort of thing right?:
    [img]http://www.penny-arcade.com/forums/modcp.php?t=43159&mode=lock[/img]
    

    Something like that, yeah.

    Obbi on
  • denihilistdenihilist Ancient and Mighty Registered User, Moderator mod
    edited July 2004
    Mammal wrote:
    Mammal wrote:
    What I'm asking is, how has Alpha/Ramius enabled php image linking in signatures without being vulnerable to exploits such as:
    [img]http://www.penny-arcade.com/forums/login.php?logout=true[/img]
    

    ??

    See the 'chash' in the link when you click on a 'Mark forum read' or a 'Log out' link? That's how.

    Ah I see, very clever. The reason I ask is for the sake of my own forum. Was this a mod that they installed, or custom editing. How much work was it?

    I assume the mod session id prevents this sort of thing right?:
    [img]http://www.penny-arcade.com/forums/modcp.php?t=43159&mode=lock[/img]
    

    The best way to deal with these questions is to contact alpha or ramius in private. That way, exploits like this are kept as private as possible.

    denihilist on
  • OrthancOrthanc Death Lite, Only 1 Calorie Registered User, ClubPA regular
    edited July 2004
    It was a custom change alpha made. Basically the confirmation hash is a MD5 hash of the url, the session ID and a "secret key" (read big random string). That prevents all possible variations that I'm aware off.

    Incidentally just checking filenames / file extentions does not prevent that being exploited.

    Orthanc on
    orthanc
  • ÄlphämönkëyÄlphämönkëy Registered User regular
    edited July 2004
    Orthanc wrote:
    It was a custom change alpha made. Basically the confirmation hash is a MD5 hash of the url, the session ID and a "secret key" (read big random string). That prevents all possible variations that I'm aware off.

    Incidentally just checking filenames / file extentions does not prevent that being exploited.
    Bingo. When I wrote the patch, I was in communication with Orthanc, SenorAmor, Ramius, & Snowcone to get their input on it as well, so they all fully understand both the exploit and the patch.

    I have the exploit and the patch both well documented and publicly available, but for some reason the phpBB group seems to ignore this entire issue and I refuse to undermine the phpBB group by releasing my own patch publicly. I will gladly talk privately with anyone about this, and in most cases I will share my patch given you are well intentioned and I have some degree of trust built up (generally being a regular around here is enough).

    The is the obligitory statement : I encourage people to always be looking at new ways to improve security and performance here at penny arcade. I will even let you "experiment" a little bit, given, you PM me in advance. If I see in the log files you are experimenting on the forums without talking to me first I will assume you are attempting to hack, and bad things will happen. A perma ban would be the lowest possible punishment, and in most cases I will contact your ISP and blacklist you from accessing any of the PA servers (this includes the main site).

    Älphämönkëy on
  • MammalMammal Registered User regular
    edited July 2004
    Thanks for the replies guys, new to admin myself, I'm keen to learn from you all.

    I'd love to hear more about your modifications and patches alpha if you've got time. I'll pm you in the next few days so we can do it privately if you wish.

    I hope I haven't said anything I shouldn't have. On that note, please feel free to edit my previous posts as you see fit.

    Mammal on
    mkds9kt.png
Sign In or Register to comment.