Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Doulos
Life Cycles Becoming CPU Cycles


Joined: Jun 06, 2005
Posts: 633

PostPosted: Fri Aug 17, 2007 11:07 am Reply with quote

I have a user who has a sig he wants to display using this format
Code:
[img]http://www.tournament.com/players/signatures/image.jpg?style=forumsig&username=Promeh[/img]
This does not display the image.

Are there any security issues I should worry about in adding <img> to the allowed html in our forums?
 
View user's profile Send private message
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Fri Aug 17, 2007 12:00 pm Reply with quote

The html image tag should already be ther I think but in any event, the tag you are using in your example is a bbcode tag not a html tag.
 
View user's profile Send private message Send e-mail
Doulos
PostPosted: Fri Aug 17, 2007 7:31 pm Reply with quote

Ya, I know. What I mean is adding img to the allowed html in forums config. The example I gave above is what he tried to use. It will not display the image. I temporarily added img to the forums config allowed html tags and the image then DOES show when using <> instead of [].

Since the sig shows the image using <img>, but not using [img] there must be some difference. I want to know if having added img to the allowed html tags will cause any cause any security risks (more than without it)
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Fri Aug 17, 2007 9:36 pm Reply with quote

That's one of those dynamic signatures, right? With game stats or something? It's not really a .jpg; it is pulling a script off that other server to generate the signature. He could easily point it to a bad script that does XSS. If you trust him, the server the sig comes from, and no one compromises that server, you'll be okay. You can decide if it is a risk worth taking.

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Sat Aug 18, 2007 1:42 am Reply with quote

phpBB added a check so that only .jpg, .gif, .png (possibly) are the only ones that could be used. While this kind of protection can be bypassed rather easily, it is still another security measure.

You can use mod_rewrite rules to give an easier URL, one that will take a .jpg and send it back to your PHP script

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©