Ravens PHP Scripts: Forums
 

 

spasticdonkey
RavenNuke(tm) Development Team



Joined: Dec 02, 2006
Posts: 1693
Location: Texas, USA

Posted: Mon Mar 26, 2007 8:20 pm

Well, as I usually do, I searched your forums BEFORE posting a question, which 9 times out of 10 solves my problem/question. But the only posts I found about this were older than dirt. I have "Enable remote avatars" set to "ON" and wonder if I should reconsider... This is what I read:

Quote:
This has been a known problem for a great deal of time. The fact is, webmasters should have that feature turned off for a variety of reasons, but the major reason being vulnerabilities.

Simply go to Forum Admin/General Configuration and disable "Enable remote avatars" to solve this problem.

If people want to have an avatar, they can pick one from the gallery or upload one. You shouldn't need to remote feed one in the first place.


I take it this feature has been secured some since these days, but is it still one of those features that is better left disabled? Is uploading an avatar less of a security risk than Enable remote avatars? I always thought allowing any sort of upload was the last thing you should allow...?

Also, if I disable this now, I assume any members' avatars that have been set in this manner won't work anymore...

Thanks in advance for your time :)

oh and btw I'm running latest RN distro and sentinel :)
 
Guardian2003
Site Admin



Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

Posted: Tue Mar 27, 2007 9:30 am

Security in that area has been improved, but why take the chance?
If any of my users want their own avatar I'm quite happy to upload it for them and set it up in their account. I do make regular back-ups but I can really do without the hassle of someone linking to something nasty.
 
spasticdonkey







Posted: Tue Mar 27, 2007 7:54 pm

thanks for the reply :) guess I knew it in my gut but had to hear it :P

which makes me wonder, what about forum signatures? Should I be turning that off too?
 
Guardian2003







Posted: Wed Mar 28, 2007 1:56 am

Turning off 'allow html' in the forum setup will help. I have never really used the signatures feature for images but I'm fairly sure you cannot actually 'upload' an image; instead it tends to be a remote link.
Again, this is vulnerable, but you also have the added impact that linking to external content will usually slow your site down, and in some cases when the image cannot be found, it can slow the site down quite badly. Make it a habit that, wherever possible, your site only links to images that are uploaded to your hosting webspace.
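
An added example, not part of the original thread: before disabling remote avatars, an admin can audit which members currently point at off-site images in their avatar or signature, since those are the accounts that will be affected. The row fields (`username`, `avatar`, `signature`), the host names and the sample data are constructed assumptions, not the forum's real schema.

```python
import re
from urllib.parse import urlsplit

# Assumption: the forum's own hostnames; any other host counts as remote.
LOCAL_HOSTS = {"forum.example", "www.forum.example"}

# BBCode [img]...[/img] and raw HTML <img src=...> found in signatures.
IMG_BBCODE = re.compile(r"\[img\](.*?)\[/img\]", re.I | re.S)
IMG_HTML = re.compile(r"<img\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def is_remote(url, local_hosts=LOCAL_HOSTS):
    """True when url names a host other than the forum's own."""
    url = url.strip()
    if url.startswith("//"):      # protocol-relative URL still names a host
        url = "http:" + url
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return False              # relative path: served from local webspace
    return (parts.hostname or "").lower() not in local_hosts

def audit_members(rows, local_hosts=LOCAL_HOSTS):
    """Return {username: [(where, url), ...]} for members using remote images."""
    report = {}
    for row in rows:
        findings = []
        avatar = row.get("avatar") or ""
        if avatar and is_remote(avatar, local_hosts):
            findings.append(("avatar", avatar))
        sig = row.get("signature") or ""
        for url in IMG_BBCODE.findall(sig) + IMG_HTML.findall(sig):
            if is_remote(url, local_hosts):
                findings.append(("signature", url.strip()))
        if findings:
            report[row["username"]] = findings
    return report

# Constructed sample rows, as if exported from the forum's users table.
SAMPLE_ROWS = [
    {"username": "alice", "avatar": "gallery/cat.gif", "signature": "Hello"},
    {"username": "bob", "avatar": "http://img.example.net/bob.png", "signature": ""},
    {"username": "carol", "avatar": "",
     "signature": "[img]http://www.forum.example/images/sig.png[/img]"},
    {"username": "dave", "avatar": "",
     "signature": "[IMG]//cdn.example.org/d.gif[/IMG] <img src='http://x.example.com/t.gif'>"},
]

if __name__ == "__main__":
    for user, items in audit_members(SAMPLE_ROWS).items():
        print(user, items)
```

Members whose images sit on the forum's own host or under a relative path are not reported; everyone else is listed with the offending URL so their images can be re-hosted locally first.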
 
All times are GMT - 6 Hours