It is standard for Jupitermedia forums that the forum settings be defaulted to not allowing dynamic image tags. VBForums has had this setting turned on. Until recently, this has not been abused and so I've left the setting alone. The setting has now been turned off because it has been abused.
Sorry - it is a security issue, so it is now turned off. Feel free to yell and scream at me if you have issue with this -- unless you are one of those that abused it.
Brad!
Have you given out your reputation points today? Select the Rate This Post link to give points for good posts!
-------------------------------------------------------------
Brad! Jones
Lots of Software, LLC (I wrote: C Programming in One Hour a Day)(Dad Jokes Book)(Follow me on Twitter)
--------------------------------------------------------------
Originally posted by mendhak
Isn't there an option which allows you to enable dynamic images for signatures only?
Correct. That option was turned off.
Brad!
When your thread has been resolved please edit the original post in the thread ()
and amend "-[RESOLVED]-" to the end of the title and change the icon to , Thank you.
When posting Code use the [VBCode]Code Here[/VBCode] tags to be able to use the code highlighting.
It isn't possible to limit the file types that the Image Tag works on? Or that it only allows vbforums Attachments (obviously would still need to disable php).
The change should only have hurt you if you are using PHP for the image. The issue is in allowing the img tag to run PHP code.
You should still be able to link to image files (jpg, gif, etc) with no issue.
Brad
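The policy described in the post above (plain image links keep working, PHP-driven ones do not, with the forum's own attachments as the exception raised earlier), sketched as an added example that is not vBulletin's code and not part of any post. The host `forum.example`, the `/attachment.php` path, the extension list and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this sketch: host name, attachment path and extension list.
FORUM_HOST = "forum.example"        # placeholder for the forum's own host
ATTACH_PATH = "/attachment.php"     # the forum's own attachment script
STATIC_EXTS = {".jpg", ".jpeg", ".gif", ".png"}
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

def img_url_allowed(url, dynamic_allowed=False, attachments_only=False):
    """Return (ok, reason) for one [IMG] target under the chosen policy."""
    url = url.strip()
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        return False, "whitespace or control character"
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False, "not an absolute http(s) URL"
    path = parts.path.lower()
    if parts.hostname.lower() == FORUM_HOST and path == ATTACH_PATH:
        return True, "forum attachment"
    if attachments_only:
        return False, "off-site image"
    if dynamic_allowed:
        return True, "dynamic URLs enabled"
    if "?" in url or "&" in url:
        return False, "query string"
    dot = path.rfind(".")
    ext = path[dot:] if dot > path.rfind("/") else ""
    if ext not in STATIC_EXTS:
        return False, f"extension {ext or '(none)'} is not a static image type"
    return True, "static image"

def filter_post(text, **policy):
    """Keep allowed [IMG] tags; demote rejected ones to the bare URL text."""
    rejected = []
    def demote(match):
        target = match.group(1).strip()
        ok, reason = img_url_allowed(target, **policy)
        if ok:
            return match.group(0)
        rejected.append((target, reason))
        return target
    return IMG_TAG.sub(demote, text), rejected

SAMPLE_POST = (  # constructed sample, not taken from the forum
    "[IMG]http://images.example/avatar.gif[/IMG] "
    "[img]http://images.example/sig.php?user=42[/img] "
    "[IMG]http://forum.example/attachment.php?attachmentid=7[/IMG]"
)
```

The extension test is only a heuristic, since the remote host decides what actually answers a `.gif` URL and still sees every viewer's request; re-hosting or proxying approved images is the stronger control.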
Originally posted by Spetnik
What malicious activity can be done by a php? PHP is a server-side script which can do no more to a browser than a jpg or a gif (when used in an image tag).
They are not concerned about the browser, they are worried about their server.
Originally posted by kasracer
They are not concerned about the browser, they are worried about their server.
The PHP wouldn't be run on their server, apart from their own scripts (e.g. Attachment.php), would it?
So does this mean I can put me graphics on my own Site then link em over?
Originally posted by NotLKH
It's Good to be The King!
He's just done the same thing I have done. Hosted it myself as a .gif or .jpg file.
I've talked to the system admin and we've agreed to change the setting back.
We will simply ban individuals that do anything inappropriate. If you are not sure if something is inappropriate, then I suggest asking before doing.
I'd like to thank those of you that raised the issue in a constructive manner. (Both that caused the setting to be turned off and now to be turned back on.)
Brad!
I won't post how it was abused because that will just tempt a number of people to try a few things out. No point in tempting anyone.
Things that are inappropriate can be determined by reading the Acceptable Usage Policy. That details most things.
Brad!
There is a limit to the number of PMs. I'm not sure what the setting is. You can always delete old ones to make more room.
Brad
Originally posted by brad jones
There is a limit to the number of PMs. I'm not sure what the setting is. You can always delete old ones to make more room.
After thinking about it... the only real security issue is that you could track people with it. Anyone seen those images where they tell you what browser and OS you're using? The other possibility is that it could perhaps replace the image with something else down the track?
I don't think it would allow code execution, since all it's doing is taking the text from the [IMG] tags, and not actually opening the file itself. Not on the VBF server at least, and since PHP is server side, you'd have to use include/require, meaning that you should have trouble with PHP code...
On the page is another matter, as in theory I guess you could put anything you wanted in there, like a frame? Since the file requested would be turned into HTML on the server of the image and then displayed somehow... ?:dunno:
Anyone want to slap me silly/agree with me? Be it in this thread or otherwise.
Sorry, I'm making my own PHP forum software, so it's an interesting thing to think about.
By doing that, you could execute whatever PHP code you wanted, but the only thing you could return is an image. Returning anything else will give you one of those cool little boxes with a red X in it (well, in IE, anyways).
Originally posted by The Hobo
I'll slap you later.
By doing that, you could execute whatever PHP code you wanted, but the only thing you could return is an image. Returning anything else will give you one of those cool little boxes with a red X in it (well, in IE, anyways).