dynamic/php signature

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
flogger12
Registered User
Posts: 14936
Joined: Tue Nov 25, 2003 2:13 am

Post by flogger12 »

why would you want to allow anyone to run php or other types of scripts on your board by doing this. that is why it was disallowed several versions ago.
if you enable this , someone with the knowledge , could put a script in their sig file that could completely destroy your board and/or server.

are you getting the picture here.




robert
KevDesigns
Registered User
Posts: 62
Joined: Thu Apr 14, 2005 12:05 pm
Location: Florida
Contact:

Post by KevDesigns »

yes i understand but i dont think anyone on my board would do such thing or has the knowledge.
beatme101
Registered User
Posts: 2866
Joined: Sat Jan 01, 2005 6:20 am
Location: The country cold comes from; Canada.
Contact:

Post by beatme101 »

KevDesigns wrote: yes i allowed enabled html in ACP and in the allowed html tags i added <img> and img because i wasnt sure which one i was supposed to put. it still didnt work.


take <img> out. then it should work...

the field should say something like...
b,i,u,pre,img
starfoxtj
Registered User
Posts: 3714
Joined: Tue Jul 29, 2003 2:01 am
Contact:

Post by starfoxtj »

flogger12 wrote: why would you want to allow anyone to run php or other types of scripts on your board by doing this. that is why it was disallowed several versions ago.
if you enable this , someone with the knowledge , could put a script in their sig file that could completely destroy your board and/or server.

are you getting the picture here.




robert


I was told my techi michal that using my method to get dynamic images do not pose a security threat. (And as far as I know, cant be prevented).
Admin ToolKit v2.1a - An Admins most helpful tool for user management. Now Supports Mass User Deletion!
Change User's: names, passwords, emails, active status and avatar/pm permissions.
Ban/Unban Users, change Post and Resync Counts, and promote/demote users to admin.
Completely independent from your phpbb user account settings. No installation required, just upload one file.
User Upload ToolKit Beta - A quick and easy, 30 second-install, attachment mod. Now Supports Dynamic Thumbnails!
flogger12
Registered User
Posts: 14936
Joined: Tue Nov 25, 2003 2:13 am

Post by flogger12 »

starfoxtj wrote:
flogger12 wrote:why would you want to allow anyone to run php or other types of scripts on your board by doing this. that is why it was disallowed several versions ago.
if you enable this , someone with the knowledge , could put a script in their sig file that could completely destroy your board and/or server.

are you getting the picture here.




robert


I was told my techi michal that using my method to get dynamic images do not pose a security threat. (And as far as I know, cant be prevented).

I haven't tried any of this, and I am certainly no expert at all. However, if you can hide a image display php script in a folder named pic.gif, then what would get you from hiding a php script that would attack the server in that folder?

I don't know, it just seems logical to me.

anyway, good luck with it, personally, I would rather not see images in sig files anyway.


robert
User avatar
SnowManrcd
Registered User
Posts: 155
Joined: Tue Oct 21, 2003 6:05 pm

Post by SnowManrcd »

flogger12 wrote: then what would get you from hiding a php script that would attack the server in that folder?

I don't know, it just seems logical to me.

anyway, good luck with it, personally, I would rather not see images in sig files anyway.


robert


Understandable but because PHP is server scripting the php file would be exicuted on the server on which it is stored and then output the image to the boards. the exicution wouldnt be taking place on the same server as the boards.

at least that is how I understand it, please corect me if I am wrong
-SnowMan
starfoxtj
Registered User
Posts: 3714
Joined: Tue Jul 29, 2003 2:01 am
Contact:

Post by starfoxtj »

You are correct snow.
The only damage that can come from php sigs (at least my way) is the same amount of damage I or anyone else can do by sticking a php file on their own server and executing it.

The ONLY thing it can get about the users viewing it is an IP address/browser type etc, but you can do that with apache's htaccess files anyways.
Admin ToolKit v2.1a - An Admins most helpful tool for user management. Now Supports Mass User Deletion!
Change User's: names, passwords, emails, active status and avatar/pm permissions.
Ban/Unban Users, change Post and Resync Counts, and promote/demote users to admin.
Completely independent from your phpbb user account settings. No installation required, just upload one file.
User Upload ToolKit Beta - A quick and easy, 30 second-install, attachment mod. Now Supports Dynamic Thumbnails!
Locked

Return to “2.0.x Support Forum”