
Dynamic Images ?

Posted: Mon May 02, 2005 5:37 pm
by mrdicb
Is there a mod available that allows users to post dynamic images, as in:

Code:

[img]http://domain.com/image.php?id=1234[/img]

a specific example would be:
Image

Posted: Mon May 02, 2005 9:08 pm
by CLee
Image links to a script were removed as they pose a rather serious XSS security threat.

Posted: Mon May 02, 2005 9:19 pm
by espicom
Expanding on Carlos' statement, everything in PHPBB that allows a dynamic "whatever" is posted on sites like SecurityFocus as a vulnerability. Allow HTML, and you get reported for not properly "cleaning" the HTML of bad things like Javascript. Allow generated images, and you get written up for Cross-site scripting (XSS) vulnerabilities. You see the trend.

Because Internet Explorer has so many things that can cause it to do bad things to the user's computer, anything dynamic is going to have to be considered a security problem. I've already seen one report that says that the fact that PHPBB doesn't verify that a posted image link really is an image, instead of a "stealth" script, is a security problem. THAT is a ridiculous claim, in my opinion!

Posted: Mon May 02, 2005 11:00 pm
by mrdicb
when you say it is an XSS security issue, do you mean to MY system or another site's system?

Sorry if that is a dumb question, but I am installing an image shack style photo upload script onto my server, and it uses dynamic images, as explained above. Could I make it so it only accepted dynamic images from my own server? (either a sub-domain of my forum or a different domain on the same server)

Posted: Mon May 02, 2005 11:23 pm
by Lumpy Burgertushie
the problem is, that a php or other type of script can be executed on your server from a sig file. now I don't think you want that. do you?


robert

Posted: Tue May 03, 2005 3:34 am
by espicom
mrdicb wrote: when you say it is an XSS security issue, do you mean to MY system or another site's system?


It's a browser issue, mainly. Let's say I put an "image" link in that is really a script that says, "Do an HTTP post to the PHPBB website with the instructions to delete forum #3 from the website", and someone with admin privileges on your board reads a message with that link in it.

Now imagine the havoc you'd go through trying to recover from that.

That's just one possibility of an XSS vulnerability.

Posted: Tue May 03, 2005 3:51 am
by mrdicb
thanks all for your info... looks like I'm going to need another solution.

Posted: Tue May 03, 2005 4:06 am
by espicom
This subject comes up from time to time, so we see a lot of "what if we ..." type solutions floated. And I've even had people approach me via PM on how to write an appropriate regular expression to allow CERTAIN SERVERS to provide dynamic images, while not allowing "every" server to do so. To the point that I don't even read PMs from some people anymore... I don't have THAT MUCH free time!

One possibility exists for "vetting" images, but it will increase your bandwidth usage. A script could be written to open a remote URL and load its response, check that it is a real image, then send that to the browser. It would basically convert any IMG bbcode tags into calls to this special script, so the result would look kind of like:

Code:

<img src=vette_img.php?http://domain.com/image.php?id=1234>

vette_img.php would connect to the URL, determine the image type (PNG, GIF, JPG), use the PHP GD functions to load the image, optionally resize it to match your specifications, then spit the result out to the browser.

This is the 10-pound sledgehammer approach. 8)
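
The vetting proxy described in the post above, sketched as an added example; it is not code from the thread or from phpBB. The `url` parameter name, the host allowlist and the size limits are assumptions, and the allowlist is there because a script that opens any URL it is handed can otherwise be pointed at internal addresses.

```php
<?php
// vette_img.php: added illustration of the proxy described above, not phpBB code.
// Assumed call form: vette_img.php?url=<urlencoded image URL>
const ALLOWED_HOSTS = ['images.example.com'];  // hypothetical allowlist
const MAX_BYTES     = 2097152;                 // 2 MiB download cap (assumed)
const MAX_PIXELS    = 4000000;                 // decode cap against image bombs
const MAX_DIM       = 800;                     // longest side after resizing

function fail(int $code): void { http_response_code($code); exit; }

$url   = $_GET['url'] ?? '';
$parts = is_string($url) ? parse_url($url) : false;
if (!is_array($parts)
    || !in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)
    || !in_array(strtolower($parts['host'] ?? ''), ALLOWED_HOSTS, true)) {
    fail(400);  // rejects file://, php://, and any host not on the allowlist
}

// Short timeout, no redirects (a redirect could leave the allowlist), size cap.
$ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
$body = @file_get_contents($url, false, $ctx, 0, MAX_BYTES + 1);
if ($body === false || $body === '' || strlen($body) > MAX_BYTES) {
    fail(502);
}

// Judge the bytes themselves, never the URL suffix or the remote Content-Type.
$info = @getimagesizefromstring($body);
$ok   = [IMAGETYPE_PNG, IMAGETYPE_GIF, IMAGETYPE_JPEG];
if (!$info || !in_array($info[2], $ok, true) || $info[0] * $info[1] > MAX_PIXELS) {
    fail(415);
}

// Decode with GD and re-encode, so only pixel data reaches the visitor.
$img = @imagecreatefromstring($body);
if ($img === false) {
    fail(415);
}
$w = imagesx($img);
$h = imagesy($img);
if (max($w, $h) > MAX_DIM) {
    $scale  = MAX_DIM / max($w, $h);
    $scaled = imagescale($img, max(1, (int) ($w * $scale)), max(1, (int) ($h * $scale)));
    $img    = $scaled !== false ? $scaled : $img;
}

header('Content-Type: image/png');
header('X-Content-Type-Options: nosniff');
imagepng($img);
```

Re-encoding every response as PNG means a reply that is not a decodable image never reaches the visitor's browser, at the cost of the extra bandwidth and CPU the post mentions.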

Posted: Tue May 03, 2005 4:13 am
by Lumpy Burgertushie
and I don't believe it will work in sig files because they are set to not process any link with php and/or ? in it I think.


robert

Posted: Tue May 03, 2005 4:24 am
by starfoxtj
Man I need a bookmark to my sig post...

Here:
http://www.phpbb.com/phpBB/viewtopic.ph ... ht=dynamic

Or:
http://www.phpbb.com/phpBB/viewtopic.ph ... ht=dynamic

You may prefer this code, it's more condensed and easier to work with:

Code:

<?php

// Return one randomly chosen element of $array.
function randomize( $array )
{
	$array_num = count( $array ) - 1;
	$rand_num = rand( 0, $array_num );

	return $array[$rand_num];
}

$image = randomize( array(
	"images/cat.jpg",
	"images/dog.jpg",
	"images/superman.jpg",
	"images/coolio.jpg"
) );

// Redirect the browser to the chosen static image.
header( "Location: http://domain.com/$image" );

?>

Posted: Tue May 03, 2005 5:08 pm
by mrdicb
espicom wrote: This subject comes up from time to time, so we see a lot of "what if we ..." type solutions floated. And I've even had people approach me via PM on how to write an appropriate regular expression to allow CERTAIN SERVERS to provide dynamic images, while not allowing "every" server to do so. To the point that I don't even read PMs from some people anymore... I don't have THAT MUCH free time!

One possibility exists for "vetting" images, but it will increase your bandwidth usage. A script could be written to open a remote URL and load its response, check that it is a real image, then send that to the browser. It would basically convert any IMG bbcode tags into calls to this special script, so the result would look kind of like:

Code:

<img src=vette_img.php?http://domain.com/image.php?id=1234>

vette_img.php would connect to the URL, determine the image type (PNG, GIF, JPG), use the PHP GD functions to load the image, optionally resize it to match your specifications, then spit the result out to the browser.

This is the 10-pound sledgehammer approach. 8)


Great advice, if I can't find any other alternatives I might have to use this, but I hope it will be a last resort.

Posted: Tue May 03, 2005 5:59 pm
by Lumpy Burgertushie
if you want to unsecure your board, then you will have to do "last resorts"

that is the point, this has been disallowed for security reasons, if you don't care about your board's security, then you will have to undo the code or go in through the back door, etc. etc.


robert