[img][/img] and .php files

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
three_pineapples
Registered User
Posts: 260
Joined: Sat Nov 15, 2003 12:11 pm
Location: Australia
Contact:


Post by three_pineapples »

One thing I have noticed since installing a phpBB 2.0.8 board is that you can no longer have .php files inside an [img] tag.

I found the line of code in includes/bbcode.php (line 284)

// includes/bbcode.php, line 284: only http/ftp URLs whose final characters are .jpg/.jpeg/.gif/.png (and which contain no space, ?, &, =, ", < or line break) become [img:$uid] tags; anything else is left as plain text
$text = preg_replace("#\[img\]((ht|f)tp://)([^ \?&=\"\n\r\t<]*?(\.(jpg|jpeg|gif|png)))\[/img\]#sie", "'[img:$uid]\\1' . str_replace(' ', '%20', '\\3') . '[/img:$uid]'", $text);
Now the dynamic signature MOD (basically a PHP file which outputs an image, so it doesn't have to be that MOD) will no longer work because the bbcode is ignored if it does not have jpg, jpeg, gif, png as its extension.

I am wondering why this has been done and whether it will cause a security risk if I add php as a valid extension to this line of code.

thanx in advance (and hoping this isn't a support question as i can fix the problem)
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

It was done for security. You could do something like:

Image
or
Image
or do the same for deleting.
Proven Offensive Security Expertise. OSCP - GXPN
three_pineapples
Registered User
Posts: 260
Joined: Sat Nov 15, 2003 12:11 pm
Location: Australia
Contact:

Post by three_pineapples »

Yeah... I see.

Does anyone know of a possible safe (i.e. one without the above listed security holes) workaround for it... because it would be great to have a dynamic sig still :?
Draegonis
Former Team Member
Posts: 3950
Joined: Mon Apr 22, 2002 3:12 pm
Location: Kµlt øƒ Ø
Contact:

Post by Draegonis »

Code the dynamic sig to actually output to a proper image format.
txuspe
Registered User
Posts: 73
Joined: Mon Nov 03, 2003 2:48 pm
Location: Spain

Post by txuspe »

You can try this:
[img]http://www.yourdomain.tld/image.php#image.gif[/img]
I think it should work, but not perfectly.

Regards :wink:

PS: BBCode is OFF now, that's the reason the example doesn't work now.
three_pineapples
Registered User
Posts: 260
Joined: Sat Nov 15, 2003 12:11 pm
Location: Australia
Contact:

Post by three_pineapples »

Well, the fact that the code for producing the image is actually in a PHP file means that you have to point the image link to the actual PHP file with the image code in it.

As far as I know there is no way to do what you suggested.

EDIT: thanx for that... it worked :D
_Ramius
Registered User
Posts: 11
Joined: Fri Jan 24, 2003 3:08 am

Post by _Ramius »

Techie-Micheal wrote: It was done for security. You could do something like:

Image
or
Image
or do the same for deleting.


Hi, I noticed there is a thread on this topic in the Support forum as well, but A) that forum moves so fast I'm afraid my post would get lost in the fold, and B) this is not a request for support, but a request for more information about changes made to phpBB.

So hopefully posting in this forum is appropriate.

Can anybody verify with the development team what the security risk of non image extensions is? Because the code is not going into <a href=""></a> tags, it is going into <img> tags. Whatever sort of cross-site thingy you try to inject, the browser would be trying to interpret as binary data representing a known image format.

I don't understand how non-image extensions can conceivably introduce a security risk?

As txuspe showed, you can still link to non-image files just by fooling the reg-exp, so I don't see what this change is accomplishing except for breaking thousands of people's signature and avatar graphics.
txuspe
Registered User
Posts: 73
Joined: Mon Nov 03, 2003 2:48 pm
Location: Spain

Post by txuspe »

Yeah, but... The code is executed in the server so when the false image arrives to your computer, everything (good or bad) is done. Using a PHP file as an image is really dangerous, be sure of this.

Regards :wink:
three_pineapples
Registered User
Posts: 260
Joined: Sat Nov 15, 2003 12:11 pm
Location: Australia
Contact:

Post by three_pineapples »

I think this topic should be removed now.

Obviously the phpBB group has tried to patch this, but as there is a workaround I think this may constitute a security risk (and therefore be in breach of the phpBB regulations (the one that says don't post security problems on the forum)).

So could a moderator please delete this...

thanx
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

Proven Offensive Security Expertise. OSCP - GXPN
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

As you can see, it doesn't work ... By the way, users do not decide what happens to topics.
Proven Offensive Security Expertise. OSCP - GXPN
txuspe
Registered User
Posts: 73
Joined: Mon Nov 03, 2003 2:48 pm
Location: Spain

Post by txuspe »

It doesn't work because:
  1. ".gif" must be the last letters.
  2. "?" cannot appear.
Regards :wink:
Draegonis
Former Team Member
Posts: 3950
Joined: Mon Apr 22, 2002 3:12 pm
Location: Kµlt øƒ Ø
Contact:

Post by Draegonis »

jpg, jpeg, gif and png are permitted extensions for the [img] tag.

Edit: Furthermore, the image won't be displayed if the URI contains any characters, such as ?, #, &, etc.

Just to add to what txuspe was saying. :)
Last edited by Draegonis on Tue Apr 13, 2004 1:43 pm, edited 2 times in total.
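To make the two technical points of this thread concrete (the preg_replace quoted from includes/bbcode.php in the first post, and txuspe's and Draegonis's explanation of why a "?" in the URI defeats the workaround while the "#" form got through), here is an added Python port of that pattern run over a few constructed URLs; it is example code, not phpBB's. `passes_path_check` is a hypothetical stricter variant that inspects only the URL path, so a fragment cannot supply the "allowed" extension.

```python
import re
from urllib.parse import urlsplit

# Python port of the preg_replace pattern quoted from phpBB 2.0.8 includes/bbcode.php
# (PCRE flags s and i); this is an added example, not phpBB's own code.
IMG_RE = re.compile(
    r'\[img\]((ht|f)tp://)([^ ?&="\n\r\t<]*?(\.(jpg|jpeg|gif|png)))\[/img\]',
    re.S | re.I,
)

def encode_img_bbcode(text: str, uid: str) -> str:
    """Mirror the replacement side: [img] blocks that pass the filter are tagged with
    the bbcode uid; blocks that fail are left as plain text and so never become an
    <img> tag when the post is rendered."""
    def sub(m: re.Match) -> str:
        return '[img:%s]%s%s[/img:%s]' % (uid, m.group(1), m.group(3).replace(' ', '%20'), uid)
    return IMG_RE.sub(sub, text)

def passes_extension_filter(url: str) -> bool:
    """True when the phpBB pattern would accept this URL inside [img]...[/img]."""
    return IMG_RE.fullmatch('[img]%s[/img]' % url) is not None

ALLOWED_EXT = ('.jpg', '.jpeg', '.gif', '.png')

def passes_path_check(url: str) -> bool:
    """Hypothetical stricter check (an assumption of this example, not phpBB code):
    parse the URL, require the extension on the path itself so a fragment cannot
    supply it, and reject any query string, as the original pattern does."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ('http', 'ftp') or not parts.netloc or parts.query:
        return False
    return parts.path.lower().endswith(ALLOWED_EXT)

if __name__ == '__main__':
    # Constructed sample URLs; example.invalid is a reserved, non-resolving domain.
    samples = [
        'http://example.invalid/sig.png',               # ordinary static image
        'http://example.invalid/image.php',             # dynamic signature: rejected
        'http://example.invalid/image.php#image.gif',   # the fragment form from the thread
        'http://example.invalid/image.php?x=1#a.gif',   # '?' is in the excluded class
    ]
    for url in samples:
        print('%-45s regex=%-5s path=%s' % (url, passes_extension_filter(url), passes_path_check(url)))
```

Even the stricter check only looks at the URL's shape; what a server returns for a .gif path is still up to that server, which is why the concern Techie-Micheal raises (a browser fetching an action URL on the viewer's behalf) is ultimately addressed by not letting a plain GET perform deletions, not by extension filtering alone.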
SHS`
Former Team Member
Posts: 6615
Joined: Wed Jul 04, 2001 9:13 am
Location: Yellow Beach, Nine Dragons, Hong Kong
Name: Jonathan Stanley
Contact:

Post by SHS` »

... and those circumventing the BBCode filtering will have their signatures removed.
Jonathan “SHS`” Stanley • 史德信
three_pineapples
Registered User
Posts: 260
Joined: Sat Nov 15, 2003 12:11 pm
Location: Australia
Contact:

Post by three_pineapples »

OK. I'm sorry for any troubles caused.

I didn't realise that links with ? in them wouldn't work.