Limit avatar image types

Posted: Fri Oct 18, 2019 10:59 pm
by John connor
How do I go about limiting the type of file extension used for avatars? Looks like I can only do this for attachments. Reason I ask is that I know a png can be laced with a malicious payload and I'd rather limit that extension. tif and tga might also be vulnerable.

Re: Limit avatar image types

Posted: Sat Oct 19, 2019 1:15 am
by 3Di

Re: Limit avatar image types

Posted: Sat Oct 19, 2019 1:55 am
by Gumboots
If you're really paranoid, I know gif can carry a payload too. Even a blank 1px gif. I wouldn't be surprised if it can be done with any image format, but I expect that phpBB will sanitise avatars anyway.

Re: Limit avatar image types

Posted: Sat Oct 19, 2019 4:46 am
by EA117
Also keeping in mind that "the extension on the file" is not the same thing as "the content in the file." But it is at least something. Good to know where you could limit or expand the list of extensions, regardless.

Like Gumboots indicated, if "can have" malicious code is the threshold, then there isn't any format currently in that list which is immune.

Re: Limit avatar image types

Posted: Sat Oct 19, 2019 9:30 am
by Mick
John connor wrote:
Fri Oct 18, 2019 10:59 pm
I know a png can be laced with a malicious payload and I'd rather limit that extension. tif and tga might also be vulnerable
It’s possible for ANY image file to be ‘infected’ or ‘programmed’ with malware. Stopping PNGs alone is only a small part of it.

Re: Limit avatar image types

Posted: Sat Oct 19, 2019 1:29 pm
by canonknipser
Mick wrote:
Sat Oct 19, 2019 9:30 am
Stopping PNGs alone is only a small part of it.
Yes, it's true not only for images, but for nearly any file format. So, to keep your board free of injection through resources not controlled by yourself, you should
  • disable attachments
  • disable [img]-tags
  • disable external linking
  • disable posting (someone can tell people to visit a certain web site which injects visitors' local devices, or write down a malicious shell script and tell others to execute it on their local machine)
  • and finally disable your board - the internet is a highly risky environment, so nobody should visit it.

Re: Limit avatar image types

Posted: Sun Oct 20, 2019 8:05 am
by John connor
Gumboots wrote:
Sat Oct 19, 2019 1:55 am
If you're really paranoid, I know gif can carry a payload too. Even a blank 1px gif. I wouldn't be surprised if it can be done with any image format, but I expect that phpBB will sanitise avatars anyway.
I don't understand. All I found on malicious gifs was this: https://giphy.com/explore/malicious-payload :lol:

No, I read this: https://www.opswat.com/blog/hacking-pic ... ow-stop-it


I guess I'll just leave it be. No sense in changing it. I can use a script that will scan all uploads for viruses. But I need an extension created that will allow it to be used due to Ajax. The script is here: https://github.com/phpMussel/phpMussel

Question: Does phpBB's MIME sniff ability help prevent this sort of thing with the correct MIME type?
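Picking up EA117's point that the extension on the file is not the same thing as the content in the file, and the MIME-sniffing question just above: the following is an added example (not code from this thread and not phpBB's own avatar handling) showing what a content check of that kind can and cannot establish. It reads the file's leading bytes and compares them with the declared extension; the signature table and allowed list are constructed for the example. Such a check confirms the container is really a PNG/GIF/JPEG, but it says nothing about data hidden inside an otherwise valid image.

```python
import os

# Constructed magic-byte table for the avatar formats under discussion.
# (Not phpBB's own list; add entries if your board allows more types.)
SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "jpg": [b"\xff\xd8\xff"],
}


def sniff_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for ext, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def check_avatar(filename: str, data: bytes, allowed=("png", "gif", "jpg")):
    """Return (ok, reason).

    Rejects when the declared extension is not in the allowed list, when the
    content is not a recognised image, or when the content type does not
    match the declared extension (e.g. a script renamed to .png).
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in allowed:
        return False, f"extension .{ext} not allowed"
    actual = sniff_type(data)
    if actual is None:
        return False, "content is not a recognised image"
    if actual != ext:
        return False, f"content is {actual}, extension says {ext}"
    # Passing here only proves the container type; it does not inspect
    # what may be embedded inside a structurally valid image.
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads: a real PNG header and a script renamed .png.
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    fake_png = b"<?php echo 'not an image'; ?>"
    print(check_avatar("avatar.png", png_header))   # (True, 'ok')
    print(check_avatar("avatar.png", fake_png))     # (False, 'content is not a recognised image')
    print(check_avatar("avatar.tga", png_header))   # (False, 'extension .tga not allowed')
```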

Re: Limit avatar image types

Posted: Thu Oct 24, 2019 7:43 pm
by Marc
If you read that post then you should have come to the conclusion that while images can carry additional data, one would have to be able to inject something like a script tag or have the server execute that additional data somehow. I don't see this applying to phpBB.

The MIME type IMHO has nothing to do with what is being explained in this.

Re: Limit avatar image types

Posted: Sat Oct 26, 2019 10:39 am
by John connor
So the payload can't be executed in the browser?

Re: Limit avatar image types

Posted: Sun Oct 27, 2019 1:22 am
by Gumboots
Such things have been done in the past, but they have been well-known hacks for years and everyone has implemented safeguards against them. But obviously there is no such thing as 100% certainty, because there is no way of knowing about vulnerabilities that haven't been found yet, so if you are genuinely concerned about it you will have to block all images. Personally I'd take my chances.