BBCode showing a dynamic image?

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
mixx941
Registered User
Posts: 116
Joined: Thu Feb 13, 2003 12:57 pm

BBCode showing a dynamic image?

Post by mixx941 »

Hi everyone. I'm helping someone start a new forum up, and I've got a quick question.

On many forums around the net, we use a dynamic image for signatures (where allowed). Most of the forums granted are vBulletin, but our new forum we are starting is phpBB. I'm trying to get a dynamic image created by PHP into a post or signature, but every time the result even with the Image tag is it just shows the link to the .php page. Here is an example:

Image

That was done with:

Code: Select all

[url=http://www.party107.com][img]https://camo.phpbb.com/8aa05d17972aa393a35d5400cd2f5eb25b5db217/687474703a2f2f7777772e70617274793130372e636f6d2f50617274793130375f6e707369672e706870[/img][/url]
Can this be done? Thanks in advance.

-Mark
MIXXnet IRC Network: http://www.mixxnet.net | irc.mixxnet.net
mixx941
Registered User
Posts: 116
Joined: Thu Feb 13, 2003 12:57 pm

Post by mixx941 »

Friendly bump.
MIXXnet IRC Network: http://www.mixxnet.net | irc.mixxnet.net
CLee
Registered User
Posts: 511
Joined: Fri Nov 23, 2001 2:42 pm

Post by CLee »

You can't post any images that do not have the standard extensions of GIF, JP[E]G or PNG. This was because dynamic image linking created a serious security hole that allowed a hacker to play havoc with a board by deleting or locking posts and evening forcing people to logout. I believe that vBulletin is just as susceptible to the same type of hacking so long as they allow dynamic image linking.

EDIT: Fixed a mispelling of JPEG. Now how did I do that?
Last edited by CLee on Sun Jan 16, 2005 8:37 pm, edited 1 time in total.
Carlos Myers
A+, Network+
Member - Star Wars Roleplaying Club
tsjakkaa
Registered User
Posts: 261
Joined: Sat Mar 27, 2004 1:25 pm
Location: belgium
Contact:

Post by tsjakkaa »

this can't be done, as the bbcode-parser only allows image extensions (ie jpg,jpeg,gif,png)

but it isn't that hard to change it to make php as an allowed extension.

search for this line in includes/bbcode.php

Code: Select all

// [img]image_url_here[/img] code..
$text = preg_replace("#\[img\]((http|ftp|https|ftps)://)([^ \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|png)))\[/img\]#sie", "'[img:$uid]\\1' . str_replace(' ', '%20', '\\3') . '[/img:$uid]'", $text);
just add php as extension to the regular expression:

Code: Select all

$text = preg_replace("#\[img\]((http|ftp|https|ftps)://)([^ \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|png|php)))\[/img\]#sie", "'[img:$uid]\\1' . str_replace(' ', '%20', '\\3') . '[/img:$uid]'", $text);
Image
tsjakkaa
Registered User
Posts: 261
Joined: Sat Mar 27, 2004 1:25 pm
Location: belgium
Contact:

Post by tsjakkaa »

CLee wrote: ... This was because dynamic image linking created a serious security hole that allowed a hacker to play havoc with a board by deleting or locking posts and evening forcing people to logout...


sorry for this one

but I don't see the problem with this one
it just adds an html-tag for displaying an image to a page.
a browser requests this to a server just in the same way as it requests any other page. So it will also be handled with the same security measures as any other, normal page

can someone please provide me a reasonable explanation for this security issue?

sorry CLee, I've asked this question before in a thread where you mentioned this problem. and still no answer
http://www.phpbb.com/phpBB/viewtopic.ph ... highlight=
Image
CLee
Registered User
Posts: 511
Joined: Fri Nov 23, 2001 2:42 pm

Post by CLee »

All a hacker has to do is create a PHP file that is nothing more then a simple redirect to something like http://www.yourdomain.com/phpBB/login.php?logout=true. For simplicity sake, let's name this file logyouout.php

Then all the hacker needs to do is then install this on the victim board Image. Then anyone who views the thread will immediately be logged out when the URL is requested by their browser.
Carlos Myers
A+, Network+
Member - Star Wars Roleplaying Club
mixx941
Registered User
Posts: 116
Joined: Thu Feb 13, 2003 12:57 pm

Post by mixx941 »

Thanks for the replies everyone.

CLee: You said that it could be used by a hacker to lock or delete topics. Is that an easy thing to do, or would someone have to be really smart to do it? I understand that logout part, but that's not very harmful. Annoying, yes, but a well moderated board where every post is read would have that taken care of and the user banned immediately.

But if there is something very easily exploitable and a big security risk I would like to know about it.

Thanks

-Mark
MIXXnet IRC Network: http://www.mixxnet.net | irc.mixxnet.net
CLee
Registered User
Posts: 511
Joined: Fri Nov 23, 2001 2:42 pm

Post by CLee »

All too easily, unfortunately. It's just a simple matter of replacing the redirected URL that logs you out with the one that will locks or deletes a post. Then it's just a matter of waiting for a moderator or admin with the privileges to execute those actions to load the thread in their browser.
Carlos Myers
A+, Network+
Member - Star Wars Roleplaying Club
tsjakkaa
Registered User
Posts: 261
Joined: Sat Mar 27, 2004 1:25 pm
Location: belgium
Contact:

Post by tsjakkaa »

or just pm the image to the admin :?

I didn't really took in account this redirecting thing, but it can be really dangerous. But doesn't have phpBB a reasonable security so it can handle this type of hacking (something like an extra page to conform the action).

And if I really want to do such things, I will possibly also be able to have gif or pngs handled as php-files (that's just a bit of server-configuration), or use CGI. Then really no image is safe 8O

or is that just paranoia??

EDIT: I don't really asume this as a vulnerability or security threat (as this is stated in the rules)
It's a more general reflection of the use of images in an environment with different types of users and their possible power of doing 'administrative tasks'
Image
XTTX
Registered User
Posts: 234
Joined: Thu Jan 15, 2004 8:01 pm
Location: New York
Contact:

Post by XTTX »

Can you do this with a dynamic image extension onto the php? for example:
http://silvermu.game-server.cc/dynamic/ ... b]?id=XTTX[/b]
Also, if someone would like to help me with my connection problems

Ok Well. I got my dynamic image code, and I haven't tested it, but it should work.

Code: Select all

<?php
//Get character's name from the URL
$CHARACTER	= $_GET['id'];

//SQL Connection details
$conn = mssql_connect('localhost','sa','passwordremoved') or die('Could not make a connection to the Server'); 
$result = mssql_select_db('MuOnline', $conn) or die('Could not connect to the Database');

//SQL Query
$query = 'select Name,Class,cLevel,Strength,Agility,Vitality,Energy from Character where name = $CHARACTER';
$result = mssql_query( $query );
$row = mssql_fetch_row( $result );

//Class Info
if($row[1] == 0){
$CHR_CLASS = 'Dark Wizard';
}
if($row[1] == 1){
$CHR_CLASS = 'Soul Master';
}
//else{
if($row[1] == 16){
$CHR_CLASS = 'Dark Knight';
}
if($row[1] == 17){
$CHR_CLASS = 'Blade Knight';
}
if($row[1] == 32){
$CHR_CLASS = 'Elf';
}
if($row[1] == 33){
$CHR_CLASS = 'Muse Elf';
}
if($row[1] == 48){
$CHR_CLASS = 'Mage Gladiator';
}
if($row[1] == 64){
$CHR_CLASS = 'Darklord';
}
//Done

//Level Info
$LVL		= $row[2];
//Done

//Stength Info
$STRENGTH	= $row[3];
//Done

//Agility Info
$AGILITY	= $row[4];
//Done

//Vitality Info
$VITALITY	= $row[5];
//Done

//Energy Info
$ENERGY		= $row[6];
//Done

//Guild Info
$GUILD		= "TestGuild";
//Done

//Close Connection
$conn = mssql_close();
//Done

//Get Image File
$IMGVER_IMAGE = imagecreatefrompng("SilverMU Dynamic light.png");
//Done

//Set the color of the text
$TEXT_COLOR = ImageColorAllocate($IMGVER_IMAGE, 0, 0, 0);		//Set the color of the Stats
//Done

//Set Text Features (color,size etc.)
//The 6 , 30 , 40 in the code below sets
//the size and the X,Y coords of the text
imageString($IMGVER_IMAGE , 4 , 30 , 43 , "Character: " . $CHARACTER . "" ,$TEXT_COLOR);
imageString($IMGVER_IMAGE , 4 , 200 , 43 , "Class: " . $CHR_CLASS . "" ,$TEXT_COLOR);
imageString($IMGVER_IMAGE , 4 , 335 , 43 , "Guild: " . $GUILD . "" ,$TEXT_COLOR);
imageString($IMGVER_IMAGE , 4 , 30 , 65 , "Level: " . $LVL . "" ,$TEXT_COLOR);
imageString($IMGVER_IMAGE , 4 , 125 , 65 , "Str: " . $STRENGTH . "" ,$TEXT_COLOR);
imageString($IMGVER_IMAGE , 4 , 215 , 65 , "Agi: " . $AGILITY . "" ,$TEXT_COLOR);
imageString($IMGVER_IMAGE , 4 , 305 , 65 , "Vit: " . $VITALITY . "" ,$TEXT_COLOR);
imageString($IMGVER_IMAGE , 4 , 395 , 65 , "Nrg: " . $ENERGY . "" ,$TEXT_COLOR);
//Done

//Now We Send Image To The Browser
header("Content-type: image/png");
imagepng($IMGVER_IMAGE,'','100');
//Done
?>
And basically I want it to show the information that you see here (static image except for the charname)
http://silvermu.game-server.cc/dynamic/test.php?id=test

Which uses this code:

Code: Select all

<?php
//Server Name
$SERVER = "SilverMU";
//Character Info
$CHARACTER	= $_GET['id'];	//This gets the characters name from the URL
$CHR_CLASS	= "Darklord";	//Could be an SQL Query for this
$GUILD		= "TestGuild";	//Same as above
$LVL		= "350";
$STRENGTH	= "32000";
$AGILITY	= "32000";
$VITALITY	= "32000";
$ENERGY		= "32000";
//Done

//Get Image File
$IMGVER_IMAGE = imagecreatefrompng("SilverMU Dynamic light.png");
//Done

//Set the color of the text
$SERVER_COLOR = ImageColorAllocate($IMGVER_IMAGE, 200, 0, 0);	//Set the color of the Server Name
$TEXT_COLOR = ImageColorAllocate($IMGVER_IMAGE, 0, 0, 0);		//Set the color of the Stats
//Done

//Set Text Features (color,size etc.)
//The 6 , 30 , 40 in the code below sets
//the size and the X,Y coords of the text
imageString($IMGVER_IMAGE , 6 , 30 , 20 , $SERVER ,$SERVER_COLOR);
imageString($IMGVER_IMAGE , 4 , 30 , 43 , "Character: " . $CHARACTER . "" ,$TEXT_COLOR);
imageString($IMGVER_IMAGE , 4 , 200 , 43 , "Class: " . $CHR_CLASS . "" ,$TEXT_COLOR);
imageString($IMGVER_IMAGE , 4 , 335 , 43 , "Guild: " . $GUILD . "" ,$TEXT_COLOR);
imageString($IMGVER_IMAGE , 4 , 30 , 65 , "Level: " . $LVL . "" ,$TEXT_COLOR);
imageString($IMGVER_IMAGE , 4 , 125 , 65 , "Str: " . $STRENGTH . "" ,$TEXT_COLOR);
imageString($IMGVER_IMAGE , 4 , 215 , 65 , "Agi: " . $AGILITY . "" ,$TEXT_COLOR);
imageString($IMGVER_IMAGE , 4 , 305 , 65 , "Vit: " . $VITALITY . "" ,$TEXT_COLOR);
imageString($IMGVER_IMAGE , 4 , 395 , 65 , "Nrg: " . $ENERGY . "" ,$TEXT_COLOR);
//Done

//Now We Send Image To The Browser
header("Content-type: image/gif");
imagepng($IMGVER_IMAGE,'','100');
//Done
?>
The problem in the SQL data grabbing version is that it won't connect to my SQL server. Yes I used the right username, IP, password, and the server is online. I enabled the mssql.dll file. IIS is enabled. Username sa has been given all permissions. I'm using a D-Link 120g router w/ Appserv. So anyways can someone help me? And tell me if you find any errors in my code.
User avatar
SnowManrcd
Registered User
Posts: 155
Joined: Tue Oct 21, 2003 6:05 pm

Post by SnowManrcd »

corect me if I'm wrong, I'm thinkin this may not be possable but I figured I'd toss it out thre anyway.

when you request a dynamic image isnt one of the first things your script should send is the header information stating that the content type is an image??? with that dosent the browser only grab the image and all of the server scripting is done on the server that the image is contained on?

redirecting should not function like that so would there be a way to write a mod that simply states allow this link if its header declares it as an image and not to display it if otherwise? just a thought
-SnowMan
Blacketik
Registered User
Posts: 6
Joined: Tue Mar 08, 2005 5:58 am
Contact:

Post by Blacketik »

Hum, check my signature guy... its easy to do a dynamic image... you dont prevent hacking when you remove .php extension for dynamic image... he exist many ways to pass it.
flogger12
Registered User
Posts: 14936
Joined: Tue Nov 25, 2003 2:13 am

Post by flogger12 »

Blacketik wrote: Hum, check my signature guy... its easy to do a dynamic image... you dont prevent hacking when you remove .php extension for dynamic image... he exist many ways to pass it.


what you have done is somehow create a static gif image from your script before it is sent to the forum for display., that is fine, but if you were just linking to the php script that creates that image, it wouldn't work.
that is the point.



robert
User avatar
SnowManrcd
Registered User
Posts: 155
Joined: Tue Oct 21, 2003 6:05 pm

Post by SnowManrcd »

flogger12 wrote: if you were just linking to the php script that creates that image, it wouldn't work.
that is the point.

Not Necessaraly, his server may be set up to parse .jpg or .gif extensions as php in wihich case that is the php file.
-SnowMan
flogger12
Registered User
Posts: 14936
Joined: Tue Nov 25, 2003 2:13 am

Post by flogger12 »

SnowManrcd wrote:
flogger12 wrote:if you were just linking to the php script that creates that image, it wouldn't work.
that is the point.

Not Necessaraly, his server may be set up to parse .jpg or .gif extensions as php in wihich case that is the php file.

even so, it still solves the problem of hackers trying to run scripts in sig files.

I think,


robert
Locked

Return to “2.0.x Support Forum”