Limit avatar image types

John connor · Post by **John connor** » Fri Oct 18, 2019 10:59 pm

How do I go about limiting the type of file extension used for avatars? Looks like I can only do this for attachments. Reason I ask is that I know a png can be laced with a malicious payload and I'd rather limit that extension. tif and tga might also be vulnerable.

3Di · Post by **3Di** » Sat Oct 19, 2019 1:15 am

https://github.com/phpbb/phpbb/blob/c75 ... hp#L60-L74

Gumboots · Post by **Gumboots** » Sat Oct 19, 2019 1:55 am

If you're really paranoid, I know gif can carry a payload too. Even a blank 1px gif. I'm wouldn't be surprised if it can be done with any image format, but I expect that phpBB will sanitise avatars anyway.

EA117 · Post by **EA117** » Sat Oct 19, 2019 4:46 am

Also keeping in mind that "the extension on the file" is not the same thing as "the content in the file." But it is at least something. Good to know where you could limit or expand the list of extensions, regardless.

Like Gumboots indicated, if "can have" malicious code is the threshold, then there isn't any format currently in that list which is immune.

Post by **Mick** » Sat Oct 19, 2019 9:30 am

John connor wrote: ↑
Fri Oct 18, 2019 10:59 pm
I know a png can be laced with a malicious payload and I'd rather limit that extension. tif and tga might also be vulnerable

It’s possible for ANY image file to be ‘infected’ or ‘programmed’ with malware. Stopping PNG’s alone is only a small part of it.

canonknipser · Post by **canonknipser** » Sat Oct 19, 2019 1:29 pm

Mick wrote: ↑
Sat Oct 19, 2019 9:30 am
Stopping PNG’s alone is only a small part of it.

yes, it's true not only for images, but for nearly any file format. So, to keep you board free of injection through resources not controlled by yourself, you should

disable attachments
disable [img]-tags
disable external linking
disable posting (someone can tell people to visit a certain web site which injects visitor's local devices or write down a malicious shell script and tell others to execute it on their local machine)
and finally disable your board - internet is a high risky environment , so nobody should visit it.

John connor · Post by **John connor** » Sun Oct 20, 2019 8:05 am

Gumboots wrote: ↑
Sat Oct 19, 2019 1:55 am
If you're really paranoid, I know gif can carry a payload too. Even a blank 1px gif. I'm wouldn't be surprised if it can be done with any image format, but I expect that phpBB will sanitise avatars anyway.

I don't understand. All I found on malicious gifs was this: https://giphy.com/explore/malicious-payload

No, I read this: https://www.opswat.com/blog/hacking-pic ... ow-stop-it

I guess I'll just leave it at be. No sense in changing it. I can use a script that will scan all uploads for viruses. But I need an extension created that will allow it to be used due to Ajax. The script is here: https://github.com/phpMussel/phpMussel

Question: Does phpBB's MIME sniff ability help prevent this sort of thing with the correct MIME type?

Post by **Marc** » Thu Oct 24, 2019 7:43 pm

If you read that post then you should have come to the conclusion that while images can carry additional data, one would have to be able to inject something like a script tag or have the server execute that additional data somehow. I don't see this applying to phpBB.

The MIME type IMHO has nothing to do with what is being explained in this.

John connor · Post by **John connor** » Sat Oct 26, 2019 10:39 am

So the payload can't be executed in the browser?

Gumboots · Post by **Gumboots** » Sun Oct 27, 2019 1:22 am

Such things have been done in the past, but they have been well-known hacks for years and everyone has implemented safeguards against them. But obviously there is no such thing as 100% certainty, because there is no way of knowing about vulnerabilities that haven't been found yet, so if you are genuinely concerned about it you will have to block all images. Personally I'd take my chances.

advertisements