Limit avatar image types

John connor
Registered User
Posts: 2331
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Limit avatar image types

Post by John connor » Fri Oct 18, 2019 10:59 pm

How do I go about limiting the type of file extension used for avatars? Looks like I can only do this for attachments. Reason I ask is that I know a png can be laced with a malicious payload and I'd rather limit that extension. tif and tga might also be vulnerable.

3Di
Former Team Member
Posts: 14477
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Limit avatar image types

Post by 3Di » Sat Oct 19, 2019 1:15 am


Gumboots
Registered User
Posts: 210
Joined: Fri Oct 11, 2019 1:59 am

Re: Limit avatar image types

Post by Gumboots » Sat Oct 19, 2019 1:55 am

If you're really paranoid, I know gif can carry a payload too. Even a blank 1px gif. I wouldn't be surprised if it can be done with any image format, but I expect that phpBB will sanitise avatars anyway.

EA117
Registered User
Posts: 1159
Joined: Wed Aug 15, 2018 3:23 am

Re: Limit avatar image types

Post by EA117 » Sat Oct 19, 2019 4:46 am

Also keeping in mind that "the extension on the file" is not the same thing as "the content in the file." But it is at least something. Good to know where you could limit or expand the list of extensions, regardless.

Like Gumboots indicated, if "can have" malicious code is the threshold, then there isn't any format currently in that list which is immune.

Mick
Support Team Member
Posts: 21724
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: Limit avatar image types

Post by Mick » Sat Oct 19, 2019 9:30 am

John connor wrote:
Fri Oct 18, 2019 10:59 pm
I know a png can be laced with a malicious payload and I'd rather limit that extension. tif and tga might also be vulnerable
It’s possible for ANY image file to be ‘infected’ or ‘programmed’ with malware. Stopping PNGs alone is only a small part of it.

canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs

Re: Limit avatar image types

Post by canonknipser » Sat Oct 19, 2019 1:29 pm

Mick wrote:
Sat Oct 19, 2019 9:30 am
Stopping PNG’s alone is only a small part of it.
Yes, it's true not only for images, but for nearly any file format. So, to keep your board free of injection through resources not controlled by yourself, you should
  • disable attachments
  • disable [img]-tags
  • disable external linking
  • disable posting (someone can tell people to visit a certain web site which injects visitors' local devices, or write down a malicious shell script and tell others to execute it on their local machine)
  • and finally disable your board - the internet is a highly risky environment, so nobody should visit it.

John connor
Registered User
Posts: 2331
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Limit avatar image types

Post by John connor » Sun Oct 20, 2019 8:05 am

Gumboots wrote:
Sat Oct 19, 2019 1:55 am
If you're really paranoid, I know gif can carry a payload too. Even a blank 1px gif. I wouldn't be surprised if it can be done with any image format, but I expect that phpBB will sanitise avatars anyway.
I don't understand. All I found on malicious gifs was this: https://giphy.com/explore/malicious-payload :lol:

No, I read this: https://www.opswat.com/blog/hacking-pic ... ow-stop-it

I guess I'll just leave it be. No sense in changing it. I can use a script that will scan all uploads for viruses. But I need an extension created that will allow it to be used due to Ajax. The script is here: https://github.com/phpMussel/phpMussel

Question: Does phpBB's MIME sniff ability help prevent this sort of thing with the correct MIME type?

Marc
Development Team Leader
Posts: 5414
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc

Re: Limit avatar image types

Post by Marc » Thu Oct 24, 2019 7:43 pm

If you read that post then you should have come to the conclusion that while images can carry additional data, one would have to be able to inject something like a script tag or have the server execute that additional data somehow. I don't see this applying to phpBB.

The MIME type IMHO has nothing to do with what is being explained in this.
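As an added illustration of EA117's point that the extension on a file is not the content in the file, and of Marc's point about what content sniffing does and does not tell you, here is example code written for this thread (not part of phpBB; the byte strings are constructed, not real uploads):

```python
# Added example, not phpBB code. Two checks an upload handler can run on an
# avatar: (1) do the leading "magic" bytes agree with the file extension?
# (2) for a PNG, are there bytes after the IEND chunk that no decoder needs?
# Check (1) catches a mislabelled file; it says nothing about appended data,
# which is what check (2) looks for.

MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}

# A PNG IEND chunk: 4-byte length (0) + type "IEND" + CRC32 of "IEND".
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"


def sniff_image_type(data: bytes):
    """Return 'png', 'gif' or 'jpg' from the leading bytes, else None."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def extension_matches_content(filename: str, data: bytes) -> bool:
    """True when the declared extension agrees with the sniffed type."""
    ext = filename.rsplit(".", 1)[-1].lower()
    ext = {"jpeg": "jpg"}.get(ext, ext)  # normalise the JPEG spelling
    return sniff_image_type(data) == ext


def png_trailing_bytes(data: bytes) -> int:
    """Bytes after the IEND chunk (0 for a clean PNG, -1 if no IEND found).

    A renderer stops at IEND, so anything after it is carried along
    without ever being looked at by the image decoder.
    """
    pos = data.find(PNG_IEND)
    if pos < 0:
        return -1
    return len(data) - (pos + len(PNG_IEND))


# Constructed samples: a PNG signature followed directly by IEND (valid
# framing, not a renderable picture), and the same file with junk appended.
CLEAN_PNG = MAGIC["png"][0] + PNG_IEND
EXTRA = b"bytes that are not part of the image"
TAINTED_PNG = CLEAN_PNG + EXTRA
```

Sniffing alone reports both samples as a PNG; only the trailer check tells them apart, and even that only shows that extra bytes exist, not what they are.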

John connor
Registered User
Posts: 2331
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Limit avatar image types

Post by John connor » Sat Oct 26, 2019 10:39 am

So the payload can't be executed in the browser?

Gumboots
Registered User
Posts: 210
Joined: Fri Oct 11, 2019 1:59 am

Re: Limit avatar image types

Post by Gumboots » Sun Oct 27, 2019 1:22 am

Such things have been done in the past, but they have been well-known hacks for years and everyone has implemented safeguards against them. But obviously there is no such thing as 100% certainty, because there is no way of knowing about vulnerabilities that haven't been found yet, so if you are genuinely concerned about it you will have to block all images. Personally I'd take my chances.
