Dynamic Images ?

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
mrdicb
Registered User
Posts: 7
Joined: Sat Jan 08, 2005 9:23 pm

Dynamic Images ?

Post by mrdicb »

Is there a mod available that allows users to post dynamic images, as in:


[img]http://domain.com/image.php?id=1234[/img]
a specific example would be: [image]
CLee
Registered User
Posts: 511
Joined: Fri Nov 23, 2001 2:42 pm

Post by CLee »

Image links to a script were removed as they pose a rather serious XSS security threat.
Carlos Myers
A+, Network+
Member - Star Wars Roleplaying Club
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

Expanding on Carlos' statement, everything in PHPBB that allows a dynamic "whatever" is posted on sites like SecurityFocus as a vulnerability. Allow HTML, and you get reported for not properly "cleaning" the HTML of bad things like Javascript. Allow generated images, and you get written up for Cross-site scripting (XSS) vulnerabilities. You see the trend.

Because Internet Explorer has so many things that can cause it to do bad things to the user's computer, anything dynamic is going to have to be considered a security problem. I've already seen one report that says that the fact that PHPBB doesn't verify that a posted image link really is an image, instead of a "stealth" script, is a security problem. THAT is a ridiculous claim, in my opinion!
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer
mrdicb
Registered User
Posts: 7
Joined: Sat Jan 08, 2005 9:23 pm

Post by mrdicb »

when you say it is an XSS security issue, do you mean to MY system or another site's system?

Sorry if that is a dumb question, but I am installing an image shack style photo upload script onto my server, and it uses dynamic images, as explained above. Could I make it so it only accepted dynamic images from my own server? (either a sub-domain of my forum or a different domain on the same server)
Lumpy Burgertushie
Registered User
Posts: 69223
Joined: Mon May 02, 2005 3:11 am

Post by Lumpy Burgertushie »

the problem is, that a php or other type of script can be executed on your server from a sig file. now I don't think you want that. do you?


robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

mrdicb wrote: when you say it is a xss security issue, do you mean to MY system or another site's system?


It's a browser issue, mainly. Let's say I put an "image" link in that is really a script that says, "Do an HTTP post to the PHPBB website with the instructions to delete forum #3 from the website", and someone with admin privileges on your board reads a message with that link in it.

Now imagine the havoc you'd go through trying to recover from that.

That's just one possibility of an XSS vulnerability.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer
mrdicb
Registered User
Posts: 7
Joined: Sat Jan 08, 2005 9:23 pm

Post by mrdicb »

thanks all for your info... looks like I'm going to need another solution.
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

This subject comes up from time to time, so we see a lot of "what if we ..." type solutions floated. And I've even had people approach me via PM on how to write an appropriate regular expression to allow CERTAIN SERVERS to provide dynamic images, while not allowing "every" server to do so. To the point that I don't even read PMs from some people anymore... I don't have THAT MUCH free time!

One possibility exists for "vetting" images, but it will increase your bandwidth usage. A script could be written to open a remote URL and load its response, check that it is a real image, then send that to the browser. It would basically convert any IMG bbcode tags into calls to this special script, so the result would look kind of like:


<img src=vette_img.php?http://domain.com/image.php?id=1234>
vette_img.php would connect to the URL, determine the image type (PNG, GIF, JPG), use the PHP GD functions to load the image, optionally resize it to match your specifications, then spit the result out to the browser.

This is the 10-pound sledgehammer approach. 8)
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer
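As an added example (not espicom's code, nor anything shipped with phpBB), here is what the vetting script described above could look like, folded together with mrdicb's question about accepting images only from your own servers: the host allowlist, the 2 MB limit, the use of the raw query string as the URL, and the PHP 7 syntax are all this example's assumptions; it also assumes allow_url_fopen and the GD extension are enabled.

```php
<?php
// vette_img.php (added example): called as vette_img.php?http://host/image.php?id=1234
// Fetches the remote URL, proves it is a real image by decoding it with GD,
// and sends the re-encoded bytes to the browser. Nothing from the remote
// response (headers, scripts, HTML) reaches the reader directly.

// Only hosts you control (mrdicb's sub-domain / same-server case). Assumed values.
$allowed_hosts = ['img.example.com', 'gallery.example.com'];
$max_bytes     = 2 * 1024 * 1024;   // refuse anything larger than 2 MB

// The thread's scheme passes the target URL raw after the "?", so the whole
// query string is the URL, including the target's own "?id=1234".
$url   = $_SERVER['QUERY_STRING'] ?? '';
$parts = parse_url($url);
if ($parts === false
    || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)
    || !in_array(strtolower($parts['host'] ?? ''), $allowed_hosts, true)) {
    http_response_code(403);
    exit('Refused: host is not on the allowlist');
}

// Short timeout, and no redirect following, so the remote script cannot
// bounce this proxy to some other host after the allowlist check.
$ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
$data = @file_get_contents($url, false, $ctx, 0, $max_bytes + 1);
if ($data === false || strlen($data) > $max_bytes) {
    http_response_code(502);
    exit('Refused: fetch failed or image too large');
}

// Decode with GD instead of trusting the remote Content-Type: a response that
// is not a decodable PNG/GIF/JPEG fails here and is never served.
$img = @imagecreatefromstring($data);
if ($img === false) {
    http_response_code(415);
    exit('Refused: not a decodable image');
}

// Optional: resize to a fixed width here with imagescale() if the board
// enforces image dimensions.

// Re-encode so the browser only ever receives bytes GD produced.
header('Content-Type: image/png');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="image.png"');
imagepng($img);
imagedestroy($img);
```

The bandwidth cost espicom mentions is visible here: every image view is fetched and re-encoded by your server, so a cache keyed on the URL would be the first addition in practice.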
Lumpy Burgertushie
Registered User
Posts: 69223
Joined: Mon May 02, 2005 3:11 am

Post by Lumpy Burgertushie »

and I don't believe it will work in sig files because they are set to not process any link with php and/or ? in it I think.


robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.
starfoxtj
Registered User
Posts: 3714
Joined: Tue Jul 29, 2003 2:01 am

Post by starfoxtj »

Man I need a bookmark to my sig post...

Here:
http://www.phpbb.com/phpBB/viewtopic.ph ... ht=dynamic

Or:
http://www.phpbb.com/phpBB/viewtopic.ph ... ht=dynamic

You may prefer this code, it's more condensed and easier to work with:

<?php

// Return one entry of $array picked at random.
function randomize( $array )
{
	$array_num = count( $array ) - 1;
	$rand_num  = rand( 0, $array_num );

	return $array[$rand_num];
}

// Candidate images; the script picks one per request.
$image = randomize( array(
	"images/cat.jpg",
	"images/dog.jpg",
	"images/superman.jpg",
	"images/coolio.jpg"
) );

// Redirect the browser to the chosen image instead of serving it directly.
header( "Location: http://domain.com/$image" );

?>
Admin ToolKit v2.1a - An Admins most helpful tool for user management. Now Supports Mass User Deletion!
Change User's: names, passwords, emails, active status and avatar/pm permissions.
Ban/Unban Users, change Post and Resync Counts, and promote/demote users to admin.
Completely independent from your phpbb user account settings. No installation required, just upload one file.
User Upload ToolKit Beta - A quick and easy, 30 second-install, attachment mod. Now Supports Dynamic Thumbnails!
mrdicb
Registered User
Posts: 7
Joined: Sat Jan 08, 2005 9:23 pm

Post by mrdicb »

espicom wrote: This subject comes up from time to time, so we see a lot of "what if we ..." type solutions floated. And I've even had people approach me via PM on how to write an appropriate regular expression to allow CERTAIN SERVERS to provide dynamic images, while not allowing "every" server to do so. To the point that I don't even read PMs from some people anymore... I don't have THAT MUCH free time!

One possibility exists for "vetting" images, but it will increase your bandwidth usage. A script could be written to open a remote URL and load its response, check that it is a real image, then send that to the browser. It would basically convert any IMG bbcode tags into calls to this special script, so the result would look kind of like:


<img src=vette_img.php?http://domain.com/image.php?id=1234>
vette_img.php would connect to the URL, determine the image type (PNG, GIF, JPG), use the PHP GD functions to load the image, optionally resize it to match your specifications, then spit the result out to the browser.

This is the 10-pound sledgehammer approach. 8)


Great advice, if I can't find any other alternatives I might have to use this, but I hope it will be a last resort.
Lumpy Burgertushie
Registered User
Posts: 69223
Joined: Mon May 02, 2005 3:11 am

Post by Lumpy Burgertushie »

if you want to unsecure your board, then you will have to do "last resorts"

that is the point, this has been disallowed for security reasons, if you don't care about your boards security, then you will have to undo the code or go in through the back door, etc. etc.


robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.