espicom wrote: Old news. The HTML vulnerability is in Internet Explorer, and it's PHPBB's problem because some people enable HTML. If you're worried about it, disable HTML, like most of us, and the attack won't be able to work. I haven't had HTML enabled on a forum in years. Brute-force password attacks are nothing new, just made easier by the information an IE user can reveal without knowing it.
Of course, I'm not trying to annoy users by enabling FLASH and automatic music, like some users.
espicom wrote: You can not design for problems you do not know about. Internet Explorer has a bug that will allow someone to send it an "image" that is really a program, and compromise it. PHPBB tries to fix that by limiting what can appear in an IMG tag, but it isn't enough - if someone has access to a server, you can build a legal URL that will look like an image file (no script references or other suspicious content), even be verifiable to contain an image when checked, and yet still send a compromise program to a real IE user. How is this PHPBB's fault? How does taking a "corporate attitude" towards the problem fix Internet Explorer?
You can only protect IE users by eliminating any possibility of anyone other than yourself providing content to your site. You can not provide links to external pages or images, especially those that can be provided by others; if it isn't on your server, you don't control it, and you can not protect IE users from it. It's as simple as that.
The problem is that "the world wide web" is all about links, and that's where the security of Internet Explorer falls apart. It's too trusting of content - if I send a file "bob.jpg" to IE, and it's really an executable, IE will execute it, rather than deciding it's a bad JPG file. Oops! Fix PHPBB!
IE has so many flaws that have yet to be discovered (or publicised) that it could be years before everyone "protects" IE users "enough", but Microsoft keeps introducing new flaws, with each new version. Can you tell me what the PHPBB development team will need to change in PHPBB to be ready to protect IE 7 users?
itsonlybarney wrote: I just want clarification. From what I have read you are saying that phpBB has a 'flaw' because it will open an 'image' file that may be an executable program. Is that right? But you're also saying that because phpBB is run on a PHP server that the PHP should be able to detect whether the 'image', in a signature or a post, is an executable. From my understanding the signatures in posts and images are generally stored outside the phpBB server and therefore PHP can't determine whether or not the 'image' is really an executable file.
clubchill wrote: lol.. I guess I won this debate, huh?
No counterpoints? hehehe
"Washington Post reports that another Windows hole has been found and exploit code is now running loose that makes Swiss cheese of current patches and security measures. From the article: "Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied. Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf). Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via IRC.""
Actually it's PHP Hypertext Processor now, and Personal Home Page in the past
clubchill wrote: lol.. that's the whole purpose of server-side scripting, you process the data "Before" it's sent to the browser.... hello?
PHP has functions that can verify the reliability of a file, such as in the jpg scenario you mentioned, and if it's a bad file then it can be scripted to not even send the file to the browser. That's the whole point of PHP..... "HTML Processing"
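The two positions argued in this thread, as an added PHP example (not phpBB code and not written by any poster here): a server-side check can decide from the bytes, not the file name, whether a file the forum itself stores is an allowed image, but it says nothing about an image URL hosted elsewhere, whose server can return different content on a later request. The function name and sample data are hypothetical and constructed for illustration.

```php
<?php
// Added example. Validates bytes the forum server itself will serve.

const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'image/gif',
    IMAGETYPE_JPEG => 'image/jpeg',
    IMAGETYPE_PNG  => 'image/png',
];

/**
 * Return the MIME type to serve for $bytes, or null if the content is not an
 * allowed image. The decision uses the content only, never the file name or a
 * client-supplied Content-Type. getimagesizefromstring() parses the image
 * header, so this is a type check, not proof that the rest of the file is benign.
 */
function verified_image_type(string $bytes): ?string
{
    $info = @getimagesizefromstring($bytes); // false for non-image data
    if ($info === false) {
        return null;
    }
    [$width, $height, $type] = $info;
    if (!array_key_exists($type, ALLOWED_IMAGE_TYPES) || $width < 1 || $height < 1) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$type];
}

// Constructed samples: a 1x1 GIF header, and a "bob.jpg" whose content
// starts with the MZ signature of a Windows executable.
$samples = [
    'pixel.gif' => "GIF89a" . pack('vv', 1, 1) . "\x80\x00\x00",
    'bob.jpg'   => "MZ\x90\x00\x03\x00\x00\x00" . str_repeat("\x00", 56),
];

foreach ($samples as $name => $bytes) {
    $mime = verified_image_type($bytes);
    if ($mime === null) {
        echo "$name: rejected, not served\n";
        continue;
    }
    // When actually serving the file, send the verified type and tell the
    // browser not to guess a different one:
    //   header("Content-Type: $mime");
    //   header('X-Content-Type-Options: nosniff');
    echo "$name: ok, serve as $mime\n";
}
```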