FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Avatars and URL control [message #35857] Sat, 17 February 2007 12:07
Marticus   United States
Messages: 272
Registered: June 2002
Karma: 1
Senior Member
Hey! Long time no post. I have a new question regarding the security of a new site I am building. How difficult would it be to add an option to allow URL avatars while prohibiting URLs from outside the domain? I have two subdomains, the forums on one, and an avatar generator on another. The rest is self-explanatory. Thanks!

Marticus
Re: Avatars and URL control [message #35860 is a reply to message #35857] Sat, 17 February 2007 13:23
Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
It leaves too much room for holes IMO; there are no plans to add such functionality into the stock FUDforum.

FUDforum Core Developer
Re: Avatars and URL control [message #35861 is a reply to message #35860] Sat, 17 February 2007 16:02
Marticus   United States
Messages: 272
Registered: June 2002
Karma: 1
Senior Member
Thanks for the reply. If it isn't too much trouble I would like to hear about the holes of which you speak.
Re: Avatars and URL control [message #35868 is a reply to message #35861] Sun, 18 February 2007 11:58
Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
There is a possibility of someone injecting XSS onto a trusted domain, allowing them to then inject JS code via avatars into the forum page, potentially leading to session takeover.

FUDforum Core Developer
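
One way a local modification could restrict avatar URLs to a single trusted host, shown as an added example that is not FUDforum code and not part of the posts above. The host `avatars.example.com`, the `/img/` path layout and both function names are assumptions; the check limits where the image is loaded from, not what that host serves, so the trusted host must itself be free of injection flaws.

```php
<?php
// Added example, not FUDforum code. Host and path layout are assumptions.
const AVATAR_HOST = 'avatars.example.com'; // hypothetical avatar-generator subdomain

// Returns the URL if it is an acceptable avatar reference, otherwise null.
function validate_avatar_url(string $url): ?string
{
    // Printable ASCII only, no spaces, bounded length.
    if ($url === '' || strlen($url) > 255 || preg_match('/[^\x21-\x7e]/', $url)) {
        return null;
    }
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'], $p['path'])) {
        return null;
    }
    // https only, so javascript:, data: and plain http never pass.
    if (strtolower($p['scheme']) !== 'https') {
        return null;
    }
    // Exact host comparison. A substring or suffix test would also accept
    // avatars.example.com.other.test, or the trusted name placed in the
    // userinfo or path of a URL pointing at a different host.
    if (strtolower($p['host']) !== AVATAR_HOST) {
        return null;
    }
    // No credentials, port, query string or fragment.
    foreach (['user', 'pass', 'port', 'query', 'fragment'] as $part) {
        if (isset($p[$part])) {
            return null;
        }
    }
    // Path must be a plain image file name under /img/ (assumed layout).
    if (!preg_match('#^/img/[A-Za-z0-9_-]{1,64}\.(png|gif|jpe?g)$#', $p['path'])) {
        return null;
    }
    return $url;
}

function render_avatar(string $url): string
{
    $ok = validate_avatar_url($url);
    if ($ok === null) {
        return ''; // fall back to no avatar
    }
    // Escape on output even though the value has been validated.
    return '<img src="' . htmlspecialchars($ok, ENT_QUOTES, 'UTF-8') . '" alt="avatar">';
}
```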