FUDforum
[img] - PHP injection??!! [message #22331] Fri, 28 January 2005 15:17
ggray   Ukraine
Messages: 96
Registered: October 2004
Location: Crimea: Simferopol
Karma: 0
Member

IMHO we need additional filter for use in [img] tags.
because now we can do PHP injection:
http://ggray.org.ua/test2.php
Re: [img] - PHP injection??!! [message #22332 is a reply to message #22331] Fri, 28 January 2005 16:13
JamesS   United States
Messages: 275
Registered: July 2002
Location: Atlanta, GA
Karma: 0
Senior Member
Whew! By your topic I thought that you could insert PHP code in the img tag and it would execute on the server hosting the forum. What you have done is harmless as far as I can tell because the remote server's PHP can't access anything on the forum server.

Plus, there are many places out there that send images to the browser via PHP for various reasons.

[Updated on: Fri, 28 January 2005 16:14]

Re: [img] - PHP injection??!! [message #22333 is a reply to message #22332] Fri, 28 January 2005 16:29
ggray   Ukraine

I agree, it's not serious, but using this issue we can do such things as tracking user activity and so on.

Yes, we can use mod_rewrite to hide the file extension, but this is too difficult for "beginner hackers", especially those who do not have fully controlled web servers.

sorry for my English.

[Updated on: Fri, 28 January 2005 16:31]

Re: [img] - PHP injection??!! [message #22336 is a reply to message #22333] Fri, 28 January 2005 16:42
Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
You can disallow [img] tag if you are concerned about this issue. No amount of validation is going to secure remote images, since you can make the remote server do whatever it wants with the request. And allowing local image links only is pretty pointless functionality.

FUDforum Core Developer
Re: [img] - PHP injection??!! [message #22339 is a reply to message #22336] Fri, 28 January 2005 17:19
ggray   Ukraine

Yes, but I think an additional filter for image extensions is more suitable.
Re: [img] - PHP injection??!! [message #22341 is a reply to message #22339] Fri, 28 January 2005 17:23
Ilia   Canada
Checking image extensions is pointless, because there are MANY simple ways to bypass it:

1) Make server think of all .jpg,.gif requests as scripting files passed to PHP.

2) Redirect requests for .jpg to scripting language.

3) Even if during message posting the URL was validated as a valid image, there is nothing to stop the user from going to their server and changing the content of the image after it has been validated.

As long as the [img] tag is enabled, it is ultimately up to the remote server what sort of image data is returned.


FUDforum Core Developer
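As an added illustration of the two positions in this thread (this is example code written for this page, not FUDforum's own BBCode renderer and not code posted by anyone here): the extension filter ggray proposes, next to the options Ilia mentions, disabling [img] altogether or allowing only images on the forum's own host. The host names, the `forum.example` local host, and the sample posts are constructed. The extension filter accepts any URL the remote server chooses to name `pixel.jpg`, which is the point of Ilia's items 1 and 2; the disabled and local-only policies render the URL as text, so the reader's browser never contacts the remote host.

```python
import re
from html import escape
from urllib.parse import urlparse

# Matches a BBCode [img]...[/img] tag; the URL is the captured group.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

# Extensions the "additional filter" proposed in the thread would accept.
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".gif", ".png")


def extension_looks_like_image(url: str) -> bool:
    """The extension filter proposed in the thread.

    It inspects the URL string only. The remote server decides which bytes
    come back for "pixel.jpg", so this says nothing about the response.
    """
    return urlparse(url).path.lower().endswith(IMAGE_EXTENSIONS)


def render_img_tags(text: str, policy: str, local_host: str = "forum.example") -> str:
    """Rewrite [img] tags in a post according to a policy.

    policy:
      "disabled"   - never emit <img>; the URL is shown as escaped text, so the
                     reader's browser makes no request to the remote host.
      "local_only" - emit <img> only for URLs on local_host (the forum's host).
      "extension"  - emit <img> when the URL path ends in an image extension
                     (the filter the thread argues is bypassable).
    Anything the policy does not allow is rendered as escaped text.
    """

    def replace(match: "re.Match[str]") -> str:
        url = match.group(1).strip()
        parsed = urlparse(url)
        allowed = False
        # Only http(s) URLs are ever considered; other schemes stay text.
        if parsed.scheme in ("http", "https"):
            if policy == "local_only":
                allowed = parsed.hostname == local_host
            elif policy == "extension":
                allowed = extension_looks_like_image(url)
        if not allowed:
            return escape(url)
        return '<img src="%s" alt="">' % escape(url, quote=True)

    return IMG_TAG.sub(replace, text)


# Constructed sample posts (hypothetical hosts, not from the thread).
SAMPLE_POSTS = {
    "tracker_script": "look: [img]http://tracker.example/pixel.php[/img]",
    "tracker_renamed": "look: [img]http://tracker.example/pixel.jpg[/img]",
    "local_image": "logo: [img]http://forum.example/images/logo.gif[/img]",
}

if __name__ == "__main__":
    for policy in ("extension", "local_only", "disabled"):
        print("policy:", policy)
        for name, post in SAMPLE_POSTS.items():
            print("  %-16s %s" % (name, render_img_tags(post, policy)))
```

Running the block shows that under the "extension" policy the renamed tracker URL is emitted as an `<img>` just like a real image, while "local_only" and "disabled" keep both tracker URLs as plain text.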
Re: [img] - PHP injection??!! [message #22342 is a reply to message #22341] Fri, 28 January 2005 17:35
ggray   Ukraine

ok, keep this code untouched