PHP Files As Signatures

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
User avatar
stubbers
Registered User
Posts: 406
Joined: Sat Oct 23, 2004 10:36 pm
Location: LoSt
Contact:

PHP Files As Signatures

Post by stubbers »

Gday all,
An interesting topic. I wanted to ask the Dev's if you planned to allow php files to appear as images. This appears to be the case from the current version running on here, however 2.0.XX dosen't allow it.

Was just wondering what the plan is?

Cheers,
Stubbers

ElbertF
Registered User
Posts: 583
Joined: Fri Dec 03, 2004 4:35 pm
Location: tracing..
Contact:

Re: PHP Files As Signatures

Post by ElbertF »

Acyd Burn wrote: I do not want to block dynamic images or scripts at images at all...
;)

Yoda_IRC
Registered User
Posts: 158
Joined: Tue Mar 01, 2005 10:19 pm

Re: PHP Files As Signatures

Post by Yoda_IRC »

there is a crafty workaround. phpBB blocks based on the URL.
e.g:
http://www.example.com/images/mypic.php" target="_blank
and
http://www.example.com/images/mypic.php?file=23" target="_blank

would both be blocked.

However, you can have a file with extension .jpg, that can be proccessed as a .php file. You can also use Apache's rewrite module to turn something like:
http://www.example.com/dynimages/23/img.jpg" target="_blank into calling
http://www.example.com/script/image.php?file=23" target="_blank or whatever you need.

To phpBB it can't tell the differance, things that happen server-side are pretty invisible.
I can't remember the exact ways to achieve the above, one involves adding a directive to process .jpg as a php file and contains php code directly, the other uses a directive to change an inbound url into a differant one for calling the file.

Read the Apache docs (Note: this may not be possible on inferior webservers such as IIS).

[edit]
To force .jgeg files to be processed as php you could try:

Code: Select all

AddType application/x-httpd-php .jpeg
you probably want to use .htaccess or apply it to a specific folder so it won't screw up all your .jpegs

Docs for rewrite can be found at: http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html" target="_blank

APTX
Registered User
Posts: 680
Joined: Thu Apr 24, 2003 12:07 pm

Re: PHP Files As Signatures

Post by APTX »

You can just call you script like this:

Code: Select all

http://www.mydomain.tld/script.php/signature.png
Don't give me my freedom out of pity!

User avatar
Acyd Burn
Posts: 1838
Joined: Tue Oct 08, 2002 5:18 pm
Location: Behind You
Contact:

Re: PHP Files As Signatures

Post by Acyd Burn »

indeed. The only thing which is prevented is linking to php files within the domain and script path of the phpBB installation. This is not a full protection against those idiots trying to "log you out", but it is a precaution since it makes no sense to link to those files. There are additional checks made and the logout most likely will see a SID requirement.

Image

Cap'n Refsmmat
Registered User
Posts: 219
Joined: Tue Jan 25, 2005 11:31 pm

Re: PHP Files As Signatures

Post by Cap'n Refsmmat »

What happens if someone makes an "image" that is actually a redirect that sends the browser to the "lock thread" page or something? Would a browser accept a redirect for an image like that?

Yoda_IRC
Registered User
Posts: 158
Joined: Tue Mar 01, 2005 10:19 pm

Re: PHP Files As Signatures

Post by Yoda_IRC »

yes it would accept it, normally.

It is also possible for someone o put an image on their own site to achieve the same affect.

Thats why forms need to be checked when submitted. If a form uses POST for instance it isn't subject to the image problem as that uses a GET request. Another check is to match the referer to ensure the user clicked something on your page. There are also other techniques such as adding toekns into forms and checking for a correct token when processing the form. I haven't yet checked phpBB's protection against XSS threats etc. I have read bits of the source, just nt thoose bits. (I like the witty comments in some of the comments like:

Code: Select all

Here we do a bot check, oh er saucy! No, not that kind of bot
check.
You can find out what file its in on your own ;)

User avatar
jojobarjo32
Registered User
Posts: 164
Joined: Wed Jun 22, 2005 7:38 pm
Location: France

Re: PHP Files As Signatures

Post by jojobarjo32 »

Acyd Burn wrote: indeed. The only thing which is prevented is linking to php files within the domain and script path of the phpBB installation. This is not a full protection against those idiots trying to "log you out", but it is a precaution since it makes no sense to link to those files. There are additional checks made and the logout most likely will see a SID requirement.
I see that you use the getimagesize() function within the bbcode first pass. This function returning false (and an E_WARNING error) if the file specified is not an image, doesn't a simple check on this return value prove that the file is an image or not ?
BTW, I'm not sure that your two checks on the image size will work very well if the file is not an image... :? (but it's not the subject here :))

Yoda_IRC
Registered User
Posts: 158
Joined: Tue Mar 01, 2005 10:19 pm

Re: PHP Files As Signatures

Post by Yoda_IRC »

Does phpBB request the file from a remote source when its used in an image link?

Anyway there are ways to avoid this kind of check, I had an interesting disscussion with a few people about it during the WMF problem with windows. I won't go off topic and mention many of the clever ways of breaking such a system but needless to say it will not provide you perfect security. And it still won't help you if other sites are holding the image file.

ElbertF
Registered User
Posts: 583
Joined: Fri Dec 03, 2004 4:35 pm
Location: tracing..
Contact:

Re: PHP Files As Signatures

Post by ElbertF »

APTX wrote: You can just call you script like this:

Code: Select all

http://www.mydomain.tld/script.php/signature.png
That even works on 2.0.x, I didn't know that :)

Post Reply