PHP Files As Signatures

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
User avatar
stubbers
Registered User
Posts: 406
Joined: Sat Oct 23, 2004 10:36 pm
Location: LoSt
Contact:

Re: PHP Files As Signatures

Post by stubbers »

Or if you are the administrator of your board you can just make a tiny change to the bb-code.php under includes

Never written a mod before so this dosen't stick to the conventions

OPEN
includes/bbcode.php

FIND

Code: Select all

$text = preg_replace("#\[img\]((http|ftp|https|ftps)://)([^ \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|png)))\[/img\]#sie", "'[img:$uid]\\1' . str_replace(' ', '%20', '\\3') . '[/img:$uid]'", $text);
REPLACE WITH

Code: Select all

$text = preg_replace("#\[img\]((http|ftp|https|ftps)://)([^ \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|png|php)))\[/img\]#sie", "'[img:$uid]\\1' . str_replace(' ', '%20', '\\3') . '[/img:$uid]'", $text);
Sorry if that didn't stick to conventions. You just add whatever filetypes you want to be recognized in the [img] tag. Pretty easy huh... That's what I did with my forums (also please note that this will not take effect until you resubmit posts with php files as image tags, you must force phpbb to re-parse the [img] tag!)

Cheers,
Stubbers

EDIT - Removed BBCODE from within CODE tags (sorry)

Yoda_IRC
Registered User
Posts: 158
Joined: Tue Mar 01, 2005 10:19 pm

Re: PHP Files As Signatures

Post by Yoda_IRC »

There is on key differance to that approach stubbers.

If I have my server interprit a URL thats .jpeg as .php I know this file is likely to be called by a browser using an image tag.

If a board is altered as you suggest it can call any php file in that manor, which may not have been expected by the creator. Although people writing php scripts should include protection for this kind of attack we don't want to make it any easier for people to launch attacks, and I would really not want to expose my sites users to such threats. And even though there are ways to circumvent such a restriction you don't want to make it easy for attacks no do we?

User avatar
stubbers
Registered User
Posts: 406
Joined: Sat Oct 23, 2004 10:36 pm
Location: LoSt
Contact:

Re: PHP Files As Signatures

Post by stubbers »

LOL... A very good point... But still, if you are calling a script what damage can it do to my server...

(Stubbers notes IT admin at school is blocking his site via ISA server, idea's on how to circumvent this are more than welcome)

ElbertF
Registered User
Posts: 583
Joined: Fri Dec 03, 2004 4:35 pm
Location: tracing..
Contact:

Re: PHP Files As Signatures

Post by ElbertF »

It's not really possible to launch an attack through the img tag with PHP. Probably the worst thing you could do is calling the logout link, logging users out on page load (this isn't possible in the latest CVS).

Sebastian R.
Registered User
Posts: 14
Joined: Thu May 25, 2006 6:30 pm

Re: PHP Files As Signatures

Post by Sebastian R. »

Another way to use dynamic signatures is to use the mod_rewrite feature of Apache.

Code: Select all

RewriteEngine On
RewriteRule sig.png sig.php
It's still working. :D

itunes66
Registered User
Posts: 169
Joined: Tue Feb 08, 2005 12:28 am

Re: PHP Files As Signatures

Post by itunes66 »

the user could actually do lots of stuff with dynamic images believe it or not make a self-updating clock or stats using the header() fuction in php i have seen it done, but for the most part dynamic images cant unlease havoc on your forum now if php implemented some function to check if a dynamic image redirects or refreshes then you would be good, but lets not get off topic
2 things i like about you hmm.. ill have to get back to you on that one

Post Reply