JavaScript is executed client-side and thus cannot harm the server directly.
Nevertheless, that IFRAME vulnerability could still cause some problems if someone uploaded an HTML file containing it to your server...
Attachments are unsafe ?
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
- thedrumchannell
- Registered User
- Posts: 26
- Joined: Wed Dec 15, 2004 5:34 am
- Location: Phoenix, Arizona
- Contact:
Re: Attachments are unsafe ?
Very true about the JavaScript running client-side.
"Study to shew thyself approved unto God, a workman that needeth not to be ashamed, rightly dividing the word of truth." 2 Timothy 2:15
Thedrumchannell
Prophecy Talk - World News & Bible Prophecy Information
- cyberCrank
- Registered User
- Posts: 560
- Joined: Wed Jan 28, 2004 3:38 am
- Location: Ethereal Bliss
Re: Attachments are unsafe ?
** with the recent PHP exploits, definitely something for us to closely review, scrutinize, and scrub for security holes during beta & RC. Even though a critical update for the iframe vulnerability was released, there could still be problems... **
Last edited by cyberCrank on Wed Dec 29, 2004 4:35 pm, edited 1 time in total.
- A_Jelly_Doughnut
- Registered User
- Posts: 1780
- Joined: Wed Jun 04, 2003 4:23 pm
Re: Attachments are unsafe ?
Javascript is far from harmless. I'm not sure what sort of naughtiness could be done with the current implementations...I haven't looked over the current attachment code, nor would I likely know a problem if I saw it.
Anyway, my point is attachments open a can of worms, but the worms are easily captured and put away. If they weren't, I'm thinking far fewer numbers of BBS would implement them.
Yeah, also what cC said as I was writing this.
A_Jelly_Doughnut
- cyberCrank
- Registered User
- Posts: 560
- Joined: Wed Jan 28, 2004 3:38 am
- Location: Ethereal Bliss
Re: Attachments are unsafe ?
AJD wrote: attachments open a can of worms
nice pun
/me confesses that an Attachment Feature causes much concern and worry with subliminal exploits and virtual website hosting, even though it is a nice feature for phpBB and useful for many sites; so I (we should) plan to review and scrutinize it thoroughly IMO...
-
- Registered User
- Posts: 397
- Joined: Tue Jul 20, 2004 6:21 am
- Location: Rotterdam, The Netherlands
- Contact:
Re: Attachments are unsafe ?
Why not only allow .zip? Simply zip it up and upload that. Heck, it even decreases space usage.
Re: Attachments are unsafe ?
A file containing PHP code will not be parsed by the PHP interpreter if it does not have the proper extension (.php or the older .php3, .phtml). Last time I checked such extensions are by default banned.
How exactly do you plan to rename a file remotely as a simple user? Unless of course you give your users FTP access.
As for JavaScript, it runs on the client side so it can't do much to the server. In fact JavaScript can only do what you can do with your browser anyway. If for example it tries to access your config.php, the httpd will first parse the PHP code and then return the result to JavaScript (null). I'm no JavaScript expert (yet), but I would bet it's pretty safe.
After all, attachments exist in phpBB 2.0.x for some time (as a MOD) and there haven't been any issues. Why are you worried now?
Re: Attachments are unsafe ?
I'm not worried at all ... I just had my doubts about it
Actually I wrote my own upload script some months ago and I'm still not using it because of security reasons, even though mine is a bit more secure than the phpBB-feature (I think).
I'm planning to use it in the future, but just never had the chance so far
I noticed that phpBB doesn't check if the file is actually what it is supposed to be.
It's a simple (but also NOT waterproof) script that checks if the mimetype of the file matches the mimetype of the extension (like image/gif for a gif-image and plain/text for .txt or something).
This way if a user has renamed his txt-file into .jpg ... it would give an error.
I didn't want to say this at first because the board is of course still in CVS, but what the heck ... maybe they'll read my message and change it
So, I just think we shouldn't worry, but we MUST keep our eyes open for security bugs on this matter
Greetzzz,
Nullius
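The two checks discussed in this thread, an extension allowlist (the reply above about .php/.php3/.phtml not being parsed unless the extension matches) and Nullius's idea of comparing the file's real content type with its extension, combined into one upload validator. This is an added example, not phpBB's own attachment code and not Nullius's script; it assumes PHP 8 with the fileinfo extension, and every function and sample file name in it is hypothetical.

```php
<?php
// Added example (not phpBB code): validate an uploaded attachment by
// allow-listing the extension AND checking that the file content matches it.
// Assumes PHP 8 with the fileinfo extension; all names below are hypothetical.

declare(strict_types=1);

// Extension -> MIME types that libmagic is expected to report for genuine files.
const ALLOWED = [
    'gif' => ['image/gif'],
    'jpg' => ['image/jpeg'],
    'png' => ['image/png'],
    'txt' => ['text/plain'],
    'zip' => ['application/zip'],
];

// Returns [true, 'ok', $safeName] or [false, $reason, null].
function validate_attachment(string $tmpPath, string $originalName): array
{
    // Only the last extension counts; "shell.php.jpg" becomes "jpg" here, so the
    // stored name is regenerated below and never reuses the user-supplied name.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, "extension '$ext' not allowed", null];
    }

    // Content sniffing via libmagic: a .txt renamed to .jpg reports text/plain,
    // PHP source with an image extension reports text/x-php.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmpPath);
    finfo_close($finfo);
    if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
        return [false, "content is '$mime', which does not match .$ext", null];
    }

    // Second opinion for images: the image decoder must agree with libmagic.
    if (str_starts_with($mime, 'image/')) {
        $info = @getimagesize($tmpPath);
        if ($info === false || $info['mime'] !== $mime) {
            return [false, "image header does not parse as $mime", null];
        }
    }

    // Server-chosen name: random, carrying only the allow-listed extension.
    $safeName = bin2hex(random_bytes(16)) . '.' . $ext;
    return [true, 'ok', $safeName];
}

// --- constructed sample "uploads", written to temp files (no real upload) ---
function make_temp(string $bytes): string
{
    $path = tempnam(sys_get_temp_dir(), 'att');
    file_put_contents($path, $bytes);
    return $path;
}

$samples = [
    // A minimal valid 1x1 transparent GIF.
    'real.gif'  => base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'),
    // Plain text renamed to .jpg: the case Nullius describes.
    'notes.jpg' => "just some text\n",
    // PHP source hiding behind an image extension.
    'shell.gif' => "<?php system(\$_GET['c']); ?>",
    // Disallowed extension outright.
    'shell.php' => "<?php echo 1; ?>",
];

foreach ($samples as $name => $bytes) {
    $tmp = make_temp($bytes);
    [$ok, $why, $safe] = validate_attachment($tmp, $name);
    printf("%-10s -> %s (%s)%s\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why,
        $ok ? " stored as $safe" : '');
    unlink($tmp);
}
```

Run it with `php validate.php`; only real.gif is accepted, and it is stored under a random server-generated name. Two caveats a practitioner would add: the extension check only helps if the web server's handler mapping matches the allowlist (Apache's mod_mime can treat `shell.php.jpg` as PHP if `.php` is mapped with `AddHandler` rather than a `FilesMatch` on the final extension, and the only robust fix is to store attachments outside the document root or in a directory where PHP execution is disabled); and content sniffing is, as Nullius says, not waterproof, since a file can be a valid GIF and valid HTML or JavaScript at the same time, so attachments should also be served with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` rather than rendered inline by the browser.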
- Dranor
- Registered User
- Posts: 8
- Joined: Thu Feb 07, 2002 9:42 pm
- Location: Valencia (Spain)
- Contact:
Re: Attachments are unsafe ?
I don't get the point of that.. are attachments the weapons that will destroy your server and burn it until nothing is left? Then disable them
Re: Attachments are unsafe ?
I know I can disable them etc.
I just had some questions about the security ... nothing wrong with that, is there ?
Greetzzz,
Nullius