Attachments are unsafe ?

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Roberdin
Registered User
Posts: 1546
Joined: Wed Apr 09, 2003 8:44 pm
Location: London, United Kingdom

Re: Attachments are unsafe ?

Post by Roberdin »

Javascript is executed client-side and thus cannot harm the server directly.

Nevertheless, that IFRAME vulnerability could still cause some problems if someone uploaded an HTML file containing it to your server...
Rob
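The risk Rob describes above is real even though the script never touches the server: if the board hands an uploaded HTML file back with Content-Type: text/html, the browser runs it as a page in the board's own origin, with the visitor's session cookie available to it. The usual fix is on the serving side. The following is an added example, not phpBB's own download code; ATTACH_DIR, the stored-row layout and the inline allowlist are assumptions made for the example.

```php
<?php
// Added example (not phpBB code): serve a stored attachment so that anything
// other than a few image types is downloaded instead of rendered in the
// board's origin. ATTACH_DIR and the $row fields are assumptions.

const ATTACH_DIR = '/var/www/board/files';   // assumed; best kept outside the web root

/** Compute the response headers for one stored attachment (pure function). */
function attachment_headers(string $realName, string $storedMime, int $size): array
{
    // Only these types may render inline; they cannot carry script when served as images.
    $inlineOk = ['image/gif' => true, 'image/jpeg' => true, 'image/png' => true];

    if (isset($inlineOk[$storedMime])) {
        $type = $storedMime;
        $disp = 'inline';
    } else {
        $type = 'application/octet-stream';   // never text/html, whatever the uploader claimed
        $disp = 'attachment';
    }

    // Keep the filename header free of quotes, CR/LF and non-ASCII (no header injection).
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $realName);
    if ($safeName === '' || $safeName[0] === '.') {
        $safeName = 'file_' . $safeName;
    }

    return [
        'Content-Type'           => $type,
        'X-Content-Type-Options' => 'nosniff',   // stop the browser sniffing octet-stream back to HTML
        'Content-Disposition'    => $disp . '; filename="' . $safeName . '"',
        'Content-Length'         => (string) $size,
    ];
}

/** Stream the attachment described by $row (assumed DB row) to the client. */
function send_attachment(array $row): void
{
    // basename() drops any directory part, so a tampered physical_filename cannot leave ATTACH_DIR.
    $path = ATTACH_DIR . '/' . basename($row['physical_filename']);
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    foreach (attachment_headers($row['real_filename'], $row['mimetype'], filesize($path)) as $k => $v) {
        header("$k: $v");
    }
    readfile($path);
}

// Constructed rows, not real data: the second is an uploaded HTML file and is forced to download.
print_r(attachment_headers('diagram.png', 'image/png', 1234));
print_r(attachment_headers('readme.html', 'text/html', 512));
```

Forcing a download is the minimum; serving attachments from a separate hostname (so they never share the board's cookies) or adding a Content-Security-Policy with sandbox on the download response closes the remaining cases, such as an image file that also parses as HTML.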

thedrumchannell
Registered User
Posts: 26
Joined: Wed Dec 15, 2004 5:34 am
Location: Phoenix, Arizona

Re: Attachments are unsafe ?

Post by thedrumchannell »

Very true about the Javascript running client-side.
"Study to shew thyself approved unto God, a workman that needeth not to be ashamed, rightly dividing the word of truth." 2 Timothy 2:15

Thedrumchannell
Prophecy Talk - World News & Bible Prophecy Information

cyberCrank
Registered User
Posts: 560
Joined: Wed Jan 28, 2004 3:38 am
Location: Ethereal Bliss

Re: Attachments are unsafe ?

Post by cyberCrank »

** with the recent PHP exploits, definitely something for us to closely review, scrutinize, and scrub for security holes during beta & RC. Even though a critical update for the iframe vulnerability was released, there could still be problems... **
Last edited by cyberCrank on Wed Dec 29, 2004 4:35 pm, edited 1 time in total.

A_Jelly_Doughnut
Registered User
Posts: 1780
Joined: Wed Jun 04, 2003 4:23 pm

Re: Attachments are unsafe ?

Post by A_Jelly_Doughnut »

Javascript is far from harmless. I'm not sure what sort of naughtiness could be done with the current implementations... I haven't looked over the current attachment code, nor would I likely know a problem if I saw it.

Anyway, my point is attachments open a can of worms, but the worms are easily captured and put away. If they weren't, I'm thinking far fewer BBSs would implement them.

Yeah, also what cC said as I was writing this.
A_Jelly_Doughnut

cyberCrank
Registered User
Posts: 560
Joined: Wed Jan 28, 2004 3:38 am
Location: Ethereal Bliss

Re: Attachments are unsafe ?

Post by cyberCrank »

AJD wrote:attachments open a can of worms
nice pun :)

/me confesses that an attachment feature causes much concern and worry with subliminal exploits and virtual website hosting, even though it is a nice feature for phpBB and useful for many sites; so I (we should) plan to review and scrutinize it thoroughly IMO...

Uchiha Nick
Registered User
Posts: 397
Joined: Tue Jul 20, 2004 6:21 am
Location: Rotterdam, The Netherlands

Re: Attachments are unsafe ?

Post by Uchiha Nick »

Why not only allow .zip? Simply zip it up and upload that. Heck, it even decreases space usage.

iliasch
Registered User
Posts: 23
Joined: Sun May 11, 2003 3:50 pm
Location: Greece

Re: Attachments are unsafe ?

Post by iliasch »

A file containing PHP code will not be parsed by the PHP interpreter if it does not have the proper extension (.php or the older .php3, .phtml). Last time I checked such extensions are by default banned.

How exactly do you plan to rename a file remotely as a simple user? Unless of course you give your users FTP access.

As for JavaScript, it runs on the client side so it can't do much to the server. In fact JavaScript can only do what you can do with your browser anyway. If for example it tries to access your config.php, the httpd will first parse the PHP code and then return the result to JavaScript (null). I'm no JavaScript expert (yet ;) ), but I would bet it's pretty safe.

After all, attachments have existed in phpBB 2.0.x for some time (as a MOD) and there haven't been any issues. Why are you worried now?

Nullius
Registered User
Posts: 80
Joined: Mon May 24, 2004 4:16 pm
Location: Belgium

Re: Attachments are unsafe ?

Post by Nullius »

I'm not worried at all ... I just had my doubts about it ;)
Actually I wrote my own upload script some months ago and I'm still not using it because of security reasons, even though mine is a bit more secure than the phpBB-feature (I think).
I'm planning to use it in the future, but just never had the chance so far :)

I noticed that phpBB doesn't check if the file is actually what it is supposed to be.
It's a simple (but also NOT waterproof) script that checks if the mimetype of the file matches the mimetype of the extension (like image/gif for a gif-image and plain/text for .txt or something).
This way if a user has renamed his txt-file into .jpg ... it would give an error.

I didn't want to say this at first because the board is of course still in cvs, but what the heck ... maybe they'll read my message and change it :D

So, I just think we shouldn't worry, but we MUST keep our eyes open for security bugs on this matter ;)
Greetzzz,
Nullius
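The two checks discussed in the posts above (iliasch's point that only the banned extensions reach the PHP interpreter, and Nullius's check that the file content matches its extension) fit together in one upload filter. The following is an added example, not phpBB's attachment code and not Nullius's script: the allowlist, the forbidden-segment list and the magic-byte signatures are assumptions chosen for the example. It refuses any forbidden extension anywhere in the name, not only at the end, because some web server configurations (Apache's AddHandler with mod_mime, for instance) will execute "shell.php.jpg" as PHP.

```php
<?php
// Added example, not phpBB code. Validate an upload by (1) an extension
// allowlist applied to every dotted segment and (2) the file's leading bytes.
// All lists below are assumptions for the example.

const ALLOWED = [
    'gif'  => ["GIF87a", "GIF89a"],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'zip'  => ["PK\x03\x04"],
    'txt'  => [],                      // no signature; handled separately below
];

// Never allowed anywhere in the name, even as a middle segment.
// Server-side handlers first; then types a browser would render as a page.
const FORBIDDEN = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'cgi', 'pl',
                   'htaccess', 'htm', 'html', 'svg', 'js'];

/** Return the accepted extension, or null (with $reason set), for a name and its first bytes. */
function check_upload(string $filename, string $head, ?string &$reason = null): ?string
{
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2) {
        $reason = 'no extension';
        return null;
    }
    $ext = array_pop($parts);
    foreach ($parts as $seg) {                       // segments before the final extension
        if (in_array($seg, FORBIDDEN, true)) {
            $reason = "forbidden segment .$seg";
            return null;
        }
    }
    if (!isset(ALLOWED[$ext])) {
        $reason = "extension .$ext not allowed";
        return null;
    }

    if ($ext === 'txt') {
        // Plain text: reject control bytes (other than tab/CR/LF) and anything that looks like markup.
        if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $head) || strpos($head, '<') !== false) {
            $reason = 'not plain text';
            return null;
        }
        return $ext;
    }
    foreach (ALLOWED[$ext] as $sig) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            return $ext;
        }
    }
    $reason = "content does not match .$ext";
    return null;
}

// Constructed sample inputs (first bytes of files), not real uploads.
// With a real upload, read the head with file_get_contents($tmpName, false, null, 0, 16).
$samples = [
    ['photo.jpg',     "\xFF\xD8\xFF\xE0\x00\x10JFIF"],
    ['notes.txt',     "hello world\n"],
    ['renamed.jpg',   "hello world\n"],          // text file renamed to .jpg (Nullius's case)
    ['shell.php.jpg', "\xFF\xD8\xFF\xE0"],        // double extension
    ['page.txt',      "<html><script>"],
    ['backdoor.php',  "<?php"],
];
foreach ($samples as [$name, $head]) {
    $ext = check_upload($name, $head, $why);
    printf("%-15s %s\n", $name, $ext ? "accepted as .$ext" : "rejected: $why");
}
```

Store the accepted file under a server-generated name with the accepted extension rather than the uploaded name. The magic-byte check is, as Nullius says, not waterproof: a file can start with a valid GIF header and still contain HTML afterwards, which is why the check at upload time has to be paired with serving attachments as downloads rather than as pages.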

Dranor
Registered User
Posts: 8
Joined: Thu Feb 07, 2002 9:42 pm
Location: Valencia (Spain)

Re: Attachments are unsafe ?

Post by Dranor »

I don't get the point of that... Are attachments the weapons that will destroy your server and burn it until nothing is left? Then disable them.

Nullius
Registered User
Posts: 80
Joined: Mon May 24, 2004 4:16 pm
Location: Belgium

Re: Attachments are unsafe ?

Post by Nullius »

I know I can disable them etc.
I just had some questions about the security ... nothing wrong with that, is there?
Greetzzz,
Nullius
