Full Disclosure mailing list archives
RE: phpBB 2.0.17 remote avatar size bug
From: "Paul" <pvnick () gmail com>
Date: Tue, 20 Sep 2005 18:39:41 -0400
I agree. This is not a security issue. If you can get that same image to install a virus on the server, then make a deal out of it. Until then, don't waste our time.

Paul
Greyhats Security
http://greyhatsecurity.org

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Brian Dessent
Sent: Tuesday, September 20, 2005 4:12 PM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] phpBB 2.0.17 remote avatar size bug

SmOk3 wrote:
I don't want to criticize the phpBB coders, but why is it difficult to check the size of an image and tell the user that that size of image is not possible, or even block the size on the viewtopic table, something like that.
Having phpbb check the image size would add no security whatsoever. The malicious user could place the image on a server that uses mod_rewrite or PHP (or whatever...) to send a nice 100x75 image of a kitty cat when the phpbb server requests the image, and a 4000x3000 gaping goatse to everyone else. There is absolutely no way for phpbb to be able to enforce the size of images hosted on remote machines. All it can do is specify the width and height attributes of the IMG tag when it displays the image.

Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
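The one control Brian describes, the board fixing the displayed size in the IMG tag rather than trusting a server-side size check, as an added PHP example that is not phpBB's own code. The function name, the default maximums and the sample URL are assumptions for illustration; phpBB's real configuration keys are not shown here.

```php
<?php
// Added example, not phpBB code. A remote server can return one image when the
// board fetches it for a size check and a different one to visitors, so the
// only size the board can actually enforce is the one it writes into the tag.

function render_remote_avatar(string $url, int $width, int $height,
                              int $max_w = 100, int $max_h = 75): string
{
    // Refuse anything that is not a plain http(s) URL; return no avatar at all.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }

    // Whatever the user claimed (or whatever an upload-time getimagesize() saw),
    // the browser is told a size no larger than the board maximum. Scale
    // proportionally so the box is bounded but the picture is not distorted.
    $width  = max(1, $width);
    $height = max(1, $height);
    $scale  = min(1.0, $max_w / $width, $max_h / $height);
    $width  = max(1, (int) floor($width * $scale));
    $height = max(1, (int) floor($height * $scale));

    // Escape the URL so a crafted value cannot break out of the src attribute.
    $safe_url = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');

    // Explicit width/height plus a CSS cap: the rendered box stays bounded even
    // if the remote host serves a far larger image than it did to the board.
    return sprintf(
        '<img src="%s" width="%d" height="%d" alt="" style="max-width:%dpx;max-height:%dpx" />',
        $safe_url, $width, $height, $max_w, $max_h
    );
}

// Constructed sample values, not from the thread: a claimed 4000x3000 avatar
// is emitted as a 100x75 box regardless of what the remote server returns.
echo render_remote_avatar('http://example.invalid/avatar.gif', 4000, 3000), "\n";
```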