RE: phpBB 2.0.17 remote avatar size bug

["Paul" <pvnick () gmail com>]

I agree. This is not a security issue. If you can get that same image to
install a virus on the server, then make a deal out of it. Until then, don't
waste our time.

Paul
Greyhats Security
http://greyhatsecurity.org


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Brian
Dessent
Sent: Tuesday, September 20, 2005 4:12 PM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] phpBB 2.0.17 remote avatar size bug

SmOk3 wrote:

> I don't want to criticize the phpBB coders, but why is it dificult to
> check out the size
> of a image and telling the user that that size of image it's not
> possible, or even block the
> size on the viewtopic table, something like that.

Having phpbb check the image size would add no security whatsoever.  The
malicious user could place the image on a server that uses mod_rewrite
or PHP (or whatever...) to send a nice 100 x 75 image of a kitty cat
when the phpbb server requests the image, and a 4000x3000 gaping goatse
to everyone else.  There is absolutely no way for phpbb to be able to
enforce the size of images hosted on remote machines.  All it can do is
specify the width and height attributes of the IMG tag when it displays
the image.

Brian
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/