Re: Cant display images in the same way?
Yeah, im runnign the rewrite URL module
-Chris | Garage takai - Breaking cars since 1998
Sparky - AE86 IPRA Racer | RZN149 Hilux - Parts and Car Hauler
I never saw a wild thing sorry for itself. A small bird will drop frozen dead from a bough without ever having felt sorry for itself. - D.H.Lawrence
Re: Cant display images in the same way?
Hmm, i wonder what security issues there are.Originally Posted by Nark
There cant be any to the forum itself as its just passing a HTML image tag.
I cant think of anything that would effect a user of the forums either... i have never seen any complaints in forums that do have it turned on (did you guys get any from the old forum?).
Re: Cant display images in the same way?
I doubt that the security issues would be to the forum software unless there was some buffer overflow exploit.
The main issue is with the forum users. People can put links in that can take advantage of holes in the browser that could possibly run malicious code on the user's computer.
Not saying that it would happen, but it could happen.
Max
NB8B MX-5 | Fulcrum-tuned Tein SS coilovers | Weldwell Engineering 4 point Rollbar | DBA 4000 slotted rotors | Goodridge braided lines
MY11 Skoda Octavia RS wagon | 2x ISOFIX seats | Iggle Piggle's blanket | Some breast milk stains
Re: Cant display images in the same way?
I cant see how that is any different than just a static image/file though.
After all a dynamic URL is just data that can change over time, it has nothing to do with its content.
For example, the forums would allow this because its not dynamic:
(i used imga instead of img above otherwise the tags dont show)Code:[imga]http://virus.com/thisisbad.exe[/imga]
In the end its up to the web browser to decide whats ok and whats not.
Re: Cant display images in the same way?
But what if the PHP file produced code that utilised a flaw in the browser's/OS's image rendering functionality.
Such as the WMF code execution vulnerability that's currently on the High Risk list?
It's not the first time there's been a hole in a graphics rendering engine.
Having said all this, I do agree that not enabling that option is being a bit paranoid.
Max
NB8B MX-5 | Fulcrum-tuned Tein SS coilovers | Weldwell Engineering 4 point Rollbar | DBA 4000 slotted rotors | Goodridge braided lines
MY11 Skoda Octavia RS wagon | 2x ISOFIX seats | Iggle Piggle's blanket | Some breast milk stains
Re: Cant display images in the same way?
Thats true, but my point is its no different than having a static link to a image with that problem.
GoodHaving said all this, I do agree that not enabling that option is being a bit paranoid.
Would be nice to put my 1UZ RA28 project thread up in these new forums.
Re: Cant display images in the same way?
Any news on this?
Daily: Toyota '05 Rav4 Sport
Projects: Celica GT4 ST185 (5S-GTE), Celica RA28 Celica (1UZ-FE)
Previous: Corona RT104, Starlet GT Turbo
Classic Celica Club of South Australia
Re: Cant display images in the same way?
Testing again...
[edit]
Ok, still doesnt work.
Can you guys please fix this!
It is NOT a security issue.
Daily: Toyota '05 Rav4 Sport
Projects: Celica GT4 ST185 (5S-GTE), Celica RA28 Celica (1UZ-FE)
Previous: Corona RT104, Starlet GT Turbo
Classic Celica Club of South Australia
Re: Cant display images in the same way?
Hm, i wonder if this works.Testing again...
Edit: obviously not.
MWP: does Agg have dynamic naming (mod_rewrite) turned on?
-Chris | Garage takai - Breaking cars since 1998
Sparky - AE86 IPRA Racer | RZN149 Hilux - Parts and Car Hauler
I never saw a wild thing sorry for itself. A small bird will drop frozen dead from a bough without ever having felt sorry for itself. - D.H.Lawrence
Posting Permissions
Reply With Quote
Bookmarks