Well, I've read that thread, and what they've done doesn't really solve the issue. With my redirect to my image on my server, I could just as easily redirect to the logout command. The security should be put at the receiving end. It should check where that logout request came from. And perhaps have a confirm before deleting or whatever. Or include some hidden post values or SOMETHING.

Tank Program wrote:
I found some threads on the phpbb forums...
http://www.phpbb.com/phpBB/viewtopic.php?t=248343
http://www.phpbb.com/phpBB/viewtopic.php?t=255178
As you can see this is potentially quite a security threat... So, I'm working on thinking up a way that allows dynamically created images.
It's like they are trying to lock everyone in their own house in case one of them is a burglar. Lock up the valuables! Never mind who the burglar is.
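
Added example, not part of the original post and not phpBB's own code: one way to put the check at the receiving end, as the post suggests, is to accept logout only as a POST that carries a hidden per-session value. The function names and the `logout_token` field are hypothetical, and the three requests at the bottom are constructed.

```php
<?php
// Added illustration: a logout handler that validates the request itself.
// issue_logout_token(), handle_logout() and 'logout_token' are hypothetical names.

function issue_logout_token(array &$session): string
{
    // Random per-session secret, rendered as a hidden field in the logout form.
    if (!isset($session['logout_token'])) {
        $session['logout_token'] = bin2hex(random_bytes(32));
    }
    return $session['logout_token'];
}

function handle_logout(string $method, array $post, array &$session): string
{
    // An image request, even one that follows a redirect, is always a GET,
    // so a GET is never allowed to change state.
    if ($method !== 'POST') {
        return 'rejected: logout requires POST';
    }

    $expected = $session['logout_token'] ?? '';
    $supplied = $post['logout_token'] ?? '';

    // The hidden value must match the one stored in this user's session.
    // hash_equals() compares in constant time.
    if ($expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied)) {
        return 'rejected: missing or wrong token';
    }

    $session = [];   // drop all session state
    return 'logged out';
}

// Constructed session and requests.
$session = ['user' => 'alice'];
$token   = issue_logout_token($session);

// 1. Request triggered by an off-site image that redirects to the logout URL.
echo handle_logout('GET', [], $session), "\n";

// 2. Cross-site POST from a page that cannot read the hidden value.
echo handle_logout('POST', ['logout_token' => 'guess'], $session), "\n";

// 3. The forum's own logout form, which includes the hidden field.
echo handle_logout('POST', ['logout_token' => $token], $session), "\n";
```

With this check in place, what a remote image URL redirects to does not matter for logout, because the handler refuses any request that lacks the session's own hidden value.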