Why won't images display in my sig?

ishAdmin
Match Winner
Posts: 625
Joined: Sun Jul 04, 2004 12:11 am

Post by ishAdmin »

Tank Program wrote: I found some threads on the phpbb forums...
http://www.phpbb.com/phpBB/viewtopic.php?t=248343
http://www.phpbb.com/phpBB/viewtopic.php?t=255178
As you can see this is potentially quite a security threat... So, I'm working on thinking up a way that allows dynamically created images.
Well, I've read that thread, and what they've done doesn't really solve the issue. With my redirect to my image on my server, I could just as easily redirect to the logout command. The security should be put at the receiving end. It should check where that logout request came from. And perhaps have a confirm before deleting or whatever. Or include some hidden post values or SOMETHING.

It's like they are trying to lock everyone in their own house in case one of them is a burglar. Lock up the valuables! Never mind who the burglar is.
Tank Program
Forum & Project Admin, PhD
Posts: 6711
Joined: Thu Dec 18, 2003 7:03 pm

Post by Tank Program »

I'm aware they didn't solve it either, so I'm still working on it...
ishAdmin
Match Winner
Posts: 625
Joined: Sun Jul 04, 2004 12:11 am

Post by ishAdmin »

Tank Program wrote: not exactly an ideal solution tho ish...
I'm not sure what you were referring to Tank.
Tank Program
Forum & Project Admin, PhD
Posts: 6711
Joined: Thu Dec 18, 2003 7:03 pm

Post by Tank Program »

The symlinking, shifting things around with Apache in order to make it work.
ishAdmin
Match Winner
Posts: 625
Joined: Sun Jul 04, 2004 12:11 am

Post by ishAdmin »

Yeah, I see.

If your interest is in protecting your forum, you can certainly trust luci and myself. But it's true every phpbb forum is still vulnerable to that problem. They didn't fix it at all actually, and it surprises me they seem to think they did. I probably wouldn't mention this in their forum until you have a fix figured out.

The powerful functions need to be locked up better. It's as simple as that.
Tank Program
Forum & Project Admin, PhD
Posts: 6711
Joined: Thu Dec 18, 2003 7:03 pm

Post by Tank Program »

It comes down to having anything in an <img> tag makes the browser fetch whatever is there, and if that happens to be a php page pretending to be you doing stuff, you're screwed. So technically it could be a problem with the browser too :o. I'll try to come up with a way that it checks the url in the [img] tag for being an ok one/not ok one and then do something based on that. Or, er, something like that...
ishAdmin
Match Winner
Posts: 625
Joined: Sun Jul 04, 2004 12:11 am

Post by ishAdmin »

It's easy enough to get the image with a file_get_contents.php, and then examine it, and echo it out (with your own mime headers) if it's good. If phpbb reads the bbcode on every page it displays and converts it to html on the fly, then maybe this could work out.

You could even build a simple cache system with that. Just save a local copy and if it's less than 10 minutes (or whatever) old, you just echo the local copy. Otherwise you fetch a new one and save it first. Figuring out a suitable local naming scheme would be interesting. You could probably just strip slashes etc. and make that the file name.

Do you think something like that would serve the purpose?

And oh yeah, you'd have to do this for every single external image file using the bbcode. It could mean a lot of images into and back out of your server. Extra bandwidth for you, but peace of mind. The caching would help reduce the traffic.
ishAdmin
Match Winner
Posts: 625
Joined: Sun Jul 04, 2004 12:11 am

Post by ishAdmin »

ok, I've thought this through a little more. If you can find where the bbcode converts to html, all you need to do is change it slightly.

If it makes this:

<img src="http://armagetron.imagenook.com/stats.php?p=ishAdmin" etc.

you change it to make this:

<img src="imageloader.php?url=http://armagetron.imagenook.com/stats.php&p=ishAdmin" etc.

You need to change any ? to & in the url provided, as you are going to have your own at the beginning, and it will go bonk otherwise.

imageloader.php then will take the url argument, and any other get variables that are passed, and rebuilds the url. Each argument will be in the $_GET variables. (You can foreach through them all without knowing what they will be in advance).

Now with the url rebuilt, it file_get_contents it, checks whatever (or not), and echoes a mime type and the image contents.

done.

You can then add caching to imageloader.php and whatever extra dodads you might want.

I'll code version one of the image loader if you want. It's the easier job for me, since I know nothing at all about phpbb. You get the fun job of finding the bbcode conversion process.
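A concrete imageloader.php along the lines ishAdmin sketches in the two posts above, written out as an added example (it is not code from this thread, from ishAdmin, or from phpBB). It makes a few choices of its own that the thread does not: the bbcode converter is assumed to emit `imageloader.php?url=` followed by the whole remote URL urlencoded, rather than rewriting `?` to `&`; the cache file name is a hash of the URL rather than the URL with slashes stripped; the fetched bytes are checked with `getimagesizefromstring()` and a MIME whitelist; and because the forum server, not the visitor, now makes the outbound request, the target host is restricted to http(s) on public addresses and every redirect hop is re-checked. Cache path, size limit and redirect limit are assumptions.

```php
<?php
// imageloader.php: added example, not code from this thread or from phpBB.
// Serves a remote image through the forum's own server, so the *browser*
// never requests the untrusted URL and never sends its forum cookies to it.
// Assumed call shape (chosen here instead of the "?"-to-"&" rewrite):
//   <img src="imageloader.php?url=<urlencoded absolute URL>">

const CACHE_DIR = __DIR__ . '/cache/images'; // assumption: writable, outside web root
const MAX_AGE   = 600;                        // seconds; the thread's "10 minutes"
const MAX_BYTES = 2 * 1024 * 1024;            // refuse anything over 2 MiB
const MAX_HOPS  = 3;                          // redirects followed, each re-checked
const MIME_OK   = ['image/gif', 'image/jpeg', 'image/png'];

/** True if $url is http(s) to a host that resolves to a public address. */
function url_is_fetchable(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])
        || !in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // The server, not the visitor, makes this request: keep it off loopback,
    // private and reserved ranges. gethostbyname() returns the name unchanged
    // on failure, which the IP filter then rejects.
    $ip = gethostbyname($p['host']);
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/** Fetch $url, following at most MAX_HOPS redirects and re-validating the
 *  target of every hop. Returns the image bytes, or null if anything is off. */
function fetch_image(string $url): ?string
{
    $ctx = stream_context_create(['http' => [
        'timeout'         => 5,
        'follow_location' => 0, // followed manually below so each hop is checked
        'ignore_errors'   => 1, // keep headers and body on 3xx/4xx responses
        'user_agent'      => 'forum-imageloader',
    ]]);
    for ($hop = 0; $hop <= MAX_HOPS; $hop++) {
        if (!url_is_fetchable($url)) {
            return null;
        }
        $body = @file_get_contents($url, false, $ctx, 0, MAX_BYTES + 1);
        if ($body === false) {
            return null;
        }
        // $http_response_header is populated by the http:// wrapper in this scope.
        $status = (int) substr($http_response_header[0], 9, 3);
        if ($status >= 300 && $status < 400) {
            $next = null;
            foreach ($http_response_header as $h) {
                if (stripos($h, 'Location:') === 0) {
                    $next = trim(substr($h, 9)); // absolute Location URLs only
                }
            }
            if ($next === null) {
                return null;
            }
            $url = $next; // the redirect target goes through url_is_fetchable() too
            continue;
        }
        if ($status !== 200 || strlen($body) > MAX_BYTES) {
            return null;
        }
        // Decide by content, not by file extension or the remote Content-Type:
        // getimagesizefromstring() parses the actual bytes.
        $info = @getimagesizefromstring($body);
        return ($info !== false && in_array($info['mime'], MIME_OK, true)) ? $body : null;
    }
    return null; // too many redirects
}

// ---- request handling ----
$url       = $_GET['url'] ?? '';
$cacheFile = CACHE_DIR . '/' . sha1($url); // hash: no path characters, no length limit

if (is_file($cacheFile) && time() - filemtime($cacheFile) < MAX_AGE) {
    $body = file_get_contents($cacheFile);
} else {
    $body = fetch_image($url);
    if ($body === null) {
        http_response_code(502);
        exit;
    }
    if (!is_dir(CACHE_DIR)) {
        mkdir(CACHE_DIR, 0700, true);
    }
    file_put_contents($cacheFile, $body, LOCK_EX);
}

// Derive the MIME type from the bytes actually being sent, cached or fresh.
$info = @getimagesizefromstring($body);
if ($info === false) {
    http_response_code(502);
    exit;
}
header('Content-Type: ' . $info['mime']);
header('Content-Length: ' . strlen($body));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: public, max-age=' . MAX_AGE);
echo $body;
```

The bbcode side is not shown, since the thread leaves finding it to Tank; it only has to emit `imageloader.php?url=` plus `urlencode($url)`. What defeats the redirect-to-logout trick here is that the visitor's browser never talks to the remote host at all, so no forum cookie travels with the request; the price is that anyone who can post a signature can now make the forum server fetch a URL of their choosing, which is why the scheme and address-range check exists. That check resolves the name once before the fetch, so a host whose DNS answer changes between the check and the connection is not caught by this version.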
Tank Program
Forum & Project Admin, PhD
Posts: 6711
Joined: Thu Dec 18, 2003 7:03 pm

Post by Tank Program »

Yeah, something like that is what I am/was thinking about. I'm not sure about the extra bandwidth usage tho, I mean right now it's fine, but in the future...
Lucifer
Project Developer
Posts: 8640
Joined: Sun Aug 15, 2004 3:32 pm
Location: Republic of Texas

Post by Lucifer »

I think those guys are all smoking crack. I can see the danger since a redirect doesn't reset the browser's referrer, so you can't actually check why the browser is requesting it. And I can see the part about "just wait for a moderator to read the thread with the fake image redirect".

The problem I'm seeing is that it doesn't take *anything* to set up a server. Look how quickly ish worked around the problem? (I would've beat him to it if I weren't so busy) Now both ish and I can take over any phpBB, right?

It seems to me the way to fix it is to make regular backups (you do, right, tank? ;) ), and if it becomes a problem disable the feature so that the image is linked instead. Checking the file extension in a world that's run by mod_rewrite is a worthless check and only inconveniences the legitimate users of this feature without actually stopping anybody from attacking you.

I realize I'm preaching to the choir, but it's been awhile since I've seen such a collection of obviously-talented people miss something that looks so obvious to me. That probably means I missed something, eh?

Be the devil's own, Lucifer's my name.
- Iron Maiden
ishAdmin
Match Winner
Posts: 625
Joined: Sun Jul 04, 2004 12:11 am

Post by ishAdmin »

Tank Program wrote: Yeah, something like that is what I am/was thinking about. I'm not sure about the extra bandwidth usage tho, I mean right now it's fine, but in the future...
With a simple cache, the bandwidth won't be that much of a concern. You could set the limit to hourly even. But by having it at 5 or 10 minutes will mean each individual image is brought to your server only once in that time. It almost cuts the bandwidth used in half. But you will still be serving out those images, instead of letting the remote servers use their bandwidth. I'm thinking now of the armagetron screen captures. They are larger.

I think the *right* thing to do is to lock up the dangerous functions and make them secure. Even simple stuff like an "are you sure you want to do that" button, with extra security on it. If you don't make them secure, someone will find a way in.

And phpbb isn't the only thing that can fall victim to this technique. If your website lets someone display a remote image on it, it's vulnerable. What do mamboserver, wordpress, monotype, etc. etc. etc. do about it?
Lucifer
Project Developer
Posts: 8640
Joined: Sun Aug 15, 2004 3:32 pm
Location: Republic of Texas

Post by Lucifer »

ishAdmin wrote: And phpbb isn't the only thing that can fall victim to this technique. If your website lets someone display a remote image on it, it's vulnerable. What do mamboserver, wordpress, monotype, etc. etc. etc. do about it?
All the Mambo components I've seen that let you do offsite linking have a feature to disable it. So that's how they handle it. :)

One way to handle it, which I've seen used in osCommerce (although they may not have been trying to deal with this specifically) is to put a sessionID or other unique number in the URL for every page, and if a page is requested without that number, ignore the request. Then don't send that when you link to the offsite image and the remote attacker doesn't have it. Since it's needed for phpBB to authenticate you as a user, phpBB ignores the attack.

You also have to disable this for crawlers or else you'll find your site being penalized in search engines for a variety of reasons that don't actually apply to you. But when you disable this you also only allow a certain very limited set of access to the program.

Be the devil's own, Lucifer's my name.
- Iron Maiden
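The receiving-end fix that ishAdmin keeps coming back to (check where the request came from, add a confirmation step, include hidden post values) and the per-session number Lucifer describes above amount to the same thing: a state-changing action must require a secret that a page on someone else's server cannot know, so an `<img src>` pointing at it does nothing. Below is that check written out as an added example in plain PHP; it is not code from this thread, from either poster, or from phpBB. The file names `csrf.php` and `logout.php`, the field name `csrf`, and the use of logout as the sample action are assumptions.

```php
<?php
// csrf.php: added example, not code from this thread or from phpBB.
// "Put the security at the receiving end": logging out (or deleting a post)
// must not happen just because the browser presented its session cookie,
// since an <img> tag in anyone's signature makes the browser send that
// cookie with a GET to whatever URL the signature names.

session_start();

/** Return this session's CSRF token, creating it on first use. A page on
 *  another server can make the browser *send* a request to us, but it
 *  cannot *read* this value, so it cannot put it in an <img src>. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

/** True only for a POST that carries the session's token. An <img> fetch is
 *  always a GET with no body, so it fails on the first condition alone. */
function csrf_ok(): bool
{
    return ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
        && isset($_POST['csrf'], $_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $_POST['csrf']); // constant-time compare
}

/** The "are you sure you want to do that?" page: a same-origin form whose
 *  hidden field carries the token, so only a real click submits it. */
function confirm_form(string $action, string $label): string
{
    $t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    $a = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    $l = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"$a\">"
         . "<input type=\"hidden\" name=\"csrf\" value=\"$t\">"
         . "<button type=\"submit\">$l</button></form>";
}

// ---- logout.php, hardened ----
// Before (the pattern the thread describes): GET /logout.php with a valid
// cookie logs you out, so <img src="http://forum/logout.php"> does too.
// After: a GET only shows the confirmation form; the action needs POST + token.
if (!csrf_ok()) {
    header('Content-Type: text/html; charset=UTF-8');
    echo confirm_form('logout.php', 'Log out');
    exit;
}
session_unset();
session_destroy();
header('Location: index.php');
```

Lucifer's osCommerce-style variant, a session ID in every URL, protects for the same reason (the attacker's page does not know the number), but it uses the login secret itself as the token, so the value ends up in bookmarks, proxy logs and the Referer header sent to every offsite host the page embeds, including the image hosts this thread is about. A separate random token in a hidden POST field, as above, gives the same protection while the session ID stays in the cookie, and crawlers never see a token because they never reach a state-changing form.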
dlh
Formerly That OS X Guy
Posts: 2035
Joined: Fri Jan 02, 2004 12:05 am

Post by dlh »

I know everyone is busy and all, but are there any updates on this? Thanks :wink:
Lucifer
Project Developer
Posts: 8640
Joined: Sun Aug 15, 2004 3:32 pm
Location: Republic of Texas

Post by Lucifer »

nemostultae wrote: I know everyone is busy and all, but are there any updates on this? Thanks :wink:
I've done some preliminary work getting more configuration directives in your mambo profile, but otherwise, I've been sooooo covered with work and school, you know?

Be the devil's own, Lucifer's my name.
- Iron Maiden
Tank Program
Forum & Project Admin, PhD
Posts: 6711
Joined: Thu Dec 18, 2003 7:03 pm

Post by Tank Program »

I'm still thinking about it...