
Topic awaiting preservation: Dynamic Images? (Page 1 of 1)

 
Synthetic
Paranoid (IV) Inmate

From: under your rug,
Insane since: Jul 2001

posted 09-22-2002 11:51

OK, I've been hearing for a while that there are several security risks in allowing dynamic images on forums.
Some forums don't allow them at all for that reason.

I'm having trouble figuring out why. What are the (if any) dangers in that?

Like say I wanted to use

code:
[ IMG ] http://www.site.com/image.php?img.gif [ /IMG ]

or something to that general effect to rotate images...

Is there any danger of someone being able to load a remote script through that or something? If not, then what's all the fuss about? Sorry if it seems like a newbie question, but it's been bugging me for a while lol

(edit = had to add spaces, darn thing kept trying to parse an image even inside the code tags err.....)

[This message has been edited by Synthetic (edited 09-22-2002).]

genis
Paranoid (IV) Inmate

From: Dallas, TX
Insane since: Aug 2002

posted 09-22-2002 23:23

I can't think of anything.
If it is in an image tag, and the browser can't register it as one of its recognized formats, it usually just doesn't render it.

sheepnepeople
Nervous Wreck (II) Inmate

From:
Insane since: Oct 2002

posted 10-11-2002 17:56

maybe if they did something like http://www.site.com/image.php?../../etc/passwd

I remember a while ago a post had some links to articles explaining how you can prevent things like this happening in php. I think the exploits were more like initializing a variable in the script and that this wouldn't happen if you used local variables instead of global.
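
Added example (not code from this thread or from any poster): a sketch of an `image.php` that guards against the two issues raised in the post above, a `../../etc/passwd` style name in the query string and variables filled in from the request instead of being initialised by the script. The `images` directory, the `ALLOWED_TYPES` list and the `resolve_image()` helper are assumptions made for illustration.

```php
<?php
// Added example, not the thread's code. IMAGE_DIR, ALLOWED_TYPES and
// resolve_image() are assumed names chosen for illustration.
const IMAGE_DIR = __DIR__ . '/images';
const ALLOWED_TYPES = ['gif' => 'image/gif', 'jpg' => 'image/jpeg', 'png' => 'image/png'];

/** Map an untrusted file name to a real image file inside $baseDir, or null. */
function resolve_image(string $requested, string $baseDir): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;                       // empty name or embedded NUL byte
    }
    // Keep only the last path component: "../../etc/passwd" becomes "passwd".
    $name = basename(str_replace('\\', '/', $requested));
    // Canonicalise (resolves symlinks and "..") and confirm the result is
    // still inside the image directory before touching the file.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // missing file or outside the directory
    }
    // Check the extension of the resolved file, not of the requested name.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return (isset(ALLOWED_TYPES[$ext]) && is_file($path)) ? $path : null;
}

// Take input explicitly from the request and initialise every variable here,
// so nothing depends on register_globals filling in globals from the URL.
// image.php?img.gif style: the whole query string is the file name.
$requested = rawurldecode($_SERVER['QUERY_STRING'] ?? '');
$path = resolve_image($requested, IMAGE_DIR);

if ($path === null) {
    http_response_code(404);               // fail closed, reveal nothing
    exit;
}

// The Content-Type comes from the allowlist, never from the request.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('X-Content-Type-Options: nosniff');
readfile($path);
```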

InI
Paranoid (IV) Mad Scientist

From: Somewhere over the rainbow
Insane since: Mar 2001

posted 10-11-2002 18:11

The poster has demanded we remove all his contributions, lest he take legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.

Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 10-11-2002 18:59

InI: Alarmism is a good reaction to the slack security of the majority of us

These issues have come up before so I started a FAQ on PHP security issues:

What are the security problems with using PHP and how can I fix them?

___________________
Emps

FAQs: Emperor

Synthetic
Paranoid (IV) Inmate

From: under your rug,
Insane since: Jul 2001

posted 10-17-2002 19:01

thanks guys most informative
