MyBB Community Forums

Full Version: Disallow scripts in [IMG]
(2013-03-17, 09:04 PM)pavemen Wrote: [ -> ]what IP are you worried about? The server's IP is public and your IP is different than the server's and you are giving every site you visit that IP. Plus, unless you are the only person viewing that page ever they don't know it was you that viewed the image/script from their server as it's just an IP and a timestamp.

Well, they can easily figure out who visited the page, for example if a forum contains a section to contact staff/admins, only admin will view the thread, therefore all IPs will be either staff or admin.
Then that is part of your operational security you need to enforce with your staff, such as no links, or images, or anything other than text in those forums, or you remove all MyCode and HTML from those specific forums to help mitigate it.

You are worrying about things that do not matter. Secure your server, secure your home router/network and get on with life. I can find your IP just by scanning all possible IPs. Sooner or later I will hit yours.

Use a proxy service if you must. Either way you are just looking for a solution to a problem that does not really exist.
What is the chance of getting my IP by scanning the whole IP range? And what is the chance of getting my IP this way..... I only look for help how to disallow .php files in [IMG] tag.
But it's not just PHP files. If you put any link in an IMG tag, then MyBB (and any other forum software) is going to turn it into an external HTTP request to whatever URL was provided, no matter the MIME type or file extension. That request will be stored in the remote server's access logs.

[Image: logo_square.png]

[Image: www.communityplugins.com]

Now I have your IP address, twice. Once with a valid image call and once with the bad request. So it does not matter what is being called in the tags, the external HTTP request happens regardless.
(2013-03-19, 10:19 PM)Master Mind Wrote: [ -> ]What is the chance of getting my IP by scanning the whole IP range? And what is the chance of getting my IP this way..... I only look for help how to disallow .php files in [IMG] tag.

As I said above, it's easier said than done. There is no easy way around this without downloading and checking the MIME types of everything posted in the [img] tags.
(2013-03-20, 07:31 AM)Euan T. Wrote: [ -> ]
(2013-03-19, 10:19 PM)Master Mind Wrote: [ -> ]What is the chance of getting my IP by scanning the whole IP range? And what is the chance of getting my IP this way..... I only look for help how to disallow .php files in [IMG] tag.

As I said above, it's easier said than done. There is no easy way around this without downloading and checking the MIME types of everything posted in the [img] tags.

And as I said, it still won't matter, even if it is a valid image type, the request is still hitting the remote server so they have his IP anyway.
You're right pavemen, I understand what you meant now, this is really hard to prevent unfortunately.
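
Added example, not part of any post in this thread and not MyBB code: since the request happens whatever the extension or MIME type, a filter has to decide on the URL's host instead, keeping [img] only for hosts the forum trusts and turning everything else into a link the viewer must click. The function name, the allowlisted hosts and the sample post are assumptions, and it is meant to run on the raw message before the BBCode parser.

```php
<?php
// Hypothetical allowlist: hosts the forum operator controls or trusts.
const TRUSTED_IMG_HOSTS = ['forum.example', 'img.forum.example'];

/**
 * Keep [img] tags only for allowlisted HTTPS hosts. Any other URL becomes a
 * plain [url] link, so the viewer's browser makes no automatic request to a
 * third-party server just by opening the thread.
 */
function restrict_img_hosts(string $message, array $trustedHosts = TRUSTED_IMG_HOSTS): string
{
    // Matches [img]...[/img] and [img=...]...[/img], case-insensitive.
    $pattern = '#\[img(?:=[^\]]*)?\](.*?)\[/img\]#is';

    $result = preg_replace_callback($pattern, function (array $m) use ($trustedHosts): string {
        $url    = trim($m[1]);
        $parts  = parse_url($url) ?: [];          // parse_url() returns false on malformed input
        $scheme = strtolower($parts['scheme'] ?? '');
        $host   = strtolower($parts['host'] ?? '');

        // Decide on scheme and host only. The extension in the path proves
        // nothing: a .png URL on a remote host logs the viewer just the same.
        if ($scheme === 'https' && in_array($host, $trustedHosts, true)) {
            return $m[0];                          // trusted host: leave the tag as posted
        }
        if ($scheme === 'http' || $scheme === 'https') {
            return '[url]' . $url . '[/url]';      // untrusted host: click-through link only
        }
        return '[blocked image]';                  // no scheme/host or an unexpected scheme
    }, $message);

    // Fail closed if the regex engine reports an error.
    return $result ?? '[message could not be filtered]';
}

// Constructed sample post: one trusted image, a .php "image", a real-looking
// .png on a remote host, and a schemeless value.
$post = "[img]https://img.forum.example/logo_square.png[/img]\n"
      . "[img]http://tracker.example/pixel.php?id=7[/img]\n"
      . "[img]https://tracker.example/real-photo.png[/img]\n"
      . "[img]www.tracker.example[/img]";

echo restrict_img_hosts($post), "\n";
```

Only the first tag survives as an image; the .php and .png URLs on the remote host are treated identically.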