MyBB Community Forums

Full Version: CF/Cloudflare Bypass Help
Okay, so there is an easy exploit to bypass Cloudflare by displaying an image in a post/PM/signature/avatar with an IP logger script. It will display the server's REAL IP address, and that of anyone who viewed the displayed picture. What I think is happening is MyBB is checking the image size, therefore the site is viewing the image, not Cloudflare's services. How would I go about fixing this? I know phpBB has the same problem with "getimagesize($in);"

I appreciate anyone who helps.
Unfortunately that's pretty much impossible to get around; we check the image size for several reasons (one of which is to ensure it's a valid image, IIRC).
I posted this in the private forum of MyBB, but they said the returned IP is not the server's one, but the user's. Not sure which one is correct, though.
(10-04-2014, 06:50 AM) Euan T wrote: Unfortunately that's pretty much impossible to get around; we check the image size for several reasons (one of which is to ensure it's a valid image, IIRC).

So there is no real way to make it so that when an image is displayed you can block the IP logger script? Because with most of the scripts, you view an image, and it redirects to a PHP file which then runs the code to trace the IP address of anyone who viewed that picture on that server, through .htaccess rules.

I found a slight solution was to block common IP logging sites through word filters, e.g. iplogger.org,
which now outputs nothing on the IP logger's end.
(10-04-2014, 08:17 AM) Zimton wrote: So there is no real way to make it so that when an image is displayed you can block the IP logger script?

Servers always log information about each request (IP address, browser information and referrer if provided) and it makes no difference if there is some script present at the other end or if it is only an image file.
(10-04-2014, 07:24 AM) Mitko wrote: I posted this in the private forum of MyBB, but they said the returned IP is not the server's one, but the user's. Not sure which one is correct, though.

If it is just an img, my code will only log the viewing user's IP address. If the image is being retrieved by the server and checked using getimagesize() (as the OP's post seems to indicate), obviously the server's IP will be logged. I may have misunderstood the OP, though.
(10-04-2014, 06:37 AM) Zimton wrote: Okay, so there is an easy exploit to bypass Cloudflare by displaying an image in a post/PM/signature/avatar with an IP logger script. It will display the server's REAL IP address, and that of anyone who viewed the displayed picture. What I think is happening is MyBB is checking the image size, therefore the site is viewing the image, not Cloudflare's services. How would I go about fixing this? I know phpBB has the same problem with "getimagesize($in);"

I appreciate anyone who helps.

I'm pretty sure the only time MyBB loads the image from the remote server is for avatars, to get the size. All the other places you mention will only show the visitor's IP address. To stop your server accessing the images you could strip out the remote avatar feature (noting that just removing it from templates won't stop someone who is determined; you'll need to remove it from the actual codebase), or I guess you could use a different server to act as a proxy for loading external images. That'll probably also result in messing around with the codebase.
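The two options in the reply above, side by side as an added example (this is illustration code, not MyBB's or phpBB's own code, and not anything posted in the thread). The first function is the pattern the thread is about: getimagesize() on a user-supplied avatar URL makes the forum server itself open that URL, so a logger behind it records the origin server's address rather than Cloudflare's. The second function is the "different server as a proxy" approach: the bytes are fetched through an egress proxy on another host, with a size cap, a redirect cap, and a restriction to HTTP(S), and are then validated in memory with getimagesizefromstring() so no second fetch is needed. The proxy address, the 1 MiB cap and the timeouts are assumptions chosen for the example.

```php
<?php
// Added example, not MyBB code. Proxy host, size cap and timeouts are assumptions.

// BEFORE: the forum server opens the URL itself. If an IP logger sits behind
// the URL it records this server's real address, bypassing Cloudflare.
function avatar_dimensions_direct(string $url): ?array
{
    $info = @getimagesize($url);           // PHP fetches $url from this host
    return $info === false ? null : [$info[0], $info[1]];
}

// AFTER: fetch through an egress proxy on a separate host (assumed address),
// limit what the fetch may do, then validate the bytes without refetching.
// The remote logger now sees the proxy's address, not the origin's.
function avatar_dimensions_via_proxy(
    string $url,
    string $proxy = 'proxy.example.internal:3128',   // assumption
    int $maxBytes = 1048576                          // assumption: 1 MiB cap
): ?array {
    if (!preg_match('#^https?://#i', $url)) {
        return null;                                 // only plain HTTP(S) avatars
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROXY           => $proxy,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,                // loggers often redirect to a PHP script
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_USERAGENT       => 'avatar-size-check',
        // Abort the transfer as soon as more than $maxBytes have arrived;
        // a non-zero return from the progress callback cancels the request.
        CURLOPT_NOPROGRESS       => false,
        CURLOPT_PROGRESSFUNCTION => function ($ch, $dlTotal, $dlNow) use ($maxBytes) {
            return $dlNow > $maxBytes ? 1 : 0;
        },
    ]);

    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        return null;
    }

    // Validate in memory: same check as getimagesize(), but no second request
    // leaves this host, and only GIF/JPEG/PNG are accepted.
    $info = @getimagesizefromstring($body);
    if ($info === false
        || !in_array($info[2], [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
        return null;
    }
    return [$info[0], $info[1]];
}
```

The point of the proxy variant is that the address the remote host observes belongs to the egress box, so the forum's own origin address stays hidden behind Cloudflare; it only helps if that box is not the origin server and is not otherwise linkable to it. If remote avatars are removed entirely, as the reply suggests, neither function is needed, and that is the simpler fix.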