MyBB Community Forums

Full Version: Disable remote avatar uploads...
(2016-11-28, 08:19 AM)labrocca Wrote: Nope. That setting is strictly for uploading avatars as it says. You can still use a remote avatar. Actually I don't even think MyBB has an option for "no avatar." So maybe that's why you're confused about what I said.

I installed that Gravatar plugin. Worked well enough but ultimately went with a custom solution.

Ah! That's it. Thanks for the clarification, I'll file it in "TIL" :)

We interface with Gravatar directly, so uploading avatars isn't an issue for us.
(2016-11-28, 08:19 AM)labrocca Wrote:
Quote: AFAIK "Can Upload Avatars" is for any and all avatars

Nope. That setting is strictly for uploading avatars as it says. You can still use a remote avatar. Actually I don't even think MyBB has an option for "no avatar." So maybe that's why you're confused about what I said.

I installed that Gravatar plugin. Worked well enough but ultimately went with a custom solution.

Quote:Yes, that's easy if you are an administrator who knows what they're doing

But as you continue to say, they still can expose their IP via email service and most likely bad plugins. Realistically you just can't expect low-skilled admins using HF to be running servers. At best they'll use a VPN or cloud service.

Quote:A single setting to prevent requests to external sites is hardly any effort at all and saves us from a lot of people asking the same question over and over.

And how does this single setting work to prevent the exposure of a server IP? Again, the original request is for the removal of avatar uploads as a setting, and it already exists. Seems redundant to add a feature to a planned feature list when it already exists. And in its current form as a group permission it's much better than a global disabling of avatar uploads. You may want to have a trusted group like the Admins still have avatar upload access.

Oh, fyi I just saw that Gravatar was added to MyBB 1.8x as a default option. I may need to toy with it to see how it's implemented. But still, Gravatar would not expose your IP so that should be safe to use.

My understanding of the original question (badly worded as it is) is to disable the use of remote avatars from URLs (as MyBB then downloads the file to check the file type and dimensions, exposing the server IP). Uploading an avatar via a file upload shouldn't cause a problem. The setting allows the use of uploads only, disabling remote avatars of any kind. I've already implemented this and it's sitting as a Pull Request on the 1.8 branch ready for 1.8.9.
Quote:Uploading an avatar via a file upload shouldn't cause a problem.

That exposes IP.

Quote:as MyBB then downloads the file to check the file type and dimensions, exposing the server IP

That can be disabled in acp but yes, the dimension checking causes IP exposure.

And again, so does the email system by default.

Quote:The setting allows the use of uploads only

Again, MyBB already has this as a group setting. If you think adding a global setting solves something then by all means add it to MyBB. My view is that the feature already exists and that it doesn't solve the problem of IP exposure anyways.
(2016-11-28, 10:48 PM)labrocca Wrote:
Quote:Uploading an avatar via a file upload shouldn't cause a problem.

That exposes IP.

Quote:as MyBB then downloads the file to check the file type and dimensions, exposing the server IP

That can be disabled in acp but yes, the dimension checking causes IP exposure.

And again, so does the email system by default.  

Quote:The setting allows the use of uploads only

Again, MyBB already has this as a group setting. If you think adding a global setting solves something then by all means add it to MyBB. My view is that the feature already exists and that it doesn't solve the problem of IP exposure anyways.

Hi,

I think I'm getting confused here. When I talk about uploading an avatar, I mean this:

[Image: 8TSISRb.png]

I've never heard about file uploads like that leaking the server IP address and did some quick Googling with no luck - could you please enlighten me? I'm not saying you're wrong, just surprised I've never heard about this being a problem.

I've also looked at a fresh install of MyBB 1.8.8 and can't see any user group settings to disable the usage of a remote avatar - the input box is hardcoded in the templates in 1.8.8 for remote avatars. I did find an option to disable the upload of avatars (the input box shown in the above screenshot), which is the method that people usually want to retain:

[Image: Uto0TNj.png]

I also couldn't find the setting you mentioned to disable the checking of remote avatar files in 1.8.8. The code that handles this type of avatar can be found here: https://github.com/mybb/mybb/blob/featur....php#L2078

As you can see, the system simply downloads whatever file is linked to in the input file (in case I'm getting confused, the input field shown here) no matter what - which will lead to disclosure of the server's IP address (the thing that we are trying to prevent happening).

And yes, you're correct. The IP will still leak in email headers. There's nothing we can do about that from our side though - that's just the way email servers tend to work out of the box.
Quote:I also couldn't find the setting you mentioned to disable the checking of remote avatar files in 1.8.8.

As far as I know there is no setting to disable remote avatars only avatar uploads.

Quote:And yes, you're correct. The IP will still leak in email headers.

Which is why this "planned feature" needs to be unplanned. The entire purpose cited by OP is nulled.

The problem is solved from a coding perspective at fetch_remote_file. It will continue to be an issue until that's solved. Email solutions can be provided by using certain SMTP providers that won't leak your IP or by also using a proxy/tunnel.

IP server hiding goes beyond what the MyBB software is able to do. It will require actual system administration skills.
(2016-11-29, 10:50 PM)labrocca Wrote:
Quote:I also couldn't find the setting you mentioned to disable the checking of remote avatar files in 1.8.8.

As far as I know there is no setting to disable remote avatars only avatar uploads.
That's why there's a Pull Request for it.

Quote:
Quote:And yes, you're correct. The IP will still leak in email headers.

Which is why this "planned feature" needs to be unplanned. The entire purpose cited by OP is nulled.

The problem is solved from a coding perspective at fetch_remote_file. It will continue to be an issue until that's solved. Email solutions can be provided by using certain SMTP providers that won't leak your IP or by also using a proxy/tunnel.

IP server hiding goes beyond what the MyBB software is able to do. It will require actual system administration skills.
Remote avatar checking is one of the places where the address is leaked, so once the forum administrator sets up the mailing system correctly (a secure bulk mailing provider as mentioned, or their own separate server, to send from there or to forward to a third party that does disclose the originating address), this feature becomes problematic because it cannot be disabled without modifications (in 1.8).

Forum administrators may want to make users upload their own avatars without making it possible to use remote resources, and securing the forum with HTTPS is not the only reason.
Actually I utilize a secure bulk mailing provider for emails so the remote avatar feature is the only feature that can be abused to expose the server's IP Address in my case.
Quote:Actually I utilize a secure bulk mailing provider for emails so the remote avatar feature is the only feature that can be abused to expose the server's IP Address in my case.

So what happens when a plugin uses fetch_remote_file function of MyBB? Your IP and any previous attempts to hide it will be nulled and your IP exposed.

Fix fetch_remote_file and you fix these problems for the software and any plugins that use it.
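Both the description of the remote-avatar code path earlier in the thread (MyBB downloads whatever URL the user supplies before checking type and dimensions) and the point just above that the fix belongs in fetch_remote_file so that plugins inherit it can be illustrated with a guarded fetch. The PHP below is an added example written for this page, not code from MyBB, from the linked Pull Request, or from anyone in the thread. The setting names allowremoteavatars and avatarfetchproxy, the form field name avatarurl, and the helper function names are assumptions chosen for illustration; $mybb->settings, $mybb->get_input() and error() are used as the ordinary MyBB 1.8 globals. The wrapper refuses remote avatars unless a board setting allows them, and when they are allowed it only connects through a configured forward proxy, failing closed if none is set, so the avatar host never sees the forum's origin address.

```php
<?php
// Added example, not MyBB's own code. Setting names, field name and helper
// names below are assumptions for illustration.

/**
 * Validate a remote avatar URL before any network activity happens.
 * Returns null when the request may proceed, otherwise an error message.
 */
function remote_avatar_precheck(string $url, array $settings): ?string
{
    // Assumed board setting: when unset/0, remote avatars are refused outright
    // and no outbound request (not even a DNS lookup) is ever made.
    if (empty($settings['allowremoteavatars'])) {
        return 'Remote avatars are disabled on this board.';
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'Invalid avatar URL.';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'Only http and https avatar URLs are accepted.';
    }
    return null;
}

/**
 * Fetch a remote resource through an explicit forward proxy using cURL.
 * Fails closed: with no proxy configured the function makes no connection,
 * so a plugin that calls it cannot accidentally reveal the origin IP.
 * Returns the response body on success, false on any failure.
 */
function fetch_remote_file_via_proxy(string $url, array $settings, int $timeout = 10)
{
    // Assumed setting, e.g. "socks5h://127.0.0.1:9050" or "http://proxy.example:3128".
    if (empty($settings['avatarfetchproxy'])) {
        return false;
    }
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_MAXREDIRS      => 5,
        // Restrict both the initial request and any redirect target to HTTP(S),
        // so a redirect to file://, gopher:// etc. is rejected by libcurl.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => $timeout,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_PROXY          => $settings['avatarfetchproxy'],
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $body = curl_exec($ch);
    $errno = curl_errno($ch);
    curl_close($ch);
    return ($errno === 0 && $body !== false) ? $body : false;
}

// Illustrative use inside the avatar handler (field name 'avatarurl' is assumed).
$avatar_url = (string) $mybb->get_input('avatarurl');
$problem = remote_avatar_precheck($avatar_url, $mybb->settings);
if ($problem !== null) {
    error($problem);
}
$image = fetch_remote_file_via_proxy($avatar_url, $mybb->settings);
if ($image === false) {
    error('The remote avatar could not be fetched.');
}
// $image can now go through the usual type and dimension checks.
```

Two practical notes on the design. First, a socks5h:// proxy URL makes libcurl hand the hostname to the proxy for resolution; with socks5:// or an HTTP proxy the forum server still resolves the name itself, and an attacker who controls the avatar domain's authoritative DNS sees the resolver's address instead. Second, the simplest fix remains the one the thread converges on: an upload-only policy (the existing group permission for uploads, plus the pending setting for remote avatars) removes the outbound fetch entirely, and the proxy wrapper only matters for boards that want to keep remote avatars or have plugins calling fetch_remote_file.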