MyBB

newuserhere · (This post was last modified: 2012-05-27, 07:53 PM by newuserhere.)

Ok, so there is a major bug in most forum software, mybb not being the only one.

If I add and invisible image like this: [img ]http://tools.dynamicdrive.com/password/example/[/img]

with the code being:

[img]http://tools.dynamicdrive.com/password/example/[/img]

...users are greeted with an annoying dynamic password popup.

This can be done with different types of php scripts, and can lead to phishing.

If this is on someone's sig (or multiple sigs), this could really become an issue (even more-so than on a thread/post).

Is there a way, using MyCode to check that all links end with an extension when followed by [/img]?

Vazity · 2012-05-27, 07:49 PM

Just add http://tools.dynamicdrive.com/password/example/ to word filter and it will not work, i guess.

Nathan Malcolm · (This post was last modified: 2012-05-27, 07:51 PM by Nathan Malcolm.)

It's not a bug. I can also get your IP and useragent by adding a fake image in my signature. There's no way around that.

I could rewrite, using mod_rewrite, password.php to password.html so blocking extensions won't work. If users are doing such a thing, ban them. If they're not, don't worry about it too much.

This was brought up in the past but there's nothing really you can do about it.

newuserhere · 2012-05-27, 07:56 PM

(2012-05-27, 07:51 PM)Nathan Malcolm Wrote: It's not a bug. I can also get your IP and useragent by adding a fake image in my signature. There's no way around that.

I could rewrite, using mod_rewrite, password.php to password.html so blocking extensions won't work. If users are doing such a thing, ban them. If they're not, don't worry about it too much.

This was brought up in the past but there's nothing really you can do about it.

Anyway to make a MyCode that checks for an extension when a link is followed by an [img] tag?

Nathan Malcolm · 2012-05-27, 08:01 PM

Did you read my post? It won't work. If I rewrite password.php to password.gif, and only png, gif, and jpg extensions are allowed, it'll still pass the filter and the popup will still show.

Infact, I wouldn't even need to rewrite the file. I could link to a non existent image in a password protected directory as Apache checks for authentication before checking for validity of the request.

newuserhere · (This post was last modified: 2012-05-27, 08:06 PM by newuserhere.)

(2012-05-27, 08:01 PM)Nathan Malcolm Wrote: Did you read my post? It won't work. If I rewrite password.php to password.gif, and only png, gif, and jpg extensions are allowed, it'll still pass the filter and the popup will still show.

Infact, I wouldn't even need to rewrite the file. I could link to a non existent image in a password protected directory as Apache checks for authentication before checking for validity of the request.

oh... sorry...

Is there a way to block it via htaccess?

(2012-05-27, 08:01 PM)Nathan Malcolm Wrote: Did you read my post? It won't work. If I rewrite password.php to password.gif, and only png, gif, and jpg extensions are allowed, it'll still pass the filter and the popup will still show.

Infact, I wouldn't even need to rewrite the file. I could link to a non existent image in a password protected directory as Apache checks for authentication before checking for validity of the request.

I tried to ask for help from this site: http://forumpromotion.net (before posting here), and they have it so that the system tries to get the size of the image. Since the site was unable to detect the size, I was unable to post my thread until I deleted the image tag... any way to do something similar with mybb?

Login
Username:
Password:	Lost Password?
	Remember me