Disable remote avatar uploads...
#1
As many other websites do, my website utilizes an HTTPS reverse proxy to perform filtering against DDoS attacks; for example, MyBB.com uses CloudFlare. However, with websites like "iplogger dot com", which can produce an image URL, we risk the backend IP addresses of forums being leaked to attackers.

A few solutions:
1) Blocking off bad hosts isn't enough as more and more domains will be registered to aid these tools. Check out this Imgur Album (http://imgur.com/a/vHUyo) to see my attempt at simply blocking bad hosts used to resolve my backend IP Address.
2) Blocking outgoing port 80 and 443 with Firewall (this stops Linux's ability to install updates)
3) Disable the curl_init and fsockopen PHP functions. I quickly found out this broke the password reset via email functions, so I had to allow them.
4) Removal of the code from theme templates (this should stop it but every new theme my designer makes I have to remove the remote upload code).

As shown above there isn't a simple solution to the problem. The ability to disable remote avatar uploads would be very helpful.
Software Engineer specializing in Crystal Program Development

#2
Quote:The ability to disable remote avatar uploads would be very helpful.

You can do that on a per group basis already with MyBB. "Can upload avatars?" is the option.
#3
(11-26-2016, 03:08 AM)labrocca Wrote:
Quote:The ability to disable remote avatar uploads would be very helpful.

You can do that on a per group basis already with MyBB.  "Can upload avatars?" is the option.

That's setting it globally, rather than just remote avatars (IE: a service like Gravatar or direct linked)
#4
This is actually planned for 1.8.9, and will be carried forwards to 2.0.
#5
Hi,

Your feature suggestion has been accepted as a planned feature to be implemented in MyBB 2.0. Thanks for your contribution!
#6
(11-26-2016, 03:42 AM)Ben Cousins Wrote:
(11-26-2016, 03:08 AM)labrocca Wrote:
Quote:The ability to disable remote avatar uploads would be very helpful.

You can do that on a per group basis already with MyBB.  "Can upload avatars?" is the option.

That's setting it globally, rather than just remote avatars (IE: a service like Gravatar or direct linked)

I was just about to point that out.

(11-26-2016, 12:49 PM)Euan T Wrote: This is actually planned for 1.8.9, and will be carried forwards to 2.0.

Awesome, glad to see it's going to happen sooner rather than later. :)

(11-26-2016, 12:50 PM)Euan T Wrote: Hi,

Your feature suggestion has been accepted as a planned feature to be implemented in MyBB 2.0. Thanks for your contribution!

No problem. :)
Software Engineer specializing in Crystal Program Development

#7
Quote:The ability to disable remote avatar uploads would be very helpful.

Again, we have this for a group permission.

Quote:That's setting it globally, rather than just remote avatars (IE: a service like Gravatar or direct linked)

No, it's not a global setting. It's per-group. I think maybe you're just not aware it's there.

"Can upload avatars?" is the option in group permissions under the "Users and Permissions" tab.

I have had this enabled on my 1.6x forum for years. I only allow uploaded avatars to certain groups.

What is a problem though is that even if the group doesn't have permission to upload an avatar, the page still gives them the Upload Avatar option and only after they attempt to upload does it error_no_perm. That 100% needs to change. The upload box shouldn't be there if the group doesn't have permission.

Quote:Your feature suggestion has been accepted as a planned feature to be implemented in MyBB 2.0. Thanks for your contribution!

Dude, it's already part of MyBB.

I think you guys misunderstand that the solution is already there and this suggestion should be implemented in an even smarter way.

1. Add new setting for a Curl Proxy.
2. Make sure fetch_remote_file uses the setting.
3. DONE!

Anyone can then just use an SSH tunnel or other proxy for fetch_remote_file which is the ONLY function which can expose your IP that I'm aware of. Plugins could be a different story though.

This is one problem I solved years ago.
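The two ideas in the posts above (a proxy setting that fetch_remote_file honours, and a single switch that stops outbound requests altogether) sketched as one guarded fetch function. This is an added example, not MyBB's own fetch_remote_file; the setting names allow_remote_fetch and remote_fetch_proxy, the function name and the sample values are all assumptions.

```php
<?php
// Added example, not MyBB code. Two hypothetical settings drive it:
//   $settings['allow_remote_fetch']  "0" blocks every outbound fetch (post #8's single switch)
//   $settings['remote_fetch_proxy']  e.g. "socks5h://127.0.0.1:1080" (post #7's proxy setting)
// With a proxy configured, the origin server only ever connects to the proxy, so the
// remote host serving the "avatar" sees the proxy's address, not the backend IP.

function guarded_fetch_remote_file(array $settings, string $url, int $max_bytes = 1048576)
{
    // Global off switch: nothing leaves the server when remote fetching is disabled.
    if (empty($settings['allow_remote_fetch'])) {
        return false;
    }
    // Only plain http/https targets; curl's other schemes are never wanted for an avatar.
    $parts = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($parts === false || !in_array($scheme, ['http', 'https'], true)) {
        return false;
    }

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => false,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_MAXREDIRS      => 3,
        // Pin the scheme set for the first request and for any redirect it follows.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    // Route through the configured proxy so the connection never originates from the backend IP.
    // A socks5h:// proxy also resolves DNS on the proxy side, so the lookup is not exposed either.
    if (!empty($settings['remote_fetch_proxy'])) {
        curl_setopt($ch, CURLOPT_PROXY, $settings['remote_fetch_proxy']);
    }
    $data = curl_exec($ch);
    $errno = curl_errno($ch);
    curl_close($ch);

    // Treat transport errors and oversized responses as a failed fetch.
    if ($errno !== 0 || $data === false || strlen($data) > $max_bytes) {
        return false;
    }
    return $data;
}

// Constructed sample settings an admin might configure; the proxy address is a placeholder.
$settings = ['allow_remote_fetch' => '1', 'remote_fetch_proxy' => 'socks5h://127.0.0.1:1080'];
$avatar = guarded_fetch_remote_file($settings, 'https://example.com/avatar.png');
```

Setting allow_remote_fetch to "0" makes the function return false before any socket is opened, which is the out-of-the-box behaviour the later posts ask for.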
#8
Yes, that's easy if you are an administrator who knows what they're doing, but a vast majority of our users don't want to get their hands dirty at all and want an out-of-the-box solution. A single setting to prevent requests to external sites is hardly any effort at all and saves us from a lot of people asking the same question over and over.

The server IP can still be exposed in emails sent from the forum if you're using an email service that doesn't hide that information, but there's nothing we can do about that.
#9
(11-27-2016, 09:13 PM)labrocca Wrote: No, it's not a global setting.  It's per-group. I think maybe you're just not aware it's there.

"Can upload avatars?" is the option in group permissions under the "Users and Permissions" tab.

I have had this enabled on my 1.6x forum for years. I only allow uploaded avatars to certain groups.

What is a problem though is that even if the group doesn't have permission to upload an avatar, the page still gives them the Upload Avatar option and only after they attempt to upload does it error_no_perm. That 100% needs to change. The upload box shouldn't be there if the group doesn't have permission.

Badly phrased. I apologise.

You're missing my point, though. Users want avatars uploaded to the site only rather than through gravatar. AFAIK "Can Upload Avatars" is for any and all avatars, rather than deciding whether or not to have them remote or on the server...

Of course, this could exist and I not be aware. I don't run a MyBB board, and my knowledge of the ACP is rather hazy. Please forgive me if I am making an idiot of myself.
#10
Quote: AFAIK "Can Upload Avatars" is for any and all avatars

Nope. That setting is strictly for uploading avatars as it says. You can still use a remote avatar. Actually I don't even think MyBB has an option for "no avatar." So maybe that's why you're confused about what I said.

I installed that Gravatar plugin. Worked well enough but ultimately went with a custom solution.

Quote:Yes, that's easy if you are an administrator who knows what they're doing

But as you continue to say, they still can expose their IP via email service and most likely bad plugins. Realistically you just can't expect low-skilled admins using HF to be running servers. At best they'll use a VPN or cloud service.

Quote:A single setting to prevent requests to external sites is hardly any effort at all and saves us from a lot of people asking the same question over and over.

And how does this single setting work to prevent the exposure of a server IP? Again, the original request is for the removal of avatar uploads as a setting, and it already exists. Seems redundant to add a feature to a planned feature list when it already exists. And in its current form as a group permission it's much better than a global disabling of avatar uploads. You may want to have a trusted group like the Admins still have avatar upload access.

Oh, fyi I just saw that Gravatar was added to MyBB 1.8x as a default option. I may need to toy with it to see how it's implemented. But still, Gravatar would not expose your IP so that should be safe to use.