Vulneravilidad filtering forums smf 1.1.7 and 1.1.8

[Jbyte]

The vulneravilidad is the misconfiguration that give managers the forums Fitr is the url that you can upload avatars comom which should only be allowed to upload images but can be found and put in the url that contains php files for example:

I think a post on a forum and want to know the ip, operating system and browser of the person to entonses just seen my post in the url for my avatar instead of a url as normal hxxp:xxxx.com/miavatar [nonactive] serious. jpg hxxp:xxxx.com/pirata.php [nonactive] be placed where the code into code that pirata.php serious dimension as before would not see the ip, operating systems and browsers and other application that we can program in php code q rioja rioja would happen again the next person to open up our post pirata.php who would run up emos in our website which we want to keep the data drawn from the person accessing our post.

[karlbenson]

This is not a bug.  This is definately not a vulnerability nor exploit.
This is how the internet works.

The user could even use undetectable apache redirects so
http://site.com/image.jpg actually loads http://site.com/script.php
In which case it would still be possible to for the user to log the ip/os/browser.

The image host NEEDS the ip to know where to send the image request back to.

If you don't want this information to be logged, the ONLY way to prevent it is to DISABLE [img] bbcode tag entirely AND DISABLE external avatars.