News:

Join the Facebook Fan Page.

Main Menu

Hacking with BBCODES

Started by supahben, January 05, 2010, 01:36:19 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

supahben

January 05, 2010, 01:36:19 AM
one of my members has a signature like this:

Code Select
[img]http://mysite.com/index.php?theme=1[/img]
[img]http://www.mysite.com/index.php?theme=1[/img]

the good thing is only admin has the privilege to change themes... so whenever i (i am the admin) see him with his siggy on a page, i am always being changed to the default theme...

how do i prevent such cases?

* * *

i also have censored words on my forum but i found a way to bypass it...

for example...

the censored word is great

i would just do it like this

Code Select
g[b][/b]reat and it will still show great

how to mend that?

Aleksi "Lex" Kilpinen

#1
January 05, 2010, 01:44:24 AM
Hi, exactly what version are you running? :)
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

supahben

#2
January 05, 2010, 01:52:06 AM
Quote from: LexArma on January 05, 2010, 01:44:24 AM
Hi, exactly what version are you running? :)
v.1.1.11

Aleksi "Lex" Kilpinen

#3
January 05, 2010, 02:01:59 AM
Quote from: supahben on January 05, 2010, 01:52:06 AM
Quote from: LexArma on January 05, 2010, 01:44:24 AM
Hi, exactly what version are you running? :)
v.1.1.11
Tested and confirmed the IMG thing works. :(
For now, perhaps you should just remove those "images" from your users signature, and warn him or ban him - it's up to you.


Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

supahben

#4
January 05, 2010, 02:16:34 AM
Quote from: LexArma on January 05, 2010, 02:01:59 AM
Quote from: supahben on January 05, 2010, 01:52:06 AM
Quote from: LexArma on January 05, 2010, 01:44:24 AM
Hi, exactly what version are you running? :)
v.1.1.11
Tested and confirmed the IMG thing works. :(
For now, perhaps you should just remove those "images" from your users signature, and warn him or ban him - it's up to you.

lol... maybe theres some tweak on Subs.php or somewhere on the source file that can check if the hotlinked image exists or not.. if not, it will display an image (telling it doesnt exist) located on the server

check this out:
http://www.zann-marketing.com/developer/20051128/check-if-external-image-exists.html
that one uses GD library but i dont how to modify files on the source directory..

Aleksi "Lex" Kilpinen

#5
January 05, 2010, 02:17:17 AM
The problem is, that a .php file can be an image, and your own index.php most certainly exists.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

supahben

#6
January 05, 2010, 07:15:49 AM
Quote from: LexArma on January 05, 2010, 02:17:17 AM
The problem is, that a .php file can be an image, and your own index.php most certainly exists.
I have an idea... how about doing this:

http://php.net/manual/en/function.getimagesize.php
Quote...and the correspondant HTTP content type.

we can check for the MIME type of the external image (idk how... but some coder here can do this) then check if it is present in an array of verified img file types (that can be hotlink-ed ) like this one:


Quote11.
'image/gif' => 'gif',
12.
'image/jpeg' => 'jpeg',
13.
'image/png' => 'png',
14.
'application/x-shockwave-flash' => 'swf',
15.
'image/psd' => 'psd',
16.
'image/bmp' => 'bmp',
17.
'image/tiff' => 'tiff',
18.
'image/tiff' => 'tiff',
19.
'image/jp2' => 'jp2',
20.
'image/iff' => 'iff',
21.
'image/vnd.wap.wbmp' => 'bmp',
22.
'image/xbm' => 'xbm',
23.
'image/vnd.microsoft.icon' => 'ico'

then if it is, display it... what are your insights about my idea?

Aleksi "Lex" Kilpinen

#8
January 05, 2010, 07:18:35 AM
Quote from: supahben on January 05, 2010, 07:15:49 AM
then if it is, display it... what are your insights about my idea?
I'm no coder myself either, but I've already tipped our devs of this, and I'll let them know of your suggestion as well. :)
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

supahben

#9
January 05, 2010, 07:21:34 AM
Quote from: LexArma on January 05, 2010, 07:18:35 AM
Quote from: supahben on January 05, 2010, 07:15:49 AM
then if it is, display it... what are your insights about my idea?
I'm no coder myself either, but I've already tipped our devs of this, and I'll let them know of your suggestion as well. :)
Thanks :D That's the FOSS spirit :D
Print
Go Up Pages1
User actions
Advertisement: