Message-ID: <43308fae.24b07b76.2f19.ffffa634@mx.gmail.com>
Date: Tue Sep 20 23:39:55 2005
From: pvnick at gmail.com (Paul)
Subject: phpBB 2.0.17 remote avatar size bug

I agree. This is not a security issue. If you can get that same image to
install a virus on the server, then make a deal out of it. Until then, don't
waste our time.

Paul
Greyhats Security
http://greyhatsecurity.org


-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Brian
Dessent
Sent: Tuesday, September 20, 2005 4:12 PM
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] phpBB 2.0.17 remote avatar size bug

SmOk3 wrote:

> I don't want to criticize the phpBB coders, but why is it difficult to
> check out the size
> of an image and tell the user that that size of image is not
> possible, or even block the
> size on the viewtopic table, something like that.

Having phpbb check the image size would add no security whatsoever.  The
malicious user could place the image on a server that uses mod_rewrite
or PHP (or whatever...) to send a nice 100 x 75 image of a kitty cat
when the phpbb server requests the image, and a 4000x3000 gaping goatse
to everyone else.  There is absolutely no way for phpbb to be able to
enforce the size of images hosted on remote machines.  All it can do is
specify the width and height attributes of the IMG tag when it displays
the image.

Brian
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
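The only control Brian's message leaves to the forum software is the one it actually has: deciding what goes into the IMG tag it emits. The following is an added example, not phpBB's own code, of a PHP helper that renders a user-supplied remote avatar URL with the displayed width and height clamped to board-configured limits (the 100 x 75 figures and the `AVATAR_MAX_*` constants are assumed for illustration), and with the URL restricted to http(s) and HTML-escaped before it is embedded. It deliberately does not fetch the remote image to measure it, since the remote host controls what that fetch returns.

```php
<?php
// Added example, not phpBB code: render a remote avatar with the layout box
// clamped server-side. Assumed board-configured limits (not from phpBB).
const AVATAR_MAX_WIDTH  = 100;
const AVATAR_MAX_HEIGHT = 75;

/**
 * Return an <img> tag for a user-supplied avatar URL, or '' if the URL is
 * unusable. $width and $height are whatever the user submitted alongside the
 * URL; they are clamped to the configured maximum, never trusted as-is.
 */
function render_remote_avatar(string $url, int $width, int $height): string
{
    // Accept only plain http(s) URLs with a host; this rejects javascript:,
    // data:, file: and relative references that could point back at the board.
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }

    // Clamp the displayed box. The browser scales whatever bitmap it receives
    // to these attributes, so a 4000x3000 file cannot stretch the topic view.
    $w = max(1, min($width,  AVATAR_MAX_WIDTH));
    $h = max(1, min($height, AVATAR_MAX_HEIGHT));

    // Escape the URL before placing it in an attribute to prevent the value
    // from breaking out of the tag.
    $safeUrl = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return sprintf(
        '<img src="%s" width="%d" height="%d" alt="avatar">',
        $safeUrl,
        $w,
        $h
    );
}

// Constructed sample inputs (not from the thread).
echo render_remote_avatar('https://example.invalid/avatar.png', 4000, 3000), "\n";
echo render_remote_avatar('https://example.invalid/a.png?q="><b>', 80, 60), "\n";
var_dump(render_remote_avatar('javascript:alert(1)', 80, 60));
```

Two caveats a practitioner should keep in mind. First, the width and height attributes only constrain the rendered box; every viewer's browser still downloads the full remote file, so this limits page disruption, not bandwidth or what the remote host chooses to serve. Second, the clamp must be applied where the tag is emitted (here, from stored values at render time), because any limit enforced only at upload time can be sidestepped by a remote host that changes the image afterwards, which is exactly Brian's point.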
