
Avoid .php in [IMG]


account8226

Guest
#1
Hello, I would like help with a famous bug that happens on any forum software.

That bug is the following:
- A user made a PHP page on his own server that steals any visitor's IP address.

That user embeds that page in BB Code.

So, is there a way to forbid, for example, .php codes? Is there a way to fix that without disabling the whole IMG BB Code?

Regards.
 

Jake Bunce

XenForo moderator
Staff member
#3
The problem is that limiting the file extension for IMG locations doesn't protect you. A gif extension can be rewritten to a PHP script. There is no way to protect against this without disabling the IMG tag entirely which requires an addon.

edit - ninjaaaa
 

Floris

Guest
#5
You don't need to put it in a directory, you can just have a signature.gif that's actually a php file, which stores referrer data to a database, and spits out the real signature.gif. None the wiser.
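
The point made in the two replies above, as an added example that is not part of the original thread: a loopback-only test showing that an extension allowlist on [IMG] URLs says nothing about what code answers the request. The filter `extension_allowed`, the handler `ScriptBehindGif`, and the `forum.example` referrer are hypothetical names constructed for this sketch.

```python
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed sample: a minimal 1x1 GIF standing in for the "real signature.gif".
GIF_1X1 = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
           b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
           b"\x00\x02\x02D\x01\x00;")

ALLOWED_EXT = re.compile(r"\.(gif|jpe?g|png)$", re.IGNORECASE)

def extension_allowed(url):
    """Hypothetical [IMG] filter: accept only paths ending in an image extension."""
    return bool(ALLOWED_EXT.search(urlparse(url).path))

class ScriptBehindGif(BaseHTTPRequestHandler):
    """The URL path is only a label; any server-side code can answer it."""
    seen = []  # what the remote host learns from every image load

    def do_GET(self):
        self.seen.append((self.client_address[0], self.headers.get("Referer")))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(GIF_1X1)))
        self.end_headers()
        self.wfile.write(GIF_1X1)

    def log_message(self, *args):  # keep the test quiet
        pass

def demo():
    """Return (filter verdict, content type, body is a real GIF, what the host saw)."""
    server = HTTPServer(("127.0.0.1", 0), ScriptBehindGif)  # loopback, ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/signature.gif" % server.server_port
    req = urllib.request.Request(url, headers={"Referer": "http://forum.example/threads/1"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    with opener.open(req) as resp:
        body, ctype = resp.read(), resp.headers["Content-Type"]
    server.shutdown()
    server.server_close()
    return extension_allowed(url), ctype, body == GIF_1X1, ScriptBehindGif.seen[-1]

if __name__ == "__main__":
    print(demo())
```

The filter accepts the URL and the response is a valid GIF, yet the host still records the requester's address and referrer, which is why the check gives no protection.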