Avoid .php in [IMG]



Hello, I would like help with a famous bug that happens on any forum software.

That bug is the following:
- A user made a PHP page on his own server that steals any visitor's IP address.

That user embeds that page in BB Code.

So, is there a way to forbid, for example, .php codes? Is there a way to fix that without disabling the whole IMG BB Code?


Jake Bunce

XenForo moderator
Staff member
The problem is that limiting the file extension for IMG locations doesn't protect you. A gif extension can be rewritten to a PHP script. There is no way to protect against this without disabling the IMG tag entirely which requires an addon.

edit - ninjaaaa


You don't need to put it in a directory, you can just have a signature.gif that's actually a PHP file, which stores referrer data to a database, and spits out the real signature.gif. None the wiser.
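Why the extension check asked for in the first post cannot tell a static image from a script, as an added example that is not part of the thread: a loopback test server stands in for the remote image host. The deny-list, the function names, the forum page address and the image bytes are constructed assumptions.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

BLOCKED_EXTENSIONS = (".php", ".cgi", ".asp")  # hypothetical deny-list
GIF_BYTES = b"GIF89a" + b"\x00" * 8  # constructed stand-in for image data

def extension_filter_allows(url):
    """The check asked for in the first post: reject [IMG] URLs by extension."""
    return not urlparse(url).path.lower().endswith(BLOCKED_EXTENSIONS)

def what_the_image_host_sees(path="/signature.gif",
                             page="https://forum.example/threads/1"):
    """Return the filter verdict, the response type, and what the host saw."""
    seen = []

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Whatever answers this URL gets these values with every request,
            # regardless of the extension in the path.
            seen.append({"ip": self.client_address[0], "path": self.path,
                         "referer": self.headers.get("Referer")})
            self.send_response(200)
            self.send_header("Content-Type", "image/gif")
            self.send_header("Content-Length", str(len(GIF_BYTES)))
            self.end_headers()
            self.wfile.write(GIF_BYTES)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)  # loopback, ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d%s" % (server.server_port, path)
        allowed = extension_filter_allows(url)
        # Ignore any proxy settings so the request stays on loopback.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        request = urllib.request.Request(url, headers={"Referer": page})
        with opener.open(request, timeout=5) as response:
            content_type = response.headers["Content-Type"]
            response.read()
    finally:
        server.shutdown()
        server.server_close()
    return allowed, content_type, seen
```

The filter passes the URL and the response is typed as an image, yet the host has already recorded the requester's address and the referring page: the exposure comes from the request being made, not from the file extension.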