
Avoid .php in [IMG]

Discussion in 'XenForo Questions and Support' started by account8226, Apr 8, 2012.

  1. account8226

    account8226 Guest

    Hello, I would like help about a famous bug that happens on any forum software.

    That bug is the following:
    - A user made a PHP page on his own server that steals any visitor's IP address.

    That user embeds that page in BB Code.

    So, is there a way to forbid, for example, .php codes? Is there a way to fix that without disabling the whole IMG BB Code?

  2. ragtek

    ragtek Guest

  3. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    The problem is that limiting the file extension for IMG locations doesn't protect you. A gif extension can be rewritten to a PHP script. There is no way to protect against this without disabling the IMG tag entirely which requires an addon.

    edit - ninjaaaa
    dieketzer likes this.
  4. dieketzer

    dieketzer Well-Known Member

  5. Floris

    Floris Guest

    You don't need to put it in a directory, you can just have a signature.gif that's actually a php file, which stores referrer data to a database, and spits out the real signature.gif. None the wiser.
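
The point made in the replies above, as an added example that is not part of the thread and not XenForo code: an extension check only inspects the URL string, so a `.gif` URL passes no matter what the remote server runs behind it, while rewriting every `[IMG]` to a link stops the automatic request. The function names, the sample post and the use of `[URL]` as the replacement tag are assumptions made for illustration.

```php
<?php
// Added example; helper names are hypothetical, not XenForo's API.

// Constructed sample post body with two remote images.
$post = "Nice thread! [IMG]http://example.net/signature.gif[/IMG] "
      . "[img]http://example.net/track.php?id=7[/img]";

// Naive filter from the question: refuse [IMG] URLs whose path ends in .php.
// It sees only the URL text, not what the remote server does with the request.
function extension_filter_allows(string $url): bool
{
    $path = parse_url($url, PHP_URL_PATH) ?: '';
    return !preg_match('/\.php$/i', $path);
}

// Mitigation named in the thread: disable inline images entirely.
// Every [IMG] becomes a [URL], so nothing is fetched until the reader clicks.
function neutralise_img_tags(string $bbcode): string
{
    return preg_replace_callback(
        '#\[img\](.*?)\[/img\]#is',
        function (array $m): string {
            return '[URL]' . trim($m[1]) . '[/URL]';
        },
        $bbcode
    );
}

// Show what the extension filter decides for each embedded image.
preg_match_all('#\[img\](.*?)\[/img\]#is', $post, $matches);
foreach ($matches[1] as $url) {
    printf(
        "%-42s extension filter: %s\n",
        $url,
        extension_filter_allows($url) ? 'allowed' : 'blocked'
    );
}

// The .gif URL is allowed above; only neutralising the tag removes the request.
echo neutralise_img_tags($post), "\n";
```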
