Avoid .php in [IMG]

  • Thread starter: account8226

Hello, I would like help with a famous bug that happens on any forum software.

That bug is the following:
- A user made a PHP page on his own server that steals any visitor's IP address.

That user embeds that page in BB Code.

So, is there a way to forbid, for example, .php codes? Is there a way to fix that without disabling the whole IMG BB Code?

Regards.
 
Even if you forbid PHP files, the "bad boy" could use htaccess to rewrite the URL.

http://davidejones.com/blog/1126-creating-dynamic-signature-image-php/

Also, "normal images" like badteeth.gif can be used to get your IP address, because it's saved in the server log.
 
The problem is that limiting the file extension for IMG locations doesn't protect you. A gif extension can be rewritten to a PHP script. There is no way to protect against this without disabling the IMG tag entirely which requires an addon.

edit - ninjaaaa
 
You don't need to put it in a directory, you can just have a signature.gif that's actually a PHP file, which stores referrer data to a database, and spits out the real signature.gif. None the wiser.
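
The limit described in the replies above, as an added example that is not part of the original thread or of any forum product's code: a hypothetical extension allow-list for [IMG] URLs (the function names and the example.test URLs are assumptions). It blocks the literal .php case, but the last two constructed URLs pass, because the extension says nothing about what the remote server runs or logs when the image is fetched.

```php
<?php
// Added example: hypothetical [IMG] extension filter and what it can decide.
const ALLOWED_EXT = ['gif', 'jpg', 'jpeg', 'png'];

// True if the URL is http(s) and its path ends in an allowed image extension.
function img_url_allowed(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Only the path is inspected, so "?x=a.gif" cannot smuggle an extension in.
    $ext = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true);
}

// Replace [IMG] tags whose URL fails the check with a plain-text marker.
function filter_img_tags(string $post): string
{
    $out = preg_replace_callback(
        '~\[img\](.*?)\[/img\]~is',
        function (array $m): string {
            $url = trim($m[1]);
            return img_url_allowed($url) ? "[IMG]{$url}[/IMG]" : '[image removed]';
        },
        $post
    );
    return $out ?? $post; // preg error: leave the post unchanged
}

// Constructed sample URLs (example.test is a placeholder host).
$samples = [
    'http://example.test/track.php',         // blocked: .php extension
    'http://example.test/track.PHP?x=a.gif', // blocked: extension comes from the path
    'http://example.test/signature.gif',     // allowed: host may still map it to a script
    'http://example.test/badteeth.gif',      // allowed: a static file is still in the host's log
];
foreach ($samples as $url) {
    printf("%-42s %s\n", $url, img_url_allowed($url) ? 'allowed' : 'blocked');
}
echo filter_img_tags("Sig: [img]http://example.test/track.php[/img]"), "\n";
```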
 