Lack of interest disable sending images (IMG tag) in conversations...

[topcat]

unless I have missed this option and its already there,

as the title says, I would like the option to disable sending images in pm's

is there an easy way to do this with temp edit??

 

[Paul B]

Attchments in conversations is a permission.

 

[topcat]

not the same, even if attachments are disabled in conversations it doesn't stop people from clicking the insert image icon and inserting an image into a conversation

Without being able to disable this function, its possible for members to obtain ip's of other members very easily.

 

[Amaury]

not the same, even if attachments are disabled in conversations it doesn't stop people from clicking the insert image icon and inserting an image into a conversation

Without being able to disable this function, its possible for members to obtain ip's of other members very easily.

By inserting an image, it's possible for others users to obtain another user's IP address? Um... no. I don't see how that's even remotely possible.

 

[AndyB]

unless I have missed this option and its already there,

as the title says, I would like the option to disable sending images in pm's

is there an easy way to do this with temp edit??

Is there a particular reason you want to disable the [i m g] code in Private Conversations?

 

[Daniel Hood]

By inserting an image, it's possible for others users to obtain another user's IP address? Um... no. I don't see how that's even remotely possible.

You can insert an image that is a php file which gathers data before rendering the image.

 

[topcat]

You can insert an image that is a php file which gathers data before rendering the image.

you can do it by just inserting a plain image

 

[topcat]

Is there a particular reason you want to disable the [i m g] code in Private Conversations?

see above

 

[AndyB]

you can do it by just inserting a plain image

From what I understand this can only occur if the forum software doesn't do basic checks for a valid image. Have you seen this exploit on Xenforo forums actually work?

 

[topcat]

yes just done is to Amaury lol

only way to stop it is to give option to disable img code in conversations.

then with it disabled from usergroup permissions if some one wanted to send an img they would have to type the url and it would be up to the person recieving the pm whether they wanted to visit that url or not, but it would be at their own risk and probably if they trusted the sender

 

[AndyB]

yes just done is to Amaury lol

Sorry I don't know what you mean by this?

 

[Jeremy]

Its not really an exploit; you are accessing a file from a server (be it an attachment or located elsewhere), your IP address will most likely appear in the server access log. That is standard on pretty much every server.

 

[topcat]

Sorry I don't know what you mean by this?

Amaury the user above said it wasn't possible so i sent hm and image and told him his ip

 

[topcat]

Its not really an exploit; you are accessing a file from a server (be it an attachment or located elsewhere), your IP address will most likely appear in the server access log. That is standard on pretty much every server.

true but on vbulletin you can disable the img tag in pm's

never said it was an exploit just asked for the option to disable the img tag for x usergroup

 

[AndyB]

Amaury the user above said it wasn't possible so i sent hm and image and told him his ip

Please send me this image too me in a Private Conversation, I'd like to see it too.

 

[SignTorch]

an image can be any script that returns an image header and image data, the viewer sees the image, the script can see the viewer's IP.... that's why many email readers don't show images without viewer approval

 

[psTubble27]

an image can be any script that returns an image header and image data, the viewer sees the image, the script can see the viewer's IP.... that's why many email readers don't show images without viewer approval

Isn't it much simpler than that? You could do it with the regular image, which the victim would request to show and the host would record what IP the request came from. That's probably the more straightforward reason why most mail clients prevent image-loading unless approved.

 

[SignTorch]

No it can't be any simpler.

fclose(fwrite(fopen("my-IP-stash.dat","a"),"\r\n{$_SERVER[REMOTE_ADDR]}"));
 header("content-type: image/gif");echo(file_get_contents("the-image.gif"));

IP recorded....

 

[xf_phantom]

Or just analize the server log and search for "the-image.gif" requests?
no coding required
no overhead

 

[sonnb]

I think you could request a custom addon for it. Many man, many mind. IMO, I am not happy if I even cannot insert an image in the PC.