Possible to use external url as avatar?

Akam

Member
for phpbb, user can use external url for avatar. for this option avatar does not store on local server, avatar shows from that url. is this feature available on xenforo? i could not find any such option on my demo xenforo.
 

ShikiSuen

Well-known member
for phpbb, user can use external url for avatar. for this option avatar does not store on local server, avatar shows from that url. is this feature available on xenforo? i could not find any such option on my demo xenforo.
This introduces risks of cross-site attack.
Some well-crafted image files can execute malicious codes on the clients' side.
 

ShikiSuen

Well-known member
could you please explain a bit how that can be happen?
I am not that expert enough to explain this to you clearly but just letting you know how danger this is.
You can always consult a web-server security consultant.

Unless one situation (theoreotically)... define external data folder to someplace which is a mounted remote folder.
 

beerForo

Well-known member
These will upload it from a URL:
 

Vekseid

Active member
could you please explain a bit how that can be happen?
Older versions of Internet Explorer had a bug that would run scripts in any embedded file they found.

I ended up forcing even signature images to be local on my own forum because the stuff people put in their signatures would often slow down the entire page.
 

ShikiSuen

Well-known member
These will upload it from a URL:
"Upload from URL" is acceptable, as long as XenForo can extract only image data from the URL-uploaded file to generate local avatar file copies.
"Direct link from external URL" is dangerous as what @Vekseid said in #7.
 
Top