BugZone: Nothing's perfect...

OrangeDragon
Site Admin
Posts: 4183
Joined: Fri May 02, 2014 8:05 pm
Karma: 6
United States of America

Re: BugZone: Nothing's perfect...

Postby OrangeDragon » Sun Nov 23, 2014 3:03 am

BOFH wrote:Navigating to the inbox nulls the "new messages" at top, I would prefer that number to show me my unread PMs. Right now it just indicates if I have navigated to the inbox since receiving my PMs.

EDIT: Even worse. Someone deleting a sent message from their outbox deletes it in my inbox.
Yeah, sadly 2 of the key shortcomings of the messaging system in PHPBB.
Jacket wrote:I've been reluctant to ask this out of fear of embarrassing myself, but how on earth do I embed YT videos? It's maybe because I'm not the most creative person but I tried literally anything that made any sense to me but it always comes out wrong. This is how my grandma must feel when she sits on the computer. Jeez.

Code: Select all

[youtube]5555555555[/youtube]
Where the 5555555555 is the video ID from youtube.  For example, in the YT URL: https://www.youtube.com/watch?v=GXXp7uh27_E it would be the GXXp7uh27_E part.

Everything after the v= and before any & symbols. After the ? in a URL what you have is a bunch of variable names and their values, in this case v (video) is equal to GXXp7uh27_E. & symbols are how this list is joined together, like so:

Code: Select all

https://www.youtube.com/watch?v=GXXp7uh27_E&feature=player_detailpage
In that URL you wouldn't want to also include the &feature=player_detailpage part, because it's a whole new variable, not part of the video ID.
Jacket
Expatriate
Posts: 217
Joined: Mon Nov 10, 2014 8:10 am
Karma: 3
Location: Kampong Cham
Austria

Re: BugZone: Nothing's perfect...

Postby Jacket » Sun Nov 23, 2014 3:10 am

In further training; in the death zone.
Jacket
Expatriate
Posts: 217
Joined: Mon Nov 10, 2014 8:10 am
Karma: 3
Location: Kampong Cham
Austria

Re: BugZone: Nothing's perfect...

Postby Jacket » Sun Nov 23, 2014 3:12 am

I'll be damned. It actually worked. Thanks man. :) :good:
In further training; in the death zone.
OrangeDragon
Site Admin
Posts: 4183
Joined: Fri May 02, 2014 8:05 pm
Karma: 6
United States of America

Re: BugZone: Nothing's perfect...

Postby OrangeDragon » Sun Nov 23, 2014 3:40 am

[bows]

Pleasure to serve.
StroppyChops
The Missionary Man
Posts: 8564
Joined: Tue May 06, 2014 11:24 am
Karma: 156
Australia

Re: BugZone: Nothing's perfect...

Postby StroppyChops » Sun Nov 23, 2014 12:44 pm

Jacket learns a new digital skill to post Harry B. That is (genuinely) brilliant.
Bodge: This ain't Kansas, and the neighbours ate Toto!
BOFH
Expatriate
Posts: 957
Joined: Wed Nov 19, 2014 10:27 am
Karma: 0

Re: De-anonymizing CEO users

Postby BOFH » Sun Nov 23, 2014 3:27 pm

BOFH wrote:When I acquired my avatar I noticed that this forum installation only lets you set remote avatar URIs instead of direct file uploads. This enables a very easy way to de-anonymize your users, simply by pointing the avatar to a webserver where access logs can be read and then match access log entry timestamps against post timestamps in threads where the remote avatar is loaded from.

That-other-forum makes it even easier to de-anonymize users since they load avatars into posts listed in the reply form, which this forum installation does not. On this forum one would need to match access log entry timestamps against post timestamps, thus it's still very easy to find the IP address of a poster replying to a thread in which the remote avatar occurs. (Whereas on that-other-forum one could make more accurate findings by matching both timestamps and referrals from requests sent to reply form submission page.) Anybody with their own webserver running can do it.

For example: Avatar fetched at 13:37:01 (remote access log entry) and post being registered on board at 13:37:00 makes it very easy to bind users to IP addresses.

It's unwise to trade minimal disk space and bandwidth saved on 200x200px images for security, just saying. I know it's default in phpBB, but sometimes default functions hurt you: http://archive.hack.lu/2013/dbongard_hacklu_2013.pdf

Save the users, kill remote avatars!
I am bumping this with the reason that we can increase the severity of this vulnerability.

Not only does this function leak the IP addresses of the users via remote sourced avatars, it also leaks the IP number of the server. Every time an avatar URL is entered the webserver makes a call to the URL to check the dimensions. Ding ding ding, access log bingo!

The current IP number of the server is ###CORRECT###, and thus your Cloudflare DNS protection is void.

Perhaps now this won't be ignored any longer? :-)

Just like I said the last time, this affects that-other-forum, too. Maybe somebody can ping them before somebody pings them. Get it, eh, eh?

Code: Select all

$ curl -i -H "Host: cambodiaexpatsonline.com" ###CORRECT###
HTTP/1.1 200 OK
Date: Sun, 23 Nov 2014 08:23:22 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.5
Set-Cookie: phpbb3_mdhh51_u=; expires=Sat, 23-Nov-2013 08:23:22 GMT; path=/; domain=.cambodiaexpatsonline.com; HttpOnly
Set-Cookie: phpbb3_mdhh51_k=; expires=Sat, 23-Nov-2013 08:23:22 GMT; path=/; domain=.cambodiaexpatsonline.com; HttpOnly
Set-Cookie: phpbb3_mdhh51_sid=; expires=Sat, 23-Nov-2013 08:23:22 GMT; path=/; domain=.cambodiaexpatsonline.com; HttpOnly
Cache-Control: private, no-cache="set-cookie"
Expires: 0
Pragma: no-cache
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Naturally at least the verification curl can be prevented with a simple rule in iptables restricting p80 to CF balancer ranges.
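The firewall rule BOFH mentions, worked through as an added example (not code from the thread or from phpBB): a dry-run generator that prints iptables rules allowing inbound 80/443 only from an allowlisted set of CIDRs and dropping everything else, so a direct hit on the origin address like the curl above gets no answer. The CIDRs in the demo are constructed placeholders, not real Cloudflare ranges; the real list is published at https://www.cloudflare.com/ips-v4 and has to be refreshed.

```shell
#!/bin/sh
# Added example: build a CDN-only allowlist chain for the web ports.
# Nothing is applied; the rules are printed so they can be reviewed first.

# gen_rules CIDR_FILE: print the rule set for the CIDRs listed in the file
gen_rules() {
    cidr_file="$1"
    # Fail closed: an empty or missing allowlist must not yield an open firewall
    [ -s "$cidr_file" ] || { echo "error: empty allowlist $cidr_file" >&2; return 1; }
    echo "iptables -N CDN_ONLY 2>/dev/null || iptables -F CDN_ONLY"
    # Skip blank lines and comments; reject anything that is not a.b.c.d/n,
    # since the values end up on a command line
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$cidr_file" | while read -r cidr; do
        case "$cidr" in
            *[!0-9./]*|*/|'') echo "error: bad CIDR '$cidr'" >&2; exit 1 ;;
        esac
        echo "iptables -A CDN_ONLY -s $cidr -j RETURN"
    done || return 1
    echo "iptables -A CDN_ONLY -j DROP"
    # Hook the chain in front of the web ports only; SSH and the rest are untouched
    echo "iptables -I INPUT -p tcp -m multiport --dports 80,443 -j CDN_ONLY"
}

# Demo on a constructed allowlist (placeholder ranges, not real CDN ranges)
demo_list=$(mktemp)
printf '# constructed sample ranges\n198.51.100.0/24\n203.0.113.0/24\n' > "$demo_list"
gen_rules "$demo_list"
rm -f "$demo_list"
```

This only closes the inbound probe; the outbound dimension check the post describes still writes the origin address into the remote host's log, so that part needs an egress fix (disabling remote avatars, as proposed, or fetching through a separate host).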
BOFH
Expatriate
Posts: 957
Joined: Wed Nov 19, 2014 10:27 am
Karma: 0

Re: BugZone: Nothing's perfect...

Postby BOFH » Sun Nov 23, 2014 3:38 pm

You have been permanently banned from this board.

Please contact the Board Administrator for more information.

A ban has been issued on your IP address.
Oh, gee, really?
OrangeDragon
Site Admin
Posts: 4183
Joined: Fri May 02, 2014 8:05 pm
Karma: 6
United States of America

Re: BugZone: Nothing's perfect...

Postby OrangeDragon » Sun Nov 23, 2014 3:43 pm

Man... good point about the pingback for the request. (I changed your posting of the IP... no need to put it right out on the front for any residual attackers while working on the solution.)

Problem is, people uploading files directly to the server creates a legal issue of content hosted on our servers that may be of an illegal nature. If they never posted where we saw the image come up, that could create a situation if someone wanted to set us up. Perhaps the only option is then allowing upload, but forcing mod approval (and so, awareness) of each one.

But this goes deeper than just avatar files... it would then impact any linked images in any posts.
OrangeDragon
Site Admin
Posts: 4183
Joined: Fri May 02, 2014 8:05 pm
Karma: 6
United States of America

Re: BugZone: Nothing's perfect...

Postby OrangeDragon » Sun Nov 23, 2014 3:43 pm

BOFH wrote:
You have been permanently banned from this board.

Please contact the Board Administrator for more information.

A ban has been issued on your IP address.
Oh, gee, really?
Wait... what!?

[Just checked, the IP you made the CURL post from is not in our ban list... did you switch to some proxy service by chance that may have been previously banned because of a spambot? Verified in the logs, and no bans have been issued against you.]
BOFH
Expatriate
Posts: 957
Joined: Wed Nov 19, 2014 10:27 am
Karma: 0

Re: BugZone: Nothing's perfect...

Postby BOFH » Sun Nov 23, 2014 3:59 pm

OrangeDragon wrote:Man... good point about the pingback for the request.

Problem is, people uploading files directly to the server creates a legal issue of content hosted on our servers that may be of an illegal nature. If they never posted where we saw the image come up, that could create a situation if someone wanted to set us up. Perhaps the only option is then allowing upload, but forcing mod approval (and so, awareness) of each one.
There's no legal issue regarding copyright until you start ignoring DMCA requests. The way most sites handle this is they allow everything seemingly legal until they receive DMCA orders to pull it down, when most sites do and they're fine.

I think you'll be alright.
OrangeDragon wrote:Wait... what!?

[Just checked, the IP you made the CURL post from is not in our ban list... did you switch to some proxy service by chance that may have been previously banned because of a spambot? Verified in the logs, and no bans have been issued against you.]
Same IP as through curl, no proxies. I think that's default behavior when a header is missing or something, could be part of spam protection. I get the same message when I curl with and without the host header, so it's definitely not that. Not JS either as I get the same message when I contact the ipnum directly in graphical web browser (without the CEO host header but + all other stuff curl is missing).

Doesn't seem like I am banned indeed, :-) #winning
