BOFH wrote:Navigating to the inbox nulls the "new messages" at top, I would prefer that number to show me my unread PMs. Right now it just indicates if I have navigated to the inbox since receiving my PMs.

EDIT: Even worse. Someone deleting a sent message from their outbox deletes it in my inbox.

Jacket wrote:I've been reluctant to ask this out of fear of embarrassing myself, but how on earth do I embed YT videos? It's maybe because I'm not the most creative person but I tried literally anything that made any sense to me but it always comes out wrong. This is how my grandma must feel when she sits on the computer. Jeez.#

https://youtube.com/watch?v=5555555555
Where the 5555555555 is the video ID from youtube.  For example, in the YT URL: https://www.youtube.com/watch?v=GXXp7uh27_E it would be the GXXp7uh27_E part.

https://www.youtube.com/watch?v=GXXp7uh27_E&feature=player_detailpage

BOFH wrote:When I acquired my avatar I noticed that this forum installation only lets you set remote avatar URIs instead of direct file uploads. This enables a very easy way to de-anonymize your users, simply by pointing the avatar to a webserver where access logs can be read and then match access log entry timestamps against post timestamps in threads where the remote avatar is loaded from.

That-other-forum makes it even easier to de-anonymize users since they load avatars into posts listed in the reply form, which this forum installation does not. On this forum one would need to match access log entry timestamps against post timestamps, thus it's still very easy to find the IP address of a poster replying to a thread in which the remote avatar occurs. (Whereas on that-other-forum one could make more accurate findings by matching both timestamps and referrals from requests sent to reply form submission page.) Anybody with their own webserver running can do it.

For example: Avatar fetched at 13:37:01 (remote access log entry) and post being registered on board at 13:37:00 makes it very easy to bind users to IP addresses.

It's unwise to trade minimal disk space and bandwidth saved on 200x200px images for security, just saying. I know it's default in phpBB, but sometimes default functions hurt you: http://archive.hack.lu/2013/dbongard_hacklu_2013.pdf

Save the users, kill remote avatars!

$ curl -i -H "Host: cambodiaexpatsonline.com" ###CORRECT###
HTTP/1.1 200 OK
Date: Sun, 23 Nov 2014 08:23:22 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.5
Set-Cookie: phpbb3_mdhh51_u=; expires=Sat, 23-Nov-2013 08:23:22 GMT; path=/; domain=.cambodiaexpatsonline.com; HttpOnly
Set-Cookie: phpbb3_mdhh51_k=; expires=Sat, 23-Nov-2013 08:23:22 GMT; path=/; domain=.cambodiaexpatsonline.com; HttpOnly
Set-Cookie: phpbb3_mdhh51_sid=; expires=Sat, 23-Nov-2013 08:23:22 GMT; path=/; domain=.cambodiaexpatsonline.com; HttpOnly
Cache-Control: private, no-cache="set-cookie"
Expires: 0
Pragma: no-cache
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

You have been permanently banned from this board.

Please contact the Board Administrator for more information.

A ban has been issued on your IP address.

BOFH wrote:

You have been permanently banned from this board.

Please contact the Board Administrator for more information.

A ban has been issued on your IP address.

Oh, gee, really?

OrangeDragon wrote:Man... good point about the pingback for the request.

Problem is, people uploading files directly to the server creates a legal issue of content hosted on our servers that may be of an illegal nature. If they never posted where we saw the image come up, that could create a situation if someone wanted to set us up. Perhaps the only option is then allowing upload, but forcing mod approval (and so, awareness) of each one.

OrangeDragon wrote:Wait... what!?

[Just checked, the IP you made the CURL post from is not in our ban list... did you switch to some proxy service by chance that may have been previously banned because of a spambot? Verified in the logs, and no bans have been issues against you.]