BugZone: Nothing's perfect...
-
- Site Admin
- Posts: 4193
- Joined: Fri May 02, 2014 8:05 pm
- Reputation: 17
Re: BugZone: Nothing's perfect...
Yeah, sadly 2 of the key shortcomings of the messaging system in phpBB.
BOFH wrote:
Navigating to the inbox nulls the "new messages" at top, I would prefer that number to show me my unread PMs. Right now it just indicates if I have navigated to the inbox since receiving my PMs.
EDIT: Even worse. Someone deleting a sent message from their outbox deletes it in my inbox.
Jacket wrote:
I've been reluctant to ask this out of fear of embarrassing myself, but how on earth do I embed YT videos? It's maybe because I'm not the most creative person but I tried literally anything that made any sense to me but it always comes out wrong. This is how my grandma must feel when she sits on the computer. Jeez.
Code:
https://youtube.com/watch?v=5555555555
Where the 5555555555 is the video ID from youtube. For example, in the YT URL: https://www.youtube.com/watch?v=GXXp7uh27_E it would be the GXXp7uh27_E part.
Everything after the v= and before any & symbols. After the ? in a URL what you have is a bunch of variable names and their values, in this case v (video) is equal to GXXp7uh27_E. & symbols are how this list is joined together, like so:
Code:
https://www.youtube.com/watch?v=GXXp7uh27_E&feature=player_detailpage
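As an added illustration of the URL anatomy explained above (not code from the forum post), this parser pulls the `v` parameter out of a YouTube watch URL regardless of what other `&`-joined parameters follow it, rejects IDs containing characters outside YouTube's `[A-Za-z0-9_-]` set before they are pasted into embed markup, and rebuilds the bare `watch?v=` form the post asks for:

```python
import re
from urllib.parse import urlparse, parse_qs

# YouTube video IDs only use these characters; anything else is refused so an
# untrusted value is never interpolated into embed markup unchecked.
VIDEO_ID_RE = re.compile(r"^[A-Za-z0-9_-]+$")
YOUTUBE_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com"}


def extract_video_id(url: str):
    """Return the value of the `v` query parameter, or None if absent/invalid.

    The query string (everything after `?`) is a list of name=value pairs
    joined by `&`; parse_qs splits it into {name: [values]}.
    """
    parts = urlparse(url)
    if parts.netloc.lower() not in YOUTUBE_HOSTS:
        return None
    values = parse_qs(parts.query).get("v")
    if not values or not VIDEO_ID_RE.match(values[0]):
        return None
    return values[0]


def bare_watch_url(url: str):
    """Rebuild the minimal https://youtube.com/watch?v=<id> form, or None."""
    video_id = extract_video_id(url)
    return None if video_id is None else f"https://youtube.com/watch?v={video_id}"


if __name__ == "__main__":
    # The URL from the post, with the extra &feature=... parameter attached.
    print(bare_watch_url("https://www.youtube.com/watch?v=GXXp7uh27_E&feature=player_detailpage"))
```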
Re: BugZone: Nothing's perfect...
I'll be damned. It actually worked. Thanks man.
In continuing education; in the death zone.
-
- Site Admin
- Posts: 4193
- Joined: Fri May 02, 2014 8:05 pm
- Reputation: 17
Re: BugZone: Nothing's perfect...
[bows]
Pleasure to serve.
- StroppyChops
- The Missionary Man
- Posts: 10598
- Joined: Tue May 06, 2014 11:24 am
- Reputation: 1032
Re: BugZone: Nothing's perfect...
Jacket learns a new digital skill to post Harry B. That is (genuinely) brilliant.
Bodge: This ain't Kansas, and the neighbours ate Toto!
Re: De-anonymizing CEO users
I am bumping this with the reason that we can increase the severity of this vulnerability.
BOFH wrote:
When I acquired my avatar I noticed that this forum installation only lets you set remote avatar URIs instead of direct file uploads. This enables a very easy way to de-anonymize your users, simply by pointing the avatar to a webserver where access logs can be read and then match access log entry timestamps against post timestamps in threads where the remote avatar is loaded from.
That-other-forum makes it even easier to de-anonymize users since they load avatars into posts listed in the reply form, which this forum installation does not. On this forum one would need to match access log entry timestamps against post timestamps, thus it's still very easy to find the IP address of a poster replying to a thread in which the remote avatar occurs. (Whereas on that-other-forum one could make more accurate findings by matching both timestamps and referrals from requests sent to reply form submission page.) Anybody with their own webserver running can do it.
For example: Avatar fetched at 13:37:01 (remote access log entry) and post being registered on board at 13:37:00 makes it very easy to bind users to IP addresses.
It's unwise to trade minimal disk space and bandwidth saved on 200x200px images for security, just saying. I know it's default in phpBB, but sometimes default functions hurt you: http://archive.hack.lu/2013/dbongard_hacklu_2013.pdf
Save the users, kill remote avatars!
Not only does this function leak the IP addresses of the users via remote sourced avatars, it also leaks the IP number of the server. Every time an avatar URL is entered the webserver makes a call to the URL to check the dimensions. Ding ding ding, access log bingo!
The current IP number of the server is ###CORRECT###, and thus your Cloudflare DNS protection is void.
Perhaps now this won't be ignored any longer?
Just like I said the last time, this affects that-other-forum, too. Maybe somebody can ping them before somebody pings them. Get it, eh, eh?
Code:
$ curl -i -H "Host: cambodiaexpatsonline.com" ###CORRECT###
HTTP/1.1 200 OK
Date: Sun, 23 Nov 2014 08:23:22 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.5
Set-Cookie: phpbb3_mdhh51_u=; expires=Sat, 23-Nov-2013 08:23:22 GMT; path=/; domain=.cambodiaexpatsonline.com; HttpOnly
Set-Cookie: phpbb3_mdhh51_k=; expires=Sat, 23-Nov-2013 08:23:22 GMT; path=/; domain=.cambodiaexpatsonline.com; HttpOnly
Set-Cookie: phpbb3_mdhh51_sid=; expires=Sat, 23-Nov-2013 08:23:22 GMT; path=/; domain=.cambodiaexpatsonline.com; HttpOnly
Cache-Control: private, no-cache="set-cookie"
Expires: 0
Pragma: no-cache
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
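Added here as a defender-side check (not code from the thread or from phpBB): the exposure described in the quoted post exists wherever a rendered page makes the viewer's browser fetch an image from a host the forum does not control. This script audits a page's HTML for exactly that, listing every `<img>` whose host differs from the forum's own host; the sample page and hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class RemoteImageFinder(HTMLParser):
    """Collect <img> sources whose host is not the forum's own host."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.remote = []  # (src, host, css class)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # Relative paths give an empty netloc (served by the forum itself);
        # absolute and protocol-relative "//host/..." URLs give the host.
        host = urlparse(src).netloc.lower()
        if host and host != self.site_host:
            self.remote.append((src, host, a.get("class", "")))


def find_remote_images(html: str, site_host: str):
    """Return [(src, host, class)] for every off-site image on the page."""
    parser = RemoteImageFinder(site_host)
    parser.feed(html)
    return parser.remote


# Constructed sample page (hosts are placeholders, not a capture of the forum).
SAMPLE_PAGE = """
<div class="post">
 <img class="avatar" src="./download/file.php?avatar=1.png" alt="">
 <div class="content">uploaded avatar, served locally</div>
</div>
<div class="post">
 <img class="avatar" src="http://remote-avatar-host.example/av.png" alt="">
 <div class="content"><img src="//img-host.example/pic.jpg"></div>
</div>
"""

if __name__ == "__main__":
    for src, host, cls in find_remote_images(SAMPLE_PAGE, "cambodiaexpatsonline.com"):
        print(f"{cls or 'inline image'}: viewers will contact {host} for {src}")
```

Run it against saved copies of your own topic pages; anything it reports is a host that receives the viewer's IP address and request timestamp on every page load.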
Re: BugZone: Nothing's perfect...
Oh, gee, really?
You have been permanently banned from this board.
Please contact the Board Administrator for more information.
A ban has been issued on your IP address.
-
- Site Admin
- Posts: 4193
- Joined: Fri May 02, 2014 8:05 pm
- Reputation: 17
Re: BugZone: Nothing's perfect...
Man... good point about the pingback for the request. (I changed your posting of the IP... no need to put it right out on the front for any residual attackers while working on the solution.)
Problem is, people uploading files directly to the server creates a legal issue of content hosted on our servers that may be of an illegal nature. If they never posted where we saw the image come up, that could create a situation if someone wanted to set us up. Perhaps the only option is then allowing upload, but forcing mod approval (and so, awareness) of each one.
But this goes deeper than just avatar files... it would then impact any linked images in any posts.
-
- Site Admin
- Posts: 4193
- Joined: Fri May 02, 2014 8:05 pm
- Reputation: 17
Re: BugZone: Nothing's perfect...
Wait... what!?
BOFH wrote:
Oh, gee, really?
You have been permanently banned from this board.
Please contact the Board Administrator for more information.
A ban has been issued on your IP address.
[Just checked, the IP you made the CURL post from is not in our ban list... did you switch to some proxy service by chance that may have been previously banned because of a spambot? Verified in the logs, and no bans have been issued against you.]
Re: BugZone: Nothing's perfect...
There's no legal issue regarding copyright until you start ignoring DMCA requests. The way most sites handle this is they allow everything seemingly legal until they receive DMCA orders to pull it down, when most sites do and they're fine.
OrangeDragon wrote:
Man... good point about the pingback for the request.
Problem is, people uploading files directly to the server creates a legal issue of content hosted on our servers that may be of an illegal nature. If they never posted where we saw the image come up, that could create a situation if someone wanted to set us up. Perhaps the only option is then allowing upload, but forcing mod approval (and so, awareness) of each one.
I think you'll be alright.
Same IP as through curl, no proxies. I think that's default behavior when a header is missing or something, could be part of spam protection. I get the same message when I curl with and without the host header, so it's definitely not that. Not JS either as I get the same message when I contact the ipnum directly in a graphical web browser (without the CEO host header but + all other stuff curl is missing).
OrangeDragon wrote:
Wait... what!?
[Just checked, the IP you made the CURL post from is not in our ban list... did you switch to some proxy service by chance that may have been previously banned because of a spambot? Verified in the logs, and no bans have been issued against you.]
Doesn't seem like I am banned indeed, #winning