
Bugtraq mailing list archives


phpBB 2.0.17 remote avatar size bug


From: SmOk3 <smok3f00 () gmail com>
Date: Tue, 20 Sep 2005 11:56:07 +0100

Title: phpBB remote avatar size bug
Software: phpBB 2.0.17 (and maybe prior versions)
Discovered by: David Sopas Ferreira < david at systemsecure dot org >
Original link: http://www.systemsecure.org/ssforum/viewtopic.php?t=272

» Email from phpBB «

Your report "Avatar size" has been closed because your reported issue is
invalid.

Classifying a report as invalid can have various reasons, most of the time
the report is incomplete.

If you think your report has been handled incorrectly, please submit
another report at http://www.phpbb.com/security/index.php.

Comment added by team member:
This isn't a security problem. You can do the same thing with a standard
webpage. As for checking remote avatar size, there are several inherit
problems with that, which I won't detail here. As this isn't a security
problem, closing.

» End Of Mail - «

» My personal opinion:

I think this is a minor security problem. A malicious user can use larger images
(for example: 1280px - 1024px) to almost damage the entire view of a topic. This, to
be done, has to have Remote Avatar selected.

So, if the admins don't consider this a minor security problem, what is it? A "special"
feature?

I don't want to criticize the phpBB coders, but why is it difficult to check out the size
of an image and telling the user that that size of image is not possible, or even block the
size on the viewtopic table, something like that.

» Possible solution:

Disable remote avatar or just dig in the code to set the image size you want.
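
The two mitigations the message asks for (rejecting an oversized image and capping the displayed size in the topic view) are sketched below. This is an added example, not part of the original post and not phpBB code; the function names, the 80x80 limit and the sample header bytes are assumptions made for illustration.

```php
<?php
// Added example, not phpBB code. Names and limits are hypothetical.

const MAX_AVATAR_W = 80;   // assumed board limit, in pixels
const MAX_AVATAR_H = 80;

/**
 * Read width/height from the header bytes of a GIF or PNG.
 * Returns [width, height], or null if the format is not recognised.
 */
function avatar_dimensions(string $bytes): ?array
{
    // GIF: "GIF87a"/"GIF89a", then little-endian 16-bit width and height.
    if (strlen($bytes) >= 10 && preg_match('/^GIF8[79]a/', $bytes)) {
        $d = unpack('vw/vh', substr($bytes, 6, 4));
        return [$d['w'], $d['h']];
    }
    // PNG: 8-byte signature, IHDR chunk, big-endian 32-bit width/height at offset 16.
    if (strlen($bytes) >= 24 && substr($bytes, 0, 8) === "\x89PNG\r\n\x1a\n"
        && substr($bytes, 12, 4) === 'IHDR') {
        $d = unpack('Nw/Nh', substr($bytes, 16, 8));
        return [$d['w'], $d['h']];
    }
    return null;
}

/** Accept only recognised images within the limit; unknown formats are rejected. */
function avatar_size_ok(string $bytes): bool
{
    $dim = avatar_dimensions($bytes);
    return $dim !== null && $dim[0] > 0 && $dim[1] > 0
        && $dim[0] <= MAX_AVATAR_W && $dim[1] <= MAX_AVATAR_H;
}

/** Render-time cap: limit the displayed size whatever the remote file contains. */
function avatar_img_tag(string $url): string
{
    return sprintf('<img src="%s" alt="avatar" style="max-width:%dpx;max-height:%dpx" />',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'), MAX_AVATAR_W, MAX_AVATAR_H);
}

// Constructed sample headers (not real files): a 1280x1024 GIF and a 64x64 PNG.
$bigGif   = 'GIF89a' . pack('vv', 1280, 1024);
$smallPng = "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . pack('NN', 64, 64);

var_dump(avatar_size_ok($bigGif), avatar_size_ok($smallPng));
echo avatar_img_tag('http://example.org/avatar.gif'), "\n";
```

Because a remotely hosted avatar can be replaced after it has passed the check, the render-time cap is the part that holds regardless of what the remote server later returns.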
