vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Modification Requests/Questions (Unpaid) (https://vborg.vbsupport.ru/forumdisplay.php?f=112)
-   -   Avoid base64 image insertions (https://vborg.vbsupport.ru/showthread.php?t=308122)

socialvisionsbcn 02-09-2014 09:47 PM

Avoid base64 image insertions
 
Seems like users at my site can post base64 images on posts through the WYSIWYG editor.

Has anyone developed something to avoid these huge data insertions?

Quote:

[Tue Feb 04 16:52:37 2014] [error] [client 173.245.49.171] (36)File name too long: Cannot map GET /data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAkGBhIQDxIQEBIPDw8QDxAPEA8PDw8PDQ8PFBAVFBQQFB IXHCYeFxkjGRQSHy8gIycpLCwsFR4x NTAqNSYrLCkBCQoKDgwOFw8PGikcHhwpLCksKSksKSkpKSkpKS kpKSksKSksKSkpLCkpKSkpKSkpLCwp KSkpLCkpKSksKSwpKf/AABEIALcBEwMBIgACEQEDEQH/xAAcAAABBQEBAQAAAAAAAAAAAAADAAECBAUGBwj/xAA4EAACAQIEAwYDBwMFAQAAAAAAAQIDEQQFEiExQVEGEyJhcZ GBobEHFDJSwdHwQmLhFSMzcoJj/8QAGgEAAgMBAQAAAAAAAAAAAAAAAgMAAQQFBv/EACYRAAICAQQCAQQDAAAAAAAAAAABAhEDBBIhMRNBIhRRYXEFI/D/2gAMAwEAAhEDEQA/AMPQQlAPpBVEcpo6RXlEeEBpBKQhhoPTph1TGootJECKsqZDuy 3KJHSCyxUKZoUoAKES9SiHFgtDOJVr
....
MoiiQhEIeefaBQ01YT/MmvY5J1BCPLa5JZ5HZ0z/rRF1CPeCEZEh4zqke8EIKgSOsQhEoh//Z HTTP/1.1 to file, referer:
http://goo.gl/AXLyqd
They are generating apache errors and I'm afraid they could affect both apache and vb search server performance.

ozzy47 02-09-2014 10:03 PM

I would think the use of the attachment manager would prevent that "image" from even uploading. It should cause an error message that says something like, "not a recognized image format." It also would not be in the format of http://domain.com/filename; it would have to be in [ attach]1234567[/attach].

If it is posted between tags, then you could prevent it by censoring the term base64. Adding that to the censored words list will break the image and cause either nothing to appear in some browsers or a red X to appear in others.
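A word filter on "base64" breaks the image but leaves the kilobytes of data in the post. The check below, an added example and not code from this thread or from vBulletin, instead rejects any [img] tag whose target is a data: URI (or whose URL is implausibly long) before the post is saved; whitespace and case are normalised first because the log line above shows the base64 payload arriving with embedded spaces. The tag syntax, the sample post and the length limit are assumptions.

```python
import re

# vBulletin 3 style [img]...[/img] tag, case-insensitive; DOTALL so a URL
# wrapped across lines by the editor is still captured as one target.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def is_data_uri(url: str) -> bool:
    """True if the [img] target is a data: URI (an inline base64 image).

    All whitespace is stripped before the scheme test, so a payload that was
    broken into chunks (as in the Apache error above) is not missed.
    """
    compact = re.sub(r"\s+", "", url).lower()
    return compact.startswith("data:")


def strip_inline_images(message: str, max_url_len: int = 2048):
    """Replace [img] tags that embed data: URIs, or whose URL exceeds
    max_url_len (assumed limit), with a short placeholder.

    Returns (cleaned_message, number_of_tags_removed) so the caller can
    either save the cleaned text or refuse the post when the count is > 0.
    """
    removed = 0

    def repl(match):
        nonlocal removed
        url = match.group(1)
        if is_data_uri(url) or len(url) > max_url_len:
            removed += 1
            return "[inline image removed]"
        return match.group(0)

    return IMG_TAG.sub(repl, message), removed


# Constructed sample post: one normal image, one inline base64 image whose
# payload was wrapped onto several lines by the editor.
SAMPLE_POST = (
    "Look at this: [IMG]http://example.com/photo.png[/IMG]\n"
    "and this: [img]data:image/jpeg;base64,/9j/4AAQ\n"
    "SkZJRgABAQAA AQABAAD[/img] done"
)

if __name__ == "__main__":
    cleaned, count = strip_inline_images(SAMPLE_POST)
    print(count, "inline image(s) removed")
    print(cleaned)
```

A vBulletin hook that runs this on the post text would use the returned count to reject or clean the submission; the same check belongs wherever signatures or private messages accept [img] tags.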

Adrian Schneider 02-10-2014 11:54 PM

I wrote an article about this a few years ago - http://www.syndicatetheory.com/labs/...images-exploit

A plugin is included to show you how to prevent it.

Cheers

ozzy47 02-11-2014 12:08 AM

Excellent read Adrian. :)

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.