  #1510  
Old 08-26-2006, 04:41 PM
jeremycs
 
Join Date: Jul 2004
Posts: 26
Thanked: 0 times
Thanked 0 times in 0 posts

Quote:
Originally Posted by Mysticales
My concern is.. I am not secure about using this.. seems users could spam flash players all over a thread.. =/ Wonder what everyone does to secure this.


There are definitely some security issues to consider when using this module.

#1: Think strongly about allowing Macromedia files to be one of the file types that are allowed to play (i.e. .swf and the other 2 in that row). It's very easy for someone to construct a .swf that will redirect your member to a URL of the .swf author's choosing. Perhaps the site they redirect them to looks just like YOUR site's login page, making the user think they are logged out and need to log in again. But instead, the flash author harvests their password & logs them in to your board as if nothing happened.

#2: As Mysticales says above, and I have said, and someone else originally said in this thread... there is potential for per-thread denial of service attacks. The attacker would just need to make a few posts and autoplay 20-30 large files.

Suggested fixes:

For #1: There's no fix really, unless your server pulls the submitted .swf or flash file on submission, scans it for anything you consider malicious, and then hosts it locally. Scanning a hotlinked .swf & leaving it that way would do no good because the person could just change the .swf file to something malicious later.

Btw, I think the same goes for certain Windows Media files as well... .asf and .asx I believe.

For #2: Add options to limit things like:

- The number of media tags a user can enter per day
- The number of media tags allowed per thread

And most importantly:

Ignore user-submitted autoplay? (YES) / NO
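The mitigations suggested in this post (refuse the risky file types, cap media tags per thread and per user per day, and ignore user-submitted autoplay) can be combined into one server-side filter that runs when a post is saved. The example below is an added illustration written for this thread, not code from vBulletin or from the media module being discussed. It assumes a hypothetical `[media autoplay=1]URL[/media]` tag syntax, a constructed allowlist of extensions, and in-memory counters standing in for the board's database.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed policy values for this example; a real board would keep these as admin options.
BLOCKED_EXTENSIONS = {".swf", ".asf", ".asx"}          # formats the post warns about
ALLOWED_EXTENSIONS = {".mp3", ".mp4", ".ogg", ".wav"}  # anything outside this list is refused too

# Hypothetical tag syntax: [media autoplay=1]http://host/file.mp3[/media]
MEDIA_TAG_RE = re.compile(
    r"\[media(?P<opts>[^\]]*)\](?P<url>[^\[]+)\[/media\]", re.IGNORECASE
)

# Constructed sample post: one Flash file, one autoplaying mp3, one mp4, one non-http URL.
SAMPLE_POST = """
Look at this [media autoplay=1]http://example.invalid/clip.swf[/media]
and [MEDIA autoplay=true]https://example.invalid/song.mp3?x=1[/media]
and [media]https://example.invalid/vid.mp4[/media]
and [media]javascript:alert(1)[/media]
"""


def extension_of(url):
    """Lower-cased extension of the URL path only (query string and fragment ignored)."""
    path = urlparse(url).path
    dot, slash = path.rfind("."), path.rfind("/")
    return path[dot:].lower() if dot > slash else ""


def parse_media_tags(post_text):
    """Extract every media tag as {'url': ..., 'autoplay': bool} in document order."""
    tags = []
    for m in MEDIA_TAG_RE.finditer(post_text):
        opts = m.group("opts").lower()
        autoplay = bool(re.search(r"autoplay\s*=\s*(1|true|yes)", opts))
        tags.append({"url": m.group("url").strip(), "autoplay": autoplay})
    return tags


def filter_media_tags(tags, ignore_autoplay=True):
    """Apply the file-type allowlist and (by default) discard the user's autoplay setting.

    Returns (kept, rejected); rejected entries carry a reason so moderators can log them.
    """
    kept, rejected = [], []
    for tag in tags:
        url = tag["url"]
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            rejected.append((url, "unsupported scheme"))
            continue
        ext = extension_of(url)
        if ext in BLOCKED_EXTENSIONS or ext not in ALLOWED_EXTENSIONS:
            rejected.append((url, "file type %s not allowed" % (ext or "(none)")))
            continue
        kept.append({"url": url, "autoplay": False if ignore_autoplay else tag["autoplay"]})
    return kept, rejected


class MediaQuota:
    """Per-thread and per-user-per-day counters; an in-memory stand-in for DB rows."""

    def __init__(self, per_thread, per_user_per_day):
        self.per_thread = per_thread
        self.per_user_per_day = per_user_per_day
        self._thread_counts = defaultdict(int)
        self._user_day_counts = defaultdict(int)

    def admit(self, user, thread_id, day, requested):
        """Admit as many of `requested` tags as both limits allow and record them."""
        thread_room = self.per_thread - self._thread_counts[thread_id]
        user_room = self.per_user_per_day - self._user_day_counts[(user, day)]
        admitted = max(0, min(requested, thread_room, user_room))
        self._thread_counts[thread_id] += admitted
        self._user_day_counts[(user, day)] += admitted
        return admitted


def process_post(post_text, user, thread_id, day, quota):
    """Filter a post's media tags, then enforce the quotas on the survivors.

    Returns (tags to render, rejected tags with reasons, number dropped by quota).
    """
    kept, rejected = filter_media_tags(parse_media_tags(post_text))
    admitted = quota.admit(user, thread_id, day, len(kept))
    return kept[:admitted], rejected, len(kept) - admitted


if __name__ == "__main__":
    quota = MediaQuota(per_thread=3, per_user_per_day=3)
    shown, refused, dropped = process_post(SAMPLE_POST, "alice", 1, "2006-08-26", quota)
    print("rendered:", shown)
    print("refused:", refused)
    print("dropped by quota:", dropped)
```

Because the filter is applied on submission, a hotlinked file that is swapped for something else later is still only ever embedded if its extension passed the allowlist, and the autoplay flag the reader sees is always the board's choice rather than the poster's. The quota object would normally be backed by the posts table so that edits and deletions adjust the counters.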