
08-26-2006, 11:16 PM
Join Date: Feb 2006
Location: Washington State
Posts: 264
Quote:
Originally Posted by jeremycs
There are definitely some security issues to consider when using this module.
#1: Think strongly about allowing Macromedia files to be one of the file types that are allowed to play (i.e. .swf and the other 2 in that row). It's very easy for someone to construct a .swf that will redirect your member to a URL of the .swf author's choosing. Perhaps the site they redirect them to looks just like YOUR site's login page? Making the user think they are logged out and they need to log in again. But instead, the flash author harvests their password & logs them in to your board as if nothing happened.
#2: As mysticales says above, and I have said, and someone else originally said in this thread... there is potential for per-thread denial of service attacks. The attacker would just need to make a few posts and autoplay 20-30 large files.
Suggested fixes:
For #1: There's no fix really, unless your server pulls the submitted .swf or flash file on submission, scans it for anything you consider malicious, and then hosts it locally. Scanning a hotlinked .swf & leaving it that way would do no good because the person could just change the .swf file to something malicious later.
Btw, I think the same goes for certain Windows Media files as well... .asf and .asx I believe.
For #2: Add options to limit things like:
- The number of media tags a user can enter per day
- The number of media tags allowed per thread
And most importantly:
Ignore user-submitted autoplay? (YES) / NO
Because of concerns like this only Admin/Mods are even allowed to use this on my forum. Still a wonderful addition to the forum though.
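As an added example, not code from this thread or from the media module under discussion, the following Python sketch implements the mitigations jeremycs lists: an allowlist of media file types that excludes .swf/.asf/.asx, a cap on media tags per thread and per user per day, and discarding any user-supplied autoplay option. The `[media]` tag syntax, the limit values and the file-type lists are assumptions chosen for illustration; a real board would load them from its admin settings.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed policy values (hypothetical, not the module's real settings).
BLOCKED_EXTENSIONS = {".swf", ".asf", ".asx"}          # redirect/phishing-capable formats named in the post
ALLOWED_EXTENSIONS = {".mp3", ".wav", ".mpg", ".mov", ".avi"}
MAX_TAGS_PER_THREAD = 5
MAX_TAGS_PER_USER_PER_DAY = 10
IGNORE_USER_AUTOPLAY = True

# Assumed BBCode form: [media <options>]http://host/file.ext[/media]
MEDIA_TAG = re.compile(
    r"\[media(?P<opts>[^\]]*)\](?P<url>[^\[]+)\[/media\]", re.IGNORECASE
)


@dataclass
class MediaPolicy:
    """Tracks how many embedded players each thread and each user/day already has."""
    thread_counts: dict = field(default_factory=lambda: defaultdict(int))
    daily_counts: dict = field(default_factory=lambda: defaultdict(int))

    @staticmethod
    def _extension(url: str) -> str:
        # Use the URL path only, so "?x=.mp3" tricks in the query string are ignored.
        path = urlparse(url.strip()).path.lower()
        dot = path.rfind(".")
        return path[dot:] if dot != -1 else ""

    def filter_post(self, user_id: str, thread_id: str, day: str, text: str):
        """Return (rewritten_text, rejected) where rejected lists (url, reason).

        Tags that fail a check are demoted to a plain URL so nothing auto-embeds.
        """
        rejected = []

        def replace(m: re.Match) -> str:
            url = m.group("url").strip()
            ext = self._extension(url)
            if ext in BLOCKED_EXTENSIONS or ext not in ALLOWED_EXTENSIONS:
                rejected.append((url, "disallowed file type"))
                return url
            if self.thread_counts[thread_id] >= MAX_TAGS_PER_THREAD:
                rejected.append((url, "thread media limit"))
                return url
            if self.daily_counts[(user_id, day)] >= MAX_TAGS_PER_USER_PER_DAY:
                rejected.append((url, "daily media limit"))
                return url
            self.thread_counts[thread_id] += 1
            self.daily_counts[(user_id, day)] += 1
            opts = m.group("opts")
            if IGNORE_USER_AUTOPLAY:
                # Drop "autoplay" or "autoplay=<value>" regardless of what the poster wrote.
                opts = re.sub(r"\s*autoplay(=\w+)?", "", opts, flags=re.IGNORECASE)
            return f"[media{opts}]{url}[/media]"

        return MEDIA_TAG.sub(replace, text), rejected


if __name__ == "__main__":
    policy = MediaPolicy()
    # Constructed sample post: one acceptable clip with autoplay requested, one .swf.
    sample = ("[media autoplay=1]http://example.com/a.mp3[/media] "
              "[media]http://evil.example/x.swf[/media]")
    out, rej = policy.filter_post("u1", "t1", "2006-08-26", sample)
    print(out)
    print(rej)
```

Rejected tags are rendered as bare text rather than dropped, so the poster sees what was refused without the board ever constructing an embedded player for it.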