Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
  #1  
Old 03-16-2014, 02:43 PM
Ua|Eight Ua|Eight is offline
 
Join Date: Sep 2012
Posts: 21
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default [3.X] How to remove image upload URLs?

Example of what I'm talking about;



The reasoning behind this is because I'm trying to mask my forum's true IP with CloudFlare, but with this method: http://www.madleets.com/Thread-Bypas...IP-from-forums , people will be able to get the IP.

On the topic, what other methods do you guys know of within 3.X that would allow somebody to identify the IP? I've covered the SMTP with Amazon SES, but I'm sure there are other methods that I'm still vulnerable to.
Reply With Quote
  #2  
Old 03-16-2014, 11:08 PM
blind-eddie's Avatar
blind-eddie blind-eddie is offline
 
Join Date: Apr 2006
Location: Michigan
Posts: 2,310
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

You can edit permissions to not allow URL images... but that will not have any effect in stopping anyone from getting your IP.
Anyone can ping your site to find the IP.
Reply With Quote
Благодарность от:
ozzy47
  #3  
Old 03-16-2014, 11:09 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

They could also run a tracert to the site, and get the true IP.
Reply With Quote
  #4  
Old 03-16-2014, 11:18 PM
Ua|Eight Ua|Eight is offline
 
Join Date: Sep 2012
Posts: 21
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by blind-eddie View Post
You can edit permissions to not allow URL images... but that will not have any effect in stopping anyone from getting your IP.
Anyone can ping your site to find the IP.
How would they ping my site and bypass all of the cloudflare masks?

--------------- Added [DATE]1395011999[/DATE] at [TIME]1395011999[/TIME] ---------------

Quote:
Originally Posted by ozzy47 View Post
They could also run a tracert to the site, and get the true IP.
currently, running a traceroute is only showing cloudflare's IPs
Reply With Quote
  #5  
Old 03-16-2014, 11:25 PM
blind-eddie's Avatar
blind-eddie blind-eddie is offline
 
Join Date: Apr 2006
Location: Michigan
Posts: 2,310
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

If that is the case, why worry about the URL images?

They only use one IP for many sites on cloudflare? I have no idea if they do.
Reply With Quote
  #6  
Old 03-16-2014, 11:32 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Your original IP can still be uncovered.

Many rent-a-DDoS packages will include a Cloudflare resolver feature and there are online resolver tools.

As with any proxy, the attacker can also trace it back via FTP and MX subdomains (which are not handled by CF proxy)

Now saying that, it may still be a good idea to hide your IP through Cloudfare, if you are experiencing issues, but don't think one you do, you will be 100% safe.

Quote:
Originally Posted by Ua|Eight View Post
currently, running a traceroute is only showing cloudflare's IPs
Well that's a good thing.
Reply With Quote
Благодарность от:
OzzModz
  #7  
Old 03-17-2014, 09:46 AM
Ua|Eight Ua|Eight is offline
 
Join Date: Sep 2012
Posts: 21
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

If I wanted to just remove the option for remote URL's on image uploads in places like signature/avatar/posts, how would I do that? where would I look for the code in vBulletin's files?

--------------- Added [DATE]1395056047[/DATE] at [TIME]1395056047[/TIME] ---------------

Quote:
Originally Posted by ozzy47 View Post
Your original IP can still be uncovered.

Many rent-a-DDoS packages will include a Cloudflare resolver feature and there are online resolver tools.

As with any proxy, the attacker can also trace it back via FTP and MX subdomains (which are not handled by CF proxy)
No resolvers that I've tested (20+) have found the IP, ftp and mx subdomains return 'unknown host'
Reply With Quote
  #8  
Old 03-17-2014, 11:33 PM
MatthewE MatthewE is offline
 
Join Date: Dec 2013
Posts: 6
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

To do so, go to your theme settings in style manager.
I'll walk you through.

Go to your style you want to edit, open 'edit templates';
Find 'Modify User Option Templates'

Within there you'll find 'modifyavatar'
Which if you open and replace ALL the code with;
Code:
<script type="text/javascript">
<!--
function check_yes(objid)
{
	yes = fetch_object(objid);
	if (yes)
	{
		yes.checked = true;
	}
}

<if condition="$show['categories']">
function switch_avatar_category()
{
	selobj = fetch_object("avatar_category_select");
	window.location = "profile.php?$session[sessionurl_js]do=editavatar&categoryid=" + selobj.options[selobj.selectedIndex].value;
}
</if>
//-->
</script>

<form enctype="multipart/form-data" action="profile.php?do=updateavatar" method="post">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="updateavatar" />

<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">
<tr>
	<td class="tcat">$vbphrase[edit_avatar]</td>
</tr>
<tr>
	<td class="panelsurround" align="center">
	<div class="panel">
		<div style="width:$stylevar[formwidth_usercp]" align="$stylevar[left]">

			<fieldset class="fieldset">
				<legend>$vbphrase[your_current_avatar]</legend>
				<table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0">
				<tr valign="top">
					$currentavatar
					<td class="smallfont">
						<div style="margin-bottom:$stylevar[formspacer]px">$vbphrase[avatars_small_graphics_short]</div>
						<div style="margin-bottom:$stylevar[formspacer]px"><label for="rb_avatarid_no"><input type="radio" name="avatarid" value="-1" id="rb_avatarid_no" $nouseavatarchecked />$vbphrase[do_not_use_an_avatar]</label></div>
						<div>$vbphrase[note_have_custom_avatar_delete]</div>
					</td>
				</tr>
				</table>
			</fieldset>

			<if condition="$show['forumavatars']">
			<fieldset class="fieldset">
				<legend><phrase 1="$categoryname">$vbphrase[predefined_x]</phrase></legend>
				<table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0" width="100%">
				<tr>
					<td colspan="$cols">
						<if condition="$show['categories']">
						$vbphrase[avatar_category]:<br />
						<select name="categoryid" id="avatar_category_select" onchange="switch_avatar_category()">$categorybits</select>
						<input type="button" value="$vbphrase[go]" class="button" onclick="switch_avatar_category()" />
						</if>
					</td>
				</tr>
				<tr>
					<td colspan="$cols">$vbphrase[may_select_predefined_as_avatar]</td>
				</tr>
				$avatarlist
				<if condition="$show['pagenav']">
				<tr valign="bottom">
					<td colspan="$cols">
						$pagenav
					</td>
				</tr>
				</if>
				</table>
			</fieldset>
			</if>

			<if condition="$show['customavatar']">
			<fieldset class="fieldset">
				<legend>$vbphrase[custom_avatar]</legend>

				<div style="padding:$stylevar[formspacer]px">
				<div class="fieldset">

				$vbphrase[have_custom_avatar_want_as_is]<br /><br />

				<label for="avatar_yes"><input type="radio" name="avatarid" value="0" id="avatar_yes" $avatarchecked[0] />$vbphrase[use_custom_avatar]</label><br /><br />

				$vbphrase[may_upload_custom_image_controls]<br /><br />


				<if condition="$show['customavatar_url']">$vbphrase[option_2_upload_image_from_computer]<else />$vbphrase[upload_image_from_computer]</if>
				<div style="padding:$stylevar[formspacer]px">
					<input type="file" class="bginput" name="upload" onchange="check_yes('avatar_yes')" size="45" />
				</div>

				<if condition="$show['maxnote']">
					$maxnote
				</if>

				</div>
				</div>
			</fieldset>
			</if>

		</div>
	</div>

	<div style="margin-top:$stylevar[cellpadding]px">
		<input type="submit" class="button" value="$vbphrase[save_changes]" accesskey="s" />
		<input type="reset" class="button" value="$vbphrase[reset_fields]" accesskey="r" />
	</div>
	</td>
</tr>
</table>

</form>
Then it'll stop that,
Also if you wish to edit profile pictures you can do so by the following, go back to Modify User Options Templates and find 'modifyprofilepic' again removing all the code and replacing it with
Code:
<form enctype="multipart/form-data" action="profile.php?do=updateprofilepic" method="post">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="updateprofilepic" />

<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">
<tr>
	<td class="tcat" colspan="2">$vbphrase[edit_profile_picture]</td>
</tr>
<tr>
	<td class="panelsurround" align="center">
	<div class="panel">
		<div style="width:$stylevar[formwidth_usercp]" align="$stylevar[left]">

			<fieldset class="fieldset">
				<legend>$vbphrase[your_current_profile_picture]</legend>
				<table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0">
				<tr valign="top">
					<if condition="!$show['profilepic']">
					<td class="alt1" style="border:1px inset; padding:$stylevar[cellpadding]px">
					<span class="smallfont">$vbphrase[no_profile_picture]</span>
					</td>
					<else />
						<td class="smallfont">
						<img src="$bbuserinfo[profileurl]" alt="$vbphrase[your_profile_picture]"  border="0" />
						</td>
					</if>
					<td class="smallfont">
						<div style="margin-bottom:$stylevar[formspacer]px">$vbphrase[profile_picture_desc]</div>
						<if condition="$show['profilepic']"><div style="margin-bottom:$stylevar[formspacer]px"><label for="profilepic"><input type="checkbox" name="deleteprofilepic" value="1" id="profilepic" />$vbphrase[delete_current_image]</label></div></if>
					</td>
				</tr>
				</table>
			</fieldset>


			<fieldset class="fieldset">
				<legend>$vbphrase[custom_profile_picture]</legend>

				<div style="padding:$stylevar[formspacer]px">
				<div class="fieldset">

				$vbphrase[may_upload_custom_image_controls]<br /><br />

				<if condition="$show['profilepic_url']">$vbphrase[option_2_upload_image_from_computer]<else />$vbphrase[upload_image_from_computer]</if>
				<div style="padding:$stylevar[formspacer]px">
					<input type="file" class="bginput" name="upload" size="45" />
					<input type="hidden" name="MAX_FILE_SIZE" value="$inimaxattach" />
				</div>

				<if condition="$show['maxnote']">
					$maxnote
				</if>

				</div>
				</div>
			</fieldset>

		</div>
	</div>

	<div style="margin-top:$stylevar[cellpadding]px">
		<input type="submit" class="button" value="$vbphrase[save_changes]" accesskey="s" />
		<input type="reset" class="button" value="$vbphrase[reset_fields]" accesskey="r" />
	</div>
	</td>
</tr>
</table>

</form>
Elaborating on Ozzy's post
Quote:
Many rent-a-DDoS packages will include a Cloudflare resolver feature and there are online resolver tools.

As with any proxy, the attacker can also trace it back via FTP and MX subdomains (which are not handled by CF proxy)

Now saying that, it may still be a good idea to hide your IP through Cloudfare, if you are experiencing issues, but don't think one you do, you will be 100% safe.

Originally Posted by Ua|Eight View Post
currently, running a traceroute is only showing cloudflare's IPs
Well that's a good thing.
Not true, if you remove all DNS records apart from A and Cname WWW and filter both through Cloudflare it is impossible to get your site IP, although granted you will need to disable vBulletin mail so that it doesn't send headers, unless you deliver mail through a service like Hotmail or Gmail.
I've managed to hide my IP on many of my forums and they're almost 'DDoS' proof. NO-one has found a way past it yet, I'm glad to say it works.

Any trouble just PM me
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 01:25 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.05092 seconds
  • Memory Usage 2,253KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_code
  • (5)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (8)post_thanks_box
  • (2)post_thanks_box_bit
  • (8)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (2)post_thanks_postbit
  • (8)post_thanks_postbit_info
  • (8)postbit
  • (8)postbit_onlinestatus
  • (8)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete