Major Additions - VB image Hosting

VB Image Hosting Version 1.0.1

This is the port for my hack to vb 3.6.x
check it for vb 3.5.x here

A New installer replaced the old one so you should not face any problems with database

NOTE :
People who were using vbimghost in vb 3.5.x and moved to vb 3.6.0 MAKE sure that you have vbimghost 1.4.1 Since this port will only support upgrading from that ver only
People who do a fresh install use this ver.

Requirements:

1. requires GD 2.0.1 or later (2.0.28 or later is recommended).
2. PHP ver 4.3.x or later (newer ver is better).

Introduction:

What does it do ?

VB Image Hosting is a similar feature to imageshak and photopoket and online free image hosting, but this is for your members. it will allow them to upload and host their images on your servers, you can still manage the permissions and set the number of files for each group.

Main Features:

• Image hosting
• Restrict # of file upload for each group
• Allow/disallow group from upload
• Restrict file uploaded based on file extension, dimensions and size
• Users can manage their uploaded files
• Users can set the view permission for each uploaded images
• Admin can mange all members images
• Admin can set the number of images/users per page.
• Admin can mange images uploaded by the members
• Admin can set the default upload permission
• Thumbnail system admin can turn it on/off.
• Allow multiple uploads.
• Admin can set upload slots for each group
• Admin can recreate thumbnails from admin cp
• Fully using the phrase system.

Time required to install

• 1- 2 min max.

Update instruction :
Just replace the old files with the new ones and import the product file don't forget to select overwrite.

History:

1.0.0:

• inital release contains everytverg in 1.4.1 ver.

1.0.1:

• Fix security bug with delete image.
• fix some minor mysql problems.

Download Tracking:
1.0.0 : 3886


Known Issues:

no known issues.

Screen shscreenshot.zip

screenshot.zip.

NOTE:
before you post any error here :
Set that path to your forums correctly in the vbimghost options.
if you getting the error ""supplied argument is not a valid"
that's because you didn't set the path correctly

And for all the people asking when is the next release it will be in 2007 not this month .. due to some problems in real life ..



URGENT ISSUES:

you may contact me on msn id : waiel[at]waieleid.com
replace [at] with @ ok? -_-

[oatsy]

Sorry, for some reason I was thinking there'd be a change log here to show reasons for updating from 1.3.1 to 1.4.1 or this current version. Just realised 1.3.1 was for VB 3.5 and the changelog is in there ok.

Looks as though one of the mods was indeed to prevent non-image files being uploaded. I'd be grateful if someone could confirm this could well have been my problem but that this current version is safe?

Thanks

[digital3]

Quote:

Originally Posted by flypaper

^You people (or your host) are doing something wrong. It isn't the hack...

Well, It's my server but if you see any reason why I get a blank page after trying to upload images here I am all ears

[digital3]

Never mind I fixed it. The memory limit in php was set too low.

[fly]

Quote:

Originally Posted by oatsy

Had a 3.6.4 forum hacked (as in Turkish hackers, not as in a deliberate VB mod) a couple of days ago with a hack called cmdhack, and there are some signs that it came in through a previous version of Image Hosting - version 1.3.1. I was looking here to see what the most current version is. I see 1.3.1 is outdated but I'm not sure if the recent updates change anything about security (if indeed Image Hosting was the way they got in.

The reason I think Image Hosting may have been the route in is because there were 3 new files appeared in the 'imagehosting' directory at about the time the site was hacked. There should only be image files and an index.html (with nothing in it) in there, but we had a new index file plus 2 php files. Couldn't open any of them by ftp for editing - access denied. We were able to delete the folder and replace it with a backup and the forums are up and running again now once we fixed the problem in the db - see below.

I'm still puzzled about how those files got there though. The Image Hosting feature is set to a) only accept jpg, gif, png, and bmp files. I've tried txt files etc and it won't accept them. b) only trusted members of the forum are enabled on the Image Hosting system - general public don't have permissions. All forums have HTML disabled.

I've disabled the Image Hosting hack from all users for now. I'd appreciate any thoughts on how this might have happened. Can a script be disguised as an image file? Could one of the trusted members have innocently uploaded what he thought was a clean image file but was actually the hacker's script?

I'd like to keep Image Hosting on the site because it's a terrific hack.

What happens with this cmdhack is that as soon as the forums try to load you get redirected straight to a page on the hackers site ('Turkish Hackers blah blah' rubbish).

If you do get caught with it, it's easy to get rid off as long as you have access to phpmyadmin:

Long story short ... the hack changed a couple of fields in the top level publicly accessible forum (the Category in other words). The Title field text was replaced with a refresh command and the description field had the URL details to the hackers page. As soon as the forums load the refresh/redirect command kicks you to the hackers URL after a second or two.

No new pages were added to the site - the 'You've been hacked' page was on the hackers remote site. Easy enough to fix by going into phpmyadmin, listing the 'forum' table and look for the forum that has the wrong info in it. Replace the hackers text with the correct text and off you go. You can't edit it in the admin cp because as soon as you try to list the forums in Forum Manager the redirect kicks in again.

Thanks

Wow. I wonder how files are checked before being uploaded. This is NOT good.

[digital3]

The funny part is that hackers don't even have to check to see who has what mods installed. LOL They just come here, look in these threads and then hammer us .

[Been Told]

Quote:

Originally Posted by digital3

The funny part is that hackers don't even have to check to see who has what mods installed. LOL They just come here, look in these threads and then hammer us .

How can they, if you don't have your site's URL in the profile (which I do not, for that very reason)...

Very nice hack by the way!
But I'm unsure about installing this - maybe the developer can make a statement in regards to what oatsy said? That'd make my decision easier.

[dip1232001]

Quote:

Warning: imagecreatefromjpeg(/home/user/public_html/imagehosting/145e6e6fc5ab1f.jpg) [function.imagecreatefromjpeg]: failed to open stream: No such file or directory in /includes/vbimghost_include.php on line 175

Warning: imagesx(): supplied argument is not a valid Image resource in /includes/vbimghost_include.php on line 176

Warning: imagesy(): supplied argument is not a valid Image resource in /includes/vbimghost_include.php on line 176

Warning: imagecreatetruecolor() [function.imagecreatetruecolor]: Invalid image dimensions in /includes/vbimghost_include.php on line 176

Warning: imagesx(): supplied argument is not a valid Image resource in /includes/vbimghost_include.php on line 177

Warning: imagesy(): supplied argument is not a valid Image resource in /includes/vbimghost_include.php on line 177

Warning: imagecopy(): supplied argument is not a valid Image resource in /includes/vbimghost_include.php on line 177

Warning: imagecolorallocate(): supplied argument is not a valid Image resource in /includes/vbimghost_include.php on line 189

Warning: imagesx(): supplied argument is not a valid Image resource in /includes/vbimghost_include.php on line 198

Warning: imagesy(): supplied argument is not a valid Image resource in /includes/vbimghost_include.php on line 199

Warning: imagestring(): supplied argument is not a valid Image resource in /includes/vbimghost_include.php on line 201

Warning: imagejpeg(): supplied argument is not a valid Image resource in /includes/vbimghost_include.php on line 209

Warning: imagedestroy(): supplied argument is not a valid Image resource in /includes/vbimghost_include.php on line 210

these are the errors i am getting though the images are uploading ....and it happened when i edit the setting of the image host and uploaded i just increased the dimention and the image size.....

[Merriweather]

Quote:

Originally Posted by Been Told

But I'm unsure about installing this - maybe the developer can make a statement in regards to what oatsy said? That'd make my decision easier.

The developer has not posted since early December 2006 and has ignored a PM I sent for support on this mod. My guess is that it is no longer supported.

Without knowing what file the hackers used and how the files got there, I think it's unfair to assume it was the cause of this mod, though I also respect the need for clarification on the mod's security.

I have tested my personal installation of this mod and am not able to upload a .php, .html or .htaccess file.

My guess is that the hackers hit oatsey some other way, and that the folder holding oatsey's hosted images has been CHMODED to 777 (all permissions to all groups) which in itself is a security risk. You're better off using 755. On a shared server, nothing should ever be world-writable with mode 666 or 777. Doing so can potentially allows other users of the server to change your files. A hacker may have uploaded a bona-fide image file through the mod and then hacked the file through the server, which is not a problem with the mod itself.

Of course, I have no proof of this, but in my experience, you cannot use this mod to upload anything other than images.

[EvilLestat]

QUITE nice. Thank you VERY much for such an excellet hack.

This has made my forums very happy.

[OffRoadManiac]

will this work with 3.6.5?