[3.X] How to remove image upload URLs?

#1  Ua|Eight (Join Date: Sep 2012, Posts: 21)  03-16-2014, 02:43 PM

Example of what I'm talking about:
[screenshot not preserved in the archive]

The reasoning behind this is because I'm trying to mask my forum's true IP with CloudFlare, but with this method: http://www.madleets.com/Thread-Bypas...IP-from-forums , people will be able to get the IP.

On the topic, what other methods do you guys know of within 3.X that would allow somebody to identify the IP? I've covered the SMTP with Amazon SES, but I'm sure there are other methods that I'm still vulnerable to.

#2  blind-eddie (Join Date: Apr 2006, Location: Michigan, Posts: 2,310)  03-16-2014, 11:08 PM

You can edit permissions to not allow URL images... but that will not have any effect in stopping anyone from getting your IP.
Anyone can ping your site to find the IP.

#3  ozzy47 (Join Date: Jul 2009, Location: USA, Posts: 10,929)  03-16-2014, 11:09 PM

They could also run a tracert to the site, and get the true IP.

#4  Ua|Eight (Join Date: Sep 2012, Posts: 21)  03-16-2014, 11:18 PM

Quote (Originally Posted by blind-eddie):
    You can edit permissions to not allow URL images... but that will not have any effect in stopping anyone from getting your IP.
    Anyone can ping your site to find the IP.

How would they ping my site and bypass all of the Cloudflare masks?

--------------- Added later (timestamp 1395011999) ---------------

Quote (Originally Posted by ozzy47):
    They could also run a tracert to the site, and get the true IP.

Currently, running a traceroute is only showing Cloudflare's IPs.

#5  blind-eddie (Join Date: Apr 2006, Location: Michigan, Posts: 2,310)  03-16-2014, 11:25 PM

If that is the case, why worry about the URL images?

They only use one IP for many sites on cloudflare? I have no idea if they do.

#6  ozzy47 (Join Date: Jul 2009, Location: USA, Posts: 10,929)  03-16-2014, 11:32 PM

Your original IP can still be uncovered.

Many rent-a-DDoS packages will include a Cloudflare resolver feature, and there are online resolver tools.

As with any proxy, the attacker can also trace it back via FTP and MX subdomains (which are not handled by the CF proxy).

Now saying that, it may still be a good idea to hide your IP through Cloudflare if you are experiencing issues, but don't think that once you do, you will be 100% safe.

Quote (Originally Posted by Ua|Eight):
    Currently, running a traceroute is only showing Cloudflare's IPs.

Well, that's a good thing.

#7  Ua|Eight (Join Date: Sep 2012, Posts: 21)  03-17-2014, 09:46 AM

If I wanted to just remove the option for remote URLs on image uploads in places like signature/avatar/posts, how would I do that? Where would I look for the code in vBulletin's files?

--------------- Added later (timestamp 1395056047) ---------------

Quote (Originally Posted by ozzy47):
    Your original IP can still be uncovered.

    Many rent-a-DDoS packages will include a Cloudflare resolver feature, and there are online resolver tools.

    As with any proxy, the attacker can also trace it back via FTP and MX subdomains (which are not handled by the CF proxy).

No resolvers that I've tested (20+) have found the IP; the ftp and mx subdomains return 'unknown host'.

#8  MatthewE (Join Date: Dec 2013, Posts: 6)  03-17-2014, 11:33 PM

To do so, go to your theme settings in the Style Manager.
I'll walk you through it.

Go to the style you want to edit and open 'Edit Templates';
find 'Modify User Option Templates'.

Within there you'll find 'modifyavatar'.
Open it and replace ALL the code with:
Code:
<script type="text/javascript">
<!--
function check_yes(objid)
{
	yes = fetch_object(objid);
	if (yes)
	{
		yes.checked = true;
	}
}

<if condition="$show['categories']">
function switch_avatar_category()
{
	selobj = fetch_object("avatar_category_select");
	window.location = "profile.php?$session[sessionurl_js]do=editavatar&categoryid=" + selobj.options[selobj.selectedIndex].value;
}
</if>
//-->
</script>

<form enctype="multipart/form-data" action="profile.php?do=updateavatar" method="post">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="updateavatar" />

<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">
<tr>
	<td class="tcat">$vbphrase[edit_avatar]</td>
</tr>
<tr>
	<td class="panelsurround" align="center">
	<div class="panel">
		<div style="width:$stylevar[formwidth_usercp]" align="$stylevar[left]">

			<fieldset class="fieldset">
				<legend>$vbphrase[your_current_avatar]</legend>
				<table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0">
				<tr valign="top">
					$currentavatar
					<td class="smallfont">
						<div style="margin-bottom:$stylevar[formspacer]px">$vbphrase[avatars_small_graphics_short]</div>
						<div style="margin-bottom:$stylevar[formspacer]px"><label for="rb_avatarid_no"><input type="radio" name="avatarid" value="-1" id="rb_avatarid_no" $nouseavatarchecked />$vbphrase[do_not_use_an_avatar]</label></div>
						<div>$vbphrase[note_have_custom_avatar_delete]</div>
					</td>
				</tr>
				</table>
			</fieldset>

			<if condition="$show['forumavatars']">
			<fieldset class="fieldset">
				<legend><phrase 1="$categoryname">$vbphrase[predefined_x]</phrase></legend>
				<table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0" width="100%">
				<tr>
					<td colspan="$cols">
						<if condition="$show['categories']">
						$vbphrase[avatar_category]:<br />
						<select name="categoryid" id="avatar_category_select" onchange="switch_avatar_category()">$categorybits</select>
						<input type="button" value="$vbphrase[go]" class="button" onclick="switch_avatar_category()" />
						</if>
					</td>
				</tr>
				<tr>
					<td colspan="$cols">$vbphrase[may_select_predefined_as_avatar]</td>
				</tr>
				$avatarlist
				<if condition="$show['pagenav']">
				<tr valign="bottom">
					<td colspan="$cols">
						$pagenav
					</td>
				</tr>
				</if>
				</table>
			</fieldset>
			</if>

			<if condition="$show['customavatar']">
			<fieldset class="fieldset">
				<legend>$vbphrase[custom_avatar]</legend>

				<div style="padding:$stylevar[formspacer]px">
				<div class="fieldset">

				$vbphrase[have_custom_avatar_want_as_is]<br /><br />

				<label for="avatar_yes"><input type="radio" name="avatarid" value="0" id="avatar_yes" $avatarchecked[0] />$vbphrase[use_custom_avatar]</label><br /><br />

				$vbphrase[may_upload_custom_image_controls]<br /><br />


				<if condition="$show['customavatar_url']">$vbphrase[option_2_upload_image_from_computer]<else />$vbphrase[upload_image_from_computer]</if>
				<div style="padding:$stylevar[formspacer]px">
					<input type="file" class="bginput" name="upload" onchange="check_yes('avatar_yes')" size="45" />
				</div>

				<if condition="$show['maxnote']">
					$maxnote
				</if>

				</div>
				</div>
			</fieldset>
			</if>

		</div>
	</div>

	<div style="margin-top:$stylevar[cellpadding]px">
		<input type="submit" class="button" value="$vbphrase[save_changes]" accesskey="s" />
		<input type="reset" class="button" value="$vbphrase[reset_fields]" accesskey="r" />
	</div>
	</td>
</tr>
</table>

</form>
Then it'll stop that.
Also, if you wish to edit profile pictures, you can do so as follows: go back to Modify User Option Templates and find 'modifyprofilepic', again removing all the code and replacing it with:
Code:
<form enctype="multipart/form-data" action="profile.php?do=updateprofilepic" method="post">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="updateprofilepic" />

<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">
<tr>
	<td class="tcat" colspan="2">$vbphrase[edit_profile_picture]</td>
</tr>
<tr>
	<td class="panelsurround" align="center">
	<div class="panel">
		<div style="width:$stylevar[formwidth_usercp]" align="$stylevar[left]">

			<fieldset class="fieldset">
				<legend>$vbphrase[your_current_profile_picture]</legend>
				<table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0">
				<tr valign="top">
					<if condition="!$show['profilepic']">
					<td class="alt1" style="border:1px inset; padding:$stylevar[cellpadding]px">
					<span class="smallfont">$vbphrase[no_profile_picture]</span>
					</td>
					<else />
						<td class="smallfont">
						<img src="$bbuserinfo[profileurl]" alt="$vbphrase[your_profile_picture]"  border="0" />
						</td>
					</if>
					<td class="smallfont">
						<div style="margin-bottom:$stylevar[formspacer]px">$vbphrase[profile_picture_desc]</div>
						<if condition="$show['profilepic']"><div style="margin-bottom:$stylevar[formspacer]px"><label for="profilepic"><input type="checkbox" name="deleteprofilepic" value="1" id="profilepic" />$vbphrase[delete_current_image]</label></div></if>
					</td>
				</tr>
				</table>
			</fieldset>


			<fieldset class="fieldset">
				<legend>$vbphrase[custom_profile_picture]</legend>

				<div style="padding:$stylevar[formspacer]px">
				<div class="fieldset">

				$vbphrase[may_upload_custom_image_controls]<br /><br />

				<if condition="$show['profilepic_url']">$vbphrase[option_2_upload_image_from_computer]<else />$vbphrase[upload_image_from_computer]</if>
				<div style="padding:$stylevar[formspacer]px">
					<input type="file" class="bginput" name="upload" size="45" />
					<input type="hidden" name="MAX_FILE_SIZE" value="$inimaxattach" />
				</div>

				<if condition="$show['maxnote']">
					$maxnote
				</if>

				</div>
				</div>
			</fieldset>

		</div>
	</div>

	<div style="margin-top:$stylevar[cellpadding]px">
		<input type="submit" class="button" value="$vbphrase[save_changes]" accesskey="s" />
		<input type="reset" class="button" value="$vbphrase[reset_fields]" accesskey="r" />
	</div>
	</td>
</tr>
</table>

</form>
Elaborating on Ozzy's post:
Quote (Originally Posted by ozzy47):
    Many rent-a-DDoS packages will include a Cloudflare resolver feature, and there are online resolver tools.

    As with any proxy, the attacker can also trace it back via FTP and MX subdomains (which are not handled by the CF proxy).

    Now saying that, it may still be a good idea to hide your IP through Cloudflare if you are experiencing issues, but don't think that once you do, you will be 100% safe.

    Quote (Originally Posted by Ua|Eight):
        Currently, running a traceroute is only showing Cloudflare's IPs.

    Well, that's a good thing.

Not true: if you remove all DNS records apart from the A record and the www CNAME, and filter both through Cloudflare, it is impossible to get your site's IP, although granted you will need to disable vBulletin mail so that it doesn't send headers, unless you deliver mail through a service like Hotmail or Gmail.
I've managed to hide my IP on many of my forums and they're almost 'DDoS' proof. No one has found a way past it yet; I'm glad to say it works.

Any trouble, just PM me.
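A self-audit of the two exposure paths ozzy47 and MatthewE describe above (zone records that are not behind the proxy, and outbound mail headers that carry the server's address), written as an added example for this thread; it is not code from the thread or from vBulletin. The domain example.org, the origin address 203.0.113.10, the zone records and the mail header sample are all constructed, and Cloudflare's "orange cloud" is modelled as a per-record `proxied` flag. It runs offline against that data only.

```python
"""Origin-address exposure audit for a forum fronted by Cloudflare (added example).

Checks, against data you control:
  1. DNS records that are not proxied (ftp, mail hosts behind MX, SPF text) and so
     publish the origin address.
  2. Outbound mail headers (Received, X-Originating-IP) that carry the origin
     address when the forum host sends mail directly.
All inputs below are constructed; nothing is queried over the network.
"""
import re
from dataclasses import dataclass

# Hypothetical origin address from the TEST-NET-3 documentation range.
ORIGIN_IP = "203.0.113.10"


@dataclass
class Record:
    name: str
    rtype: str
    value: str
    proxied: bool = False  # True: Cloudflare answers with its own edge addresses


# Constructed zone for a hypothetical forum at example.org.
ZONE = [
    Record("example.org", "A", ORIGIN_IP, proxied=True),
    Record("www.example.org", "CNAME", "example.org", proxied=True),
    Record("ftp.example.org", "A", ORIGIN_IP),                     # unproxied
    Record("example.org", "MX", "mail.example.org"),               # MX is never proxied
    Record("mail.example.org", "A", ORIGIN_IP),                    # unproxied
    Record("example.org", "TXT", "v=spf1 ip4:203.0.113.10 -all"),  # origin in SPF text
]

# Constructed headers of a notification mail sent straight from the forum host.
MAIL_HEADERS = (
    "Received: from forum.example.org (forum.example.org [203.0.113.10])\n"
    "    by mx.provider.example (Postfix) with ESMTPS id 0123ABC\n"
    "    for <member@example.net>; Sun, 16 Mar 2014 23:19:59 +0000\n"
    "X-Originating-IP: [203.0.113.10]\n"
    "From: forum@example.org\n"
    "Subject: Reply to subscribed thread\n"
)


def contains_ip(text, ip):
    """True if `ip` occurs in `text` as a whole address, not as a prefix of a longer one."""
    return re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", text) is not None


def resolve_in_zone(zone, name, depth=0):
    """Addresses `name` publishes, following CNAMEs inside the zone.

    Proxied records are skipped: their published answer is a Cloudflare edge
    address, never the origin, so they contribute nothing to the leak check.
    """
    if depth > 8:  # guard against CNAME loops in a malformed zone
        return set()
    addresses = set()
    for r in zone:
        if r.name != name or r.proxied:
            continue
        if r.rtype in ("A", "AAAA"):
            addresses.add(r.value)
        elif r.rtype == "CNAME":
            addresses |= resolve_in_zone(zone, r.value, depth + 1)
    return addresses


def find_dns_leaks(zone, origin_ip):
    """Describe every record through which a client can learn origin_ip."""
    leaks = []
    for r in zone:
        if r.rtype in ("A", "AAAA", "CNAME"):
            if r.proxied:
                continue
            targets = {r.value} if r.rtype != "CNAME" else resolve_in_zone(zone, r.value)
            if origin_ip in targets:
                leaks.append(f"{r.name} {r.rtype} {r.value}: unproxied, reaches origin")
        elif r.rtype == "MX" and origin_ip in resolve_in_zone(zone, r.value):
            leaks.append(f"{r.name} MX {r.value}: mail host resolves to origin")
        elif r.rtype == "TXT" and contains_ip(r.value, origin_ip):
            leaks.append(f"{r.name} TXT: origin address written into record data")
    return leaks


def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines back onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def find_mail_header_leaks(raw_headers, origin_ip):
    """Names of headers whose value carries origin_ip."""
    return [name.strip() for name, sep, value in
            (line.partition(":") for line in unfold_headers(raw_headers))
            if sep and contains_ip(value, origin_ip)]


if __name__ == "__main__":
    for leak in find_dns_leaks(ZONE, ORIGIN_IP):
        print("DNS :", leak)
    for header in find_mail_header_leaks(MAIL_HEADERS, ORIGIN_IP):
        print("MAIL:", header, "header carries the origin address")
```

Run against the constructed zone it reports the ftp and mail A records, the MX that leads to the mail host, and the SPF TXT, while the proxied root A and www CNAME pass; the header check flags Received and X-Originating-IP, which is why MatthewE's advice to route mail through an external provider (or disable forum mail) matters as much as the DNS cleanup.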
All times are GMT. The time now is 08:15 PM.
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.