Welcome to Geeklog Saturday, October 19 2019 @ 08:37 pm EDT

Geeklog Forums

GL Mythbusters, Episode 1


Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location: Stuttgart, Germany
grumpy
Dear "Headless", please learn to read or simply refuse to comment any further ... To quote myself from above:
2) Regarding the image upload: As Markus said, it's simply that this was never considered important enough to do anything about it. There is no security issue here (at least not more than with the upload of userphotos) and I doubt anyone from the core team ever made such a statement.

And, again, the quote from Blaine was about something else - but I already wrote that above, too.

bye, Dirk

Headless

Anonymous
Shall this go on and on until I am proved a liar :)

To quote Blaine from the same post:
There is for example an exploit where a user may upload HTML code that is embedded in an image file and could execute a cross site script.
A user named Lopez asked (to which there was no reply):
Thanks Blaine. Actually core GL does NOT always filter this out, for example the profile page allows user photo upload. By the same logic as yours a user may use this for an exploit!!
Thus it is not quite logical to me as to what you say. BTW how do gallery scripts handle the security issue then??


That keeps you wondering: what! HTML code embedded in an image file! And how can it be embedded in an image attached to a story and not to a profile? 8)

Dirk

Site Admin
angelic
This is yet another issue (and one that I was already hinting at with the "There is no security issue here (at least not more than with the upload of userphotos)" remark above).

You can embed PHP in images. If you then somehow manage to run those images through the PHP interpreter, you have a security issue. But that requires another vulnerability in the software - so as long as you don't have that, PHP in image files is not an issue (I don't think there's a problem with embedded HTML - but I've learned never to say "never" when it comes to security issues ...).

I would be more worried about denial of service-type issues with the image upload in stories (as opposed to the userphoto, of which there is only one and it requires an account). Or someone uploading porn or copyrighted stuff ...

Are we done now or do you have any other quotes that you want to blow completely out of proportion?

bye, Dirk
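
As an added illustration of the point in Dirk's post above (PHP embedded in an image is harmless until something runs the file through the PHP interpreter) and of Blaine's earlier remark about HTML embedded in an image, here is an example that is not from this thread and not Geeklog code. It builds a GIF/PHP polyglot and runs it through three upload checks; it is written in Python rather than PHP so it can be run stand-alone. The GIF bytes and the PHP payload are constructed for the example, and the function names (`make_polyglot`, `passes_magic_check`, `gif_image_end`, `accept_upload`, `stored_filename`) are the example's own, not Geeklog functions. It assumes the usual failure mode Dirk alludes to: a webserver that picks the PHP handler by file extension or path, so that an upload which lands in the wrong place gets executed.

```python
"""Added example (not Geeklog code): GIF/PHP polyglot versus three upload checks."""
import re
import secrets
import struct

# Constructed minimal 1x1 GIF89a: header, logical screen descriptor, 2-entry
# global colour table, image descriptor, LZW data (clear, pixel 0, end), trailer.
MINIMAL_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)        # 1x1, global colour table flag set
    + b"\x00\x00\x00\xff\xff\xff"                    # colour table: black, white
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)  # image descriptor, no local table
    + b"\x02\x02\x44\x01\x00"                        # LZW min code size 2, one data block
    + b"\x3b"                                        # GIF trailer
)

# Constructed, harmless marker payload; a real one would do more than echo.
PHP_PAYLOAD = b"<?php echo 'polyglot'; ?>"


def make_polyglot(image=MINIMAL_GIF, payload=PHP_PAYLOAD):
    """Append PHP after the GIF trailer. Image decoders ignore trailing bytes;
    the PHP interpreter would print the binary prefix and then run the payload."""
    return image + payload


def passes_magic_check(data):
    """What a getimagesize()-style validation sees: signature plus screen size.
    The polyglot passes this check, which is the point."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    width, height = struct.unpack("<HH", data[6:10])
    return width > 0 and height > 0


def gif_image_end(data):
    """Walk the GIF block structure and return the offset just past the trailer,
    or None if the structure is malformed. Anything beyond that offset is not image data."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None

    def skip_sub_blocks(p):
        while p < len(data):
            size = data[p]
            p += 1
            if size == 0:
                return p
            p += size
        return None

    pos = 13
    flags = data[10]
    if flags & 0x80:                       # global colour table: 3 * 2^(n+1) bytes
        pos += 3 * (2 << (flags & 0x07))
    while pos is not None and pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                  # trailer
            return pos
        if block == 0x2C:                  # image descriptor
            if pos + 9 > len(data):
                return None
            lflags = data[pos + 8]
            pos += 9
            if lflags & 0x80:              # local colour table
                pos += 3 * (2 << (lflags & 0x07))
            pos = skip_sub_blocks(pos + 1)  # skip LZW min code size, then data blocks
        elif block == 0x21:                # extension: label byte, then sub-blocks
            pos = skip_sub_blocks(pos + 1)
        else:
            return None
    return None


def has_trailing_data(data):
    end = gif_image_end(data)
    return end is not None and end < len(data)


# Heuristic only: PHP open tags and HTML tags that matter for the XSS case.
CODE_MARKERS = re.compile(rb"<\?php|<\?=|<script\b|<html\b", re.IGNORECASE)


def contains_embedded_code(data):
    return CODE_MARKERS.search(data) is not None


def accept_upload(data):
    """All three checks must pass; the structural walk is the one that does not rely on guessing."""
    return (passes_magic_check(data)
            and not has_trailing_data(data)
            and not contains_embedded_code(data))


def stored_filename(data):
    """Ignore the user-supplied name entirely: server-chosen name, extension from the
    detected type. Store it in a directory the PHP handler is never mapped to."""
    if not passes_magic_check(data):
        raise ValueError("not a GIF")
    return secrets.token_hex(8) + ".gif"


if __name__ == "__main__":
    poly = make_polyglot()
    print("magic check passes:", passes_magic_check(poly))
    print("bytes after trailer:", has_trailing_data(poly))
    print("code markers found:", contains_embedded_code(poly))
    print("accepted:", accept_upload(poly))
```

The magic-byte check accepts the polyglot, which is exactly why a signature-only test proves nothing about what the file contains; the structural walk finds bytes after the trailer, and the marker scan catches the open tag (at the cost of the odd false positive on a genuine image). Whichever check is used, the control that actually closes the issue is the one Dirk describes: the upload must never reach the PHP interpreter, so store it under a server-chosen name and extension, outside any path the handler serves.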

Dirk

Site Admin
embarrassed
Headless, your latest posts were rejected as spam due to the use of the word "porno". I have removed that word from our blacklist now. Sorry about that.

I'm reproducing your first rejected post below:

Quote by: Headless

I meant allowing users with an account but not giving them any special rights to attach at least one image with a story submission. Copyright icons or porno miniatures or code or whatever can still be uploaded via user photo, since it is after all an image :) Thus the search for logic in what GL does w.r.t. is still on!

I do not think I have blown anything out of proportion, and to the core member who made a post mimicking my name and to others, just a reminder that this is a feedback forum.

Whether we are done or not is absolutely the decision of respectable core and registered members.

So cheers and enjoy your Sunday 8)


Anonymous
I meant allowing users **with an account** but not giving them any special rights to attach at least one image with a story submission. Copyright icons or porno miniatures or code or whatever can still be uploaded via user photo if someone wants to, according to you, since it is after all an image!! Thus the search for logic in what GL does w.r.t. is still on!

I do not think I have blown anything **out of proportion**, and to the core member who made a post mimicking my name and to others, just a reminder that this is a **feedback** forum.

Whether we are done or not is absolutely the decision of respectable core and registered members.
So cheers and enjoy your Sunday 8)

Dirk

Site Admin
Quote by:
Thus the search for logic in what GL does w.r.t. is still on!


I don't get it. Everything has already been explained to you above - repeatedly and in painstaking detail. And you're wondering why people don't take you seriously or consider you a troll?

bye, Dirk
