bluegman991 Posted November 18, 2009 Posted November 18, 2009 well its pretty much the same as the avatar attack u can put a php script in between the or <img> and </img> and put it in their profile or post it in a forum and it will run the script each time the thread/profile is viewed how should we go about fixing this? if this has already been mentioned please direct me to a topic that will help me fix this Quote
Joshua Posted November 18, 2009 Posted November 18, 2009 mysql_real_escape_string the spot where they Input the Data Then the place that the data is Output htmlentities. Secure your scripts and shouldnt have a prob :D Also if you have MTG's Forums they already stop that as the output is secured. Gl Quote
bluegman991 Posted November 18, 2009 Author Posted November 18, 2009 that changes everything to text so it doesnt show wats suppose to be bbcoded Quote
Joshua Posted November 18, 2009 Posted November 18, 2009 This hack goes along the same lines of the display pic hack / session hi-jack. Quote
Joshua Posted November 18, 2009 Posted November 18, 2009 Try using getimagesize :P Validate that it's an image Quote
bluegman991 Posted November 18, 2009 Author Posted November 18, 2009 lol ok will try to fix something up using the get image size Quote
Zero-Affect Posted November 18, 2009 Posted November 18, 2009 lol didn't i post on this about 2 weeks ago... This is old depends on your definition of image hacking really i guess. I did comment on how easily display image is to hack even way more advanced that this method:) im sure you will be enlightened by it. link : Exploits Quote
Joshua Posted November 19, 2009 Posted November 19, 2009 Just the same zero, if you getimagesize even if it's an offsite link, it won't upload, at least it shouldnt. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.