Zeggy Posted March 17, 2010

    function imagefix($s) {
        // Keep the URL only if it is absolute (http://) and not hosted on this site
        if (stripos($s, 'http://') === 0 && stripos($s, 'yoursite.com') === false)
            return $s;
        else
            return '';
    }

    // preg_replace_callback is needed here: $1 cannot be passed to a PHP function directly
    $text = preg_replace_callback("/\[img=(.+?)\]/", function ($m) { return imagefix($m[1]); }, $text);

This makes sure every image URL begins with 'http://'. I believe this is the only actual solution to the problem after reading this thread for a while now... Any other solutions (checking extension, checking image size) can all be circumvented since the images are hosted off-site. You cannot control how those files are served or how those files will change over time. Checking that the image is hosted externally, not on your website, will make sure they can't just include logout.php (as in crimgame's example). The best solution would just be to only allow external images from accepted image hosts.

Note: This implementation is really bad, I just wrote it up in like 10 seconds. Obviously this particular implementation means they won't be able to link to images hosted on your site, if you're hosting images or stuff. If anybody wants to improve it then feel free, the concept is more important.
Zero-Affect Posted March 17, 2010

Would not something similar to this work?

    <?php
    $img = 'http://static.php.net/www.php.net/images/php.gif';
    $parseURL = parse_url(trim($img));
    // Use the host if there is one, otherwise fall back to the first path segment
    if (!empty($parseURL['host'])) {
        $img_host = trim($parseURL['host']);
    } else {
        $parts = explode('/', isset($parseURL['path']) ? $parseURL['path'] : '', 2);
        $img_host = trim(array_shift($parts));
    }
    $img = in_array($img_host, array('imageshack', 'photobucket')) ? $img : 'Broken image.';
    ?>

I just knocked that up and didn't test it, so I'm sure I'm wrong lol, but roughly it's: if the hostname isn't imageshack or photobucket it will return with 'Broken image.' You could in fact add more onto it, checking the actual file type and image size...
Haunted Dawg Posted March 17, 2010

I do have to say, my fix was not the correct way. However, I am pulling this script from the engine of DeadlyKillah, it works, even seanybob has tried as I have let him try and we have managed to get it fixed, and I also have to say thanks to seany for the help on finding the exploit and directing me to a fix, anyways. This should work. I'm only providing the script, nothing more.

    if (!preg_match('~http://([\w-]+\.)+[\w-]+(/[\w- ./]*)+\.(?:gif|jpg|jpeg|png|bmp)~i', $picString)) {
        echo 'Invalid Image!';
        $h->endpage();
        exit;
    }

Work it out yourselves, and yes, it actually does work.
Zero-Affect Posted March 17, 2010

Would http://www.gamename.com/logout.php?x=.gif work... I think if I'm reading that correctly it would...
Dayo Posted March 18, 2010

You can also use a .htaccess rewrite to make .php .gif
Zero-Affect Posted March 18, 2010

So fail I guess, Kyle. The solution I posted, anyone checked it out?
Dayo Posted March 18, 2010

I will post the solution I use to secure the IMG bbcode tags when it is finally finished, just found a few bugs with it :s
chaoswar4u (Author) Posted March 18, 2010

Dayo, you're a star my friend. I'll look forward to your reply with the fix on it.
Djkanna Posted March 19, 2010

I wonder if this would be any use: http://www.ietf.org/rfc/rfc2396.txt

Specifically section B:

[..] "B. Parsing a URI Reference with a Regular Expression

As described in Section 4.3, the generic URI syntax is not sufficient to disambiguate the components of some forms of URI. Since the "greedy algorithm" described in that section is identical to the disambiguation method used by POSIX regular expressions, it is natural and commonplace to use a regular expression for parsing the potential four components and fragment identifier of a URI reference.

The following line is the regular expression for breaking-down a URI reference into its components.

    ^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?
     12            3  4          5       6  7        8 9

The numbers in the second line above are only to assist readability; they indicate the reference points for each subexpression (i.e., each paired parenthesis). We refer to the value matched for subexpression <n> as $<n>. For example, matching the above expression to" [..]

(edit) Quick Research:

    (?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*\.(?:jpg|gif|png))(?:\?([^#]*))?(?:#(.*))?

    ^https?://(?:[a-z\-]+\.)+[a-z]{2,6}(?:/[^/#?]+)+\.(?:jpg|gif|png)$

Source
Dayo Posted March 19, 2010

I use something like this, not sure if this is right (using my iPhone to copy/paste and post):

    // preg_replace_callback does what the old /e (eval) modifier did; /e is gone in newer PHP.
    // $this is available inside the closure because this runs inside the bbcode class.
    $post_bbcode_treated = preg_replace_callback(
        '/\[img\](.+?)\[\/img\]/',
        function ($m) {
            return "<img src='" . $this->secureimg($m[1]) . "' alt='User submitted image' title='User submitted image' />";
        },
        $code
    );

You will need to make a function secureimg(), but you could use something like:

    function secureimg($img) {
        // getimagesize() only returns an array when the URL points at a real image
        $img2 = @getimagesize($img);
        if (is_array($img2)) {
            return $img;
        } else {
            return 'images/broken.gif';
        }
    }

BTW - this is untested and could be wrong, I'm using my FTP on the go app to copy code and remove some code.
chaoswar4u (Author) Posted March 19, 2010

Unless I'm doing it wrong, Dayo, it does not work.
Dayo Posted March 19, 2010

Probably. When I get home I will fix it. What is your error?
chaoswar4u (Author) Posted March 19, 2010

To me it does not check anything. It executes the same as normal, including non-images.
chaoswar4u (Author) Posted March 20, 2010

Gee, we are all screwed, nothing works. Not telling me this issue has not been resolved anywhere. TC seems to have it patched. They seem to have it where if it's an image it works as normal, but if you enter a .php it kills the bb tag and loads just the text. Any help from anyone to resolve this?
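A version that combines the ideas in this thread (Zeggy's off-site check, Zero-Affect's host allow-list, the extension check behind Haunted Dawg's regex, Dayo's callback rewrite of the [img] tag, and the fall-back-to-plain-text behaviour chaoswar4u describes TC doing), written here as an added example and not code from any of the posts. It assumes the game is served from $ownHost and that $allowedHosts lists the only hosts allowed to serve images; secure_img_url and render_img_bbcode are names chosen for this example.

```php
<?php
// Added example (not from any post in this thread). Assumes the game runs on
// $ownHost and that only hosts in $allowedHosts may serve [img] images.
function secure_img_url($url, $ownHost, array $allowedHosts) {
    $url = trim($url);
    $p = parse_url($url);
    // Absolute http(s) URL only: no whitespace/quotes (it goes into an attribute), no user:pass@ or :port.
    if ($url === '' || preg_match('/[\s\'"<>]/', $url) || $p === false
        || !isset($p['scheme'], $p['host'], $p['path'])
        || isset($p['user']) || isset($p['pass']) || isset($p['port'])
        || !in_array(strtolower($p['scheme']), array('http', 'https'), true)) {
        return null;
    }
    $host = strtolower(rtrim($p['host'], '.'));
    // Never the game's own host: that is how [img]logout.php[/img] hits the viewer's session (Zeggy's point).
    if ($host === strtolower($ownHost)) {
        return null;
    }
    // Allow-listed host or a subdomain of one (Zero-Affect's idea, matched against real hostnames).
    $ok = false;
    foreach ($allowedHosts as $allowed) {
        $suffix = '.' . strtolower($allowed);
        if ($host === strtolower($allowed) || substr($host, -strlen($suffix)) === $suffix) {
            $ok = true;
        }
    }
    // Only the path is checked and only the path is kept, so "logout.php?x=.gif" cannot pass on its query string.
    if (!$ok || !preg_match('~^(?:/[\w.\-]+)+\.(?:gif|jpe?g|png)$~i', $p['path'])) {
        return null;
    }
    return $p['scheme'] . '://' . $host . $p['path'];
}

function render_img_bbcode($text, $ownHost, array $allowedHosts) {
    return preg_replace_callback('~\[img\](.+?)\[/img\]~is', function ($m) use ($ownHost, $allowedHosts) {
        $safe = secure_img_url($m[1], $ownHost, $allowedHosts);
        if ($safe === null) {
            // Drop the tag and show the text, as chaoswar4u describes TC doing.
            return htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8');
        }
        return '<img src="' . htmlspecialchars($safe, ENT_QUOTES, 'UTF-8') . '" alt="User submitted image" />';
    }, $text);
}

// Constructed sample post: the first tag is kept, the second is shown as text.
echo render_img_bbcode('[img]http://img123.imageshack.us/img123/photo.png[/img] '
    . '[img]http://www.gamename.com/logout.php?x=.gif[/img]',
    'www.gamename.com', array('imageshack.us', 'photobucket.com')), "\n";
```

The allow-list is deliberately matched by suffix, so img123.imageshack.us passes while evilimageshack.us does not; the validator returns null rather than a "broken image" path so the caller decides what to render.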
CrazyT Posted March 21, 2010

I saw this post yesterday, and was just laughing at some of you saying it can't be done. Yes it can, because I had a go, and I have done it myself, and yes it works fine ;) So what should I do, give all of you people a challenge to try and figure it out yourselves, or should I post?

Here is a working version: http://86.185.88.98/Tests/Image%20Fix/

By the way this is my local server (localhost), so if it says Page Cannot Be Found, then I put localhost offline. Yes this can be XSS'ed because I haven't done htmlspecialchars() on this, because your normal mccode parser does that itself. So no need for me to add it on here because you will most probably add it into your bbcode function/class. Now I'm going to wait for some of you to reply. :)
CJ - Twitch Posted March 21, 2010

It works, but how? xD
Dayo Posted April 16, 2010

I have just posted this in the PHP section today, go and check it out :D