miniBB ® 

miniBB

®
Support Forums
  
 | Start | Register | Search | Statistics | File Bank | Manual |
News miniBB Support Forums / News /  
 

Avatars add-on - still being fixed

 
Author Paul
Lead Developer 
#1 | Posted: 17 Jun 2013 14:04 
The Avatars add-on has been updated today to have a straight function of determining '<?' and '?>' tags inside of the uploaded content. If such code is found, the file is considered as 'malicious' and won't be allowed to upload. Since Avatars usually are small size files, there is quite direct function for determining it, reading the whole size content upon upload.

This should help to prevent so called 'PHP Shell' codes embedded into a picture from being uploaded.

Don't forget there may be other security issues for this add-on:

- disallow GIF from the file types list - it's an outdated format, leading to many security bugs. All pictures could be designed in PNG with all the same functions available for GIF, so there is a replacement for this format, which should be accepted by your users;

- setting $avatarMaxFileSize less than 10 Kb may bring up some extra security, as PHP Shells usually take more space;

- setting $staticAvatarSize=TRUE; (all avatars of the same size) may help in preventing malicious uploads, because usually PHP doesn't determine the file of broken or corrupted images, which PHP Shells usually are.

Take care.

News miniBB Support Forums / News /
 Avatars add-on - still being fixed
 Share Topic's Link

This topic is closed. New replies are not allowed.

 

 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Install the Captcha add-on: protect your miniBB-forums from the automated spam and flood.


  ⇑