Security Advisory for ALL forum services with client-set images

Hi,

Many widely used Bulletin Board Services and Forum Services allow
clients to set images such as avatars and images in their signature/post.

Images work by the client's browser requesting that address exactly as it
would for a normal web page, except that after downloading the file it
tries to open it as an image.

Many of these services, if not all, expose command functions such as
deleting a thread in the form of a plain hyperlink.

A user could copy one of these links for deleting his own thread, edit it
so the querystring refers to another user's post, and post it as a link
or set it as his avatar.

In effect, if an admin or the original user sees the image, the post is
instantly deleted: the request goes to the same site with the viewer's
own session, so no extra login is needed.

To block this I suggest you edit your service to only accept, for images,
links whose path ends in an image format before the querystring.

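The mechanism and the fix described above, as an added example that is not part of the advisory or of any forum product: a toy forum whose delete handler fires on a plain GET (which is all an embedded image fetch sends, along with the viewer's cookie) beside a hardened handler that requires a POST carrying a per-session anti-CSRF token and an ownership check, plus the advisory's suggested extension filter for image URLs. The /delete.asp path, post ids and user names are constructed for the demo.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

IMAGE_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png")


def is_acceptable_image_url(url: str) -> bool:
    """The advisory's suggested filter for client-set image URLs: the path
    (everything before the querystring) must end in an image extension."""
    return urlsplit(url).path.lower().endswith(IMAGE_SUFFIXES)


class Forum:
    """Toy forum; posts, users and sessions are constructed sample data."""

    def __init__(self):
        self.posts = {1: "alice", 2: "bob"}  # post id -> owner
        self.sessions = {}                   # cookie -> (user, csrf token)

    def login(self, user):
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = (user, secrets.token_hex(16))
        return cookie

    def delete_vulnerable(self, method, url, cookie):
        """GET /delete.asp?id=N: whoever's browser fetches this URL while
        logged in (e.g. as an <img src>) deletes post N, owner unchecked."""
        parts = urlsplit(url)
        if parts.path != "/delete.asp" or cookie not in self.sessions:
            return "rejected"
        post_id = int(parse_qs(parts.query).get("id", ["0"])[0])
        self.posts.pop(post_id, None)
        return "deleted"

    def delete_hardened(self, method, url, cookie, form=None):
        """Accept only a POST carrying the session's anti-CSRF token, and
        only from the post's owner. An <img> fetch is a GET with no body."""
        form = form or {}
        if method != "POST" or urlsplit(url).path != "/delete.asp":
            return "rejected"
        if cookie not in self.sessions:
            return "rejected"
        user, token = self.sessions[cookie]
        if not secrets.compare_digest(form.get("csrf", ""), token):
            return "rejected"
        post_id = int(form.get("id", 0))
        if self.posts.get(post_id) != user:
            return "rejected"
        del self.posts[post_id]
        return "deleted"
```

Note that the extension filter alone only constrains what the forum will embed; the request-method and token checks are what stop the viewer's browser from acting on the victim's behalf.
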
I have tested this many times on a modified version of Web Wiz Forums,
yet delete is about the only thing that works.
