miniBB ®  
miniBB Support Forums
News & Announcements

Avatars add-on - still being fixed

Author Paul
Lead Developer
#1 | Posted: 17 Jun 2013 14:04 | Edited by: Paul 
The Avatars add-on has been updated today with a straightforward function for detecting '<?' and '?>' tags inside the uploaded content. If such code is found, the file is considered 'malicious' and won't be allowed to be uploaded. Since avatars are usually small files, there is a quite direct function for determining this, reading the whole content upon upload.

This should help prevent so-called 'PHP Shell' code embedded in a picture from being uploaded.

Don't forget there may be other security issues for this add-on:

- remove GIF from the file types list: it's an outdated format that has led to many security bugs. All pictures can be designed in PNG with all the same functions available in GIF, so there is a replacement for this format which your users should accept;

- setting $avatarMaxFileSize to less than 10 KB may add some extra security, as PHP shells usually take more space;

- setting $staticAvatarSize=TRUE; (all avatars of the same size) may help in preventing malicious uploads, because PHP usually can't handle the files of broken or corrupted images, which PHP shells usually are.

Take care.
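The following PHP is an added illustration of the measures the post describes; it is not code from the miniBB Avatars add-on. It combines the raw-byte scan for '<?' and '?>' tags with the other three pieces of advice (GIF excluded from the allowed types, a size cap under 10 KB, and re-encoding every avatar to one fixed size with GD, so that a corrupted "image" carrying a shell either fails to decode or loses every original byte). The function name validateAvatar, the constants AVATAR_MAX_FILE_SIZE, AVATAR_ALLOWED_TYPES and AVATAR_STATIC_SIZE, and the sample inputs are all assumptions made for this example; the add-on's own $avatarMaxFileSize and $staticAvatarSize settings are not used here.

```php
<?php
// Added example, not the Avatars add-on's own code. Requires the GD extension.
declare(strict_types=1);

// Hypothetical settings mirroring the post's advice.
const AVATAR_MAX_FILE_SIZE = 10 * 1024;                        // bytes, i.e. under 10 KB
const AVATAR_ALLOWED_TYPES = [IMAGETYPE_PNG, IMAGETYPE_JPEG];  // GIF deliberately left out
const AVATAR_STATIC_SIZE   = 64;                               // every avatar becomes 64x64 px

// The check the post describes: reject any upload whose raw bytes contain
// a PHP open or close tag, regardless of what the file claims to be.
function containsPhpTags(string $data): bool
{
    return strpos($data, '<?') !== false || strpos($data, '?>') !== false;
}

// Validate an uploaded avatar and return ['ok' => true, 'png' => <bytes>] with a
// freshly re-encoded fixed-size PNG, or ['ok' => false, 'error' => <reason>].
function validateAvatar(string $tmpPath): array
{
    $size = filesize($tmpPath);
    if ($size === false || $size > AVATAR_MAX_FILE_SIZE) {
        return ['ok' => false, 'error' => 'file too large'];
    }

    $data = file_get_contents($tmpPath);
    if ($data === false) {
        return ['ok' => false, 'error' => 'unreadable upload'];
    }
    if (containsPhpTags($data)) {                  // run before any decoding
        return ['ok' => false, 'error' => 'PHP tags found in upload'];
    }

    // Determine the type from the bytes, never from the extension or the
    // client-supplied MIME type.
    $info = @getimagesize($tmpPath);
    if ($info === false || !in_array($info[2], AVATAR_ALLOWED_TYPES, true)) {
        return ['ok' => false, 'error' => 'not an allowed image type'];
    }

    // Decode with GD; a broken or corrupted image usually fails right here.
    $src = @imagecreatefromstring($data);
    if ($src === false) {
        return ['ok' => false, 'error' => 'image could not be decoded'];
    }

    // Re-encode to one static size. The stored file is built from decoded
    // pixels only, so nothing appended after the image data survives.
    $dst = imagecreatetruecolor(AVATAR_STATIC_SIZE, AVATAR_STATIC_SIZE);
    imagealphablending($dst, false);
    imagesavealpha($dst, true);
    imagecopyresampled($dst, $src, 0, 0, 0, 0,
        AVATAR_STATIC_SIZE, AVATAR_STATIC_SIZE, imagesx($src), imagesy($src));

    ob_start();
    imagepng($dst);
    $png = ob_get_clean();
    imagedestroy($src);
    imagedestroy($dst);

    return ['ok' => true, 'png' => $png];
}

// Constructed demo inputs (not real uploads).
// 1. A clean 2x2 PNG generated with GD.
$img = imagecreatetruecolor(2, 2);
ob_start();
imagepng($img);
$cleanPng = ob_get_clean();
imagedestroy($img);

// 2. The same PNG with a PHP shell appended after the image data, the
//    pattern the post's tag scan is meant to stop.
$shellPng = $cleanPng . '<?php system($_GET["c"]); ?>';

foreach (['clean' => $cleanPng, 'shell' => $shellPng] as $label => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'avatar');
    file_put_contents($tmp, $bytes);
    $result = validateAvatar($tmp);
    unlink($tmp);
    echo $label, ': ', $result['ok'] ? 'accepted' : 'rejected (' . $result['error'] . ')', "\n";
}
```

The tag scan runs before any image decoding because libpng and libjpeg ignore trailing bytes, so a shell appended after a valid image would otherwise decode cleanly. The re-encoding step is what actually guarantees the stored file contains only pixel data; the scan and the size cap are cheap early rejections. Whatever checks are used, avatars should be written to a directory from which the web server never executes PHP, under a server-chosen filename and extension, since no content filter makes a PHP-handled path safe.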
