miniBB ® 

miniBB

®
Support Forums
  
 | Start | Register | Search | Statistics | File Bank | Manual |
News miniBB Support Forums / News /  
 

Avatars add-on updated: more security and flexibility

 
Author Paul
Lead Developer 
#1 | Posted: 20 Mar 2013 17:33 
Avatars add-on for miniBB has been recently updated to the newer version, which now avoids .mbb extension.
The uploaded pictures will be saved with the original, pre-defined mime-type extension, which for avatars preferrably should be either jpg, gif, or png.

It became obsolete to have '.mbb' extension for picture files, as it may be associated with ManaBook Software extension or Kodak EasyShare Data File. It is even more dangerous, if such extension is not within the associated server's mime-type extensions. For example, on Apache servers, it's not pre-defined in myme.types configuration.

The primary configuration change (under addon_avatar_options.php) is that now $availableTypes is being renamed to $avatarAvailableTypes, and it is an associated array of all possible mime-types to upload and their defined extensions. In most cases, you should not change this array from default.

$avatarDir now will contain the full path to the avatars folder. The script will no longer try to create this folder, if it doesn't exist. It should be purely created by the person who installs this add-on, and set the proper file permissions for writing. That also means, you could create a folder named other than 'avatars'. Up to you.

$maxFileSize is now being renamed to $avatarMaxFileSize, and has 10 Kbytes by default.

Steps to upgrade this add-on from your older version are:

- replace addon_avatar.php with the newer copy from the distributed package;

- from this package, take the fresh version of bb_plugins.code.txt, and replace the Avatars code in your bb_plugins.php;

- modify/rename all settings like described above and like they come by default in addon_avatar_options.php (or just replace this file);

- test the add-on for some account, trying to upload an avatar, or choose from pre-defined list; also make sure after being deleted, the avatar's file disappears from avatars folder.

If it all does work in the new mode, now it's the time to convert earlier members avatars, which were uploaded with .mbb extension.

For this, you might use the tool I've programmed, called addon_avatars_mbb_convert.php. After downloading, unzip it to the forum's folder, and point your browser to it. If you would like to run it in the test mode first, set $testMode=TRUE; inside of this script at the very top. This will allow just to see what kind of uploaded avatars you have, and what will happen with them after you run the conversion script.

Afterall, set $testMode=FALSE; and execute this script via browser's URL. It should convert all .mbb avatars to their proper extensions, and update users database information.

Check how it worked for older avatars. Do you see them on page? Click some avatar by the right mouse button and choose "Properties" for it. If it has some original picture extension, i.e. jpg, gif or png - congratulations! You did everything properly. Now your Avatars add-on should be more secured and reliable.

Report in this thread, if you will have difficulties with this update.

Thank you for paying attention to your forums Security.

Author Prince
Partaker
#2 | Posted: 20 Mar 2013 22:53 
Thanks for the update! I will update it soon, but how about file-upload-attach? it has .mbb also? Could that change also?

Author Paul
Lead Developer 
#3 | Posted: 21 Mar 2013 10:05 
I am going to work on File Attachments, File Bank and Photo Album in the nearest future, when I have time for it. I liked the mime-types/extensions definition schema implemented in Avatars and will bring it to these add-ons as well. But this is for later. These add-ons are so far secured from the other end - providing the list of *non-allowed* extensions. This also works.

.mbb in File Attachments is a bit of another story. It could be installed only if you have closed files content, i.e. files could be shown to registered and logged members only. In that case, the script reads through the file instead of just providing a hyperlink to it, and all files of the common extension could be disabled from easy locating them in the browser's bar via .htaccess in Apache. Actually, it could be *any* extension; but if you run this add-on in such mode, it supposes disabling of this file type from the direct viewing. So .mbb file can not be browser anyway. In the Avatars add-on's case, these files were all available to public, thus with the wrong mime-type.

Author Jaime
Partaker
#4 | Posted: 21 Mar 2013 14:03 
Paul:
Report in this thread, if you will have difficulties with this update.
I performed this update as described and had no problems on my side.

Author Prince
Partaker
#5 | Posted: 21 Mar 2013 22:44 
For that case you said file attachment is good for registering users!

Author Paul
Lead Developer 
#6 | Posted: 22 Mar 2013 10:24 
Prince:
For that case you said file attachment is good for registering users!
Sorry, I didn't understand what do you mean by this.

Author Prince
Partaker
#7 | Posted: 22 Mar 2013 14:49 
I meant if someone using "closed files content" so that's a good option to have .mbb file if it doesn't risk the security of site. :)

Author Paul
Lead Developer 
#8 | Posted: 22 Mar 2013 19:47 
The only security risk you may have regarding unknown file types (let's say for Apache server) is that this file type may be considered as a text-plain mime type. In that case, the intrusion may be adding some snippets of PHP code to the end of a binary file letting it to execute. Apache has strange behaviors regarding unknown file types; they do not work always, but in some cases of earlier server versions they may work. But if you have extra rules in .htaccess, as provided in File Attachments add-on's README, which would disable straight downloading or viewing such type extension files, that would cover all. So there's no security risk if such files can't be shown straight.

Also, it's an extra security protection to add unknown file types to the Apache configuration, listing their extensions in 'application/octet-stream' section of mime.types config file. For example, you may add .mbb to this config, and this will cover absolutely all issues. Even if you have no protection in .htaccess regarding such files download/view, Apache will always force them to download instead of viewing/executing. But common, this is only for dedicated servers :) If you are allowed to add this to mime.types, you could be allowed to create a .htaccess rule for it.

Author Prince
Partaker
#9 | Posted: 23 Mar 2013 11:53 
Thanks a lot for explanations and I will do that :)

Author Jaime
Partaker
#10 | Posted: 24 Mar 2013 16:30 
Paul:
Avatars add-on for miniBB has been recently updated to the newer version, which now avoids .mbb extension.
The uploaded pictures will be saved with the original, pre-defined mime-type extension, which for avatars preferrably should be either jpg, gif, or png.
Now you must update Profiles Checker add-on - This Add-on is still working with .mbb extension for the avatar-part :)

Author Paul
Lead Developer 
#11 | Posted: 25 Mar 2013 12:31 
Jaime:
Now you must update Profiles Checker add-on - This Add-on is still working with .mbb extension for the avatar-part
Thanks, I did it - updated now are both Avatars add-on and Profiles Checker add-on (for catching the Avatars change action - earlier it didn't catch it), you may try on your end.

If you note some of the other add-ons using .mbb from the earlier Avatars version, let me know :)

Author Jaime
Partaker
#12 | Posted: 25 Mar 2013 15:48 
Paul:
you may try on your end
It's Done :) Thanks for the quick response.

News miniBB Support Forums / News /
 Avatars add-on updated: more security and flexibility
 Share Topic's Link

This topic is closed. New replies are not allowed.

 

 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Check out the Captcha add-on: protect your miniBB-forums from the automated spam and flood.


  ⇑