Title: Removal Of Forum Upload Feature?
Adrninistrator - January 11, 2011 04:16 PM (GMT)
There's a security risk involved with a feature that was never supposed to have been enabled on these forums, but some of our members have used the feature already. This feature allows members to upload images onto the forums themselves. The problem might be that an individual could upload a flash file as an image file, and the flash program would run when a member loaded up a page of MOD with the flash file as an avatar, tricking the computer to also run a malicious program. I'm still looking into it, but I will probably have to disable it, and give the members who have already used this feature my apology and gratitude for their understanding.
However, I don't know if disabling this would mean that a user with malicious intent couldn't simply do the same thing on another image host site, so it may be futile, and I might just leave the feature accessible if these forums do not automatically block flash script from links coming from other sites. In the meantime, I'd appreciate your thoughts on the matter.
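The risk described above is a file whose bytes are a Flash (SWF) program but which is uploaded under an image name. As an added example (not code from this forum or from Invision), here is a server-side avatar check that identifies uploads by their leading bytes rather than their extension and enforces the kind of pixel and kilobyte limits discussed later in the thread; the limits other than the 625 width are assumed values.

```python
import struct

# Leading bytes of the image formats the forum accepts (assumed allow-list).
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}
# Flash files start with FWS (uncompressed), CWS (zlib) or ZWS (LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

def sniff_type(data: bytes) -> str:
    """Classify a file by its content, ignoring whatever name it was given."""
    if data[:3] in SWF_MAGIC:
        return "swf"
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def image_dimensions(kind: str, data: bytes):
    """Return (width, height) for PNG/GIF/JPEG, or None if the header is malformed."""
    if kind == "png" and len(data) >= 24:
        return struct.unpack(">II", data[16:24])      # IHDR width, height
    if kind == "gif" and len(data) >= 10:
        return struct.unpack("<HH", data[6:10])       # logical screen size
    if kind == "jpeg":
        i = 2                                         # skip SOI marker
        while i + 9 <= len(data) and data[i] == 0xFF:
            marker = data[i + 1]
            seglen = struct.unpack(">H", data[i + 2:i + 4])[0]
            if marker in (0xC0, 0xC1, 0xC2):          # SOF0/1/2 carry the frame size
                h, w = struct.unpack(">HH", data[i + 5:i + 9])
                return (w, h)
            i += 2 + seglen
    return None

def validate_avatar(data: bytes, max_kb=100, max_w=625, max_h=625):
    """Accept only genuine images within the limits; return (ok, reason)."""
    kind = sniff_type(data)
    if kind == "swf":
        return False, "Flash file disguised as an image"
    if kind == "unknown":
        return False, "not a PNG, GIF or JPEG"
    if len(data) > max_kb * 1024:
        return False, f"larger than {max_kb} KB"
    dims = image_dimensions(kind, data)
    if dims is None:
        return False, "malformed image header"
    if dims[0] > max_w or dims[1] > max_h:
        return False, f"{dims[0]}x{dims[1]} exceeds {max_w}x{max_h}"
    return True, kind
```

The check runs on the raw upload before it is stored, so a file named avatar.png that begins with CWS is refused regardless of its extension.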
Toa Yurikk - January 11, 2011 04:52 PM (GMT)
Egghh. :ph43r: That's bad.
Would removing it make you not be able to upload pictures into posts? Because if it doesn't you should probably get rid of this problem just to be safe. ;)
Scotus - January 11, 2011 05:36 PM (GMT)
Does that include banners and avatars?
Adrninistrator - January 11, 2011 06:10 PM (GMT)
I'm still looking into it. I've found several articles talking about the risks, but I haven't found one yet on Invision detailing if their service has already updated to prevent the issue, and if our site requires a manual update or if it was fixed automatically. I do know that this has been a known issue for quite a few months now, so I hope they have already taken action. I've also sent a message to Black Six from BZPower asking if he personally knows if it's an issue, since BZP runs on a version of the forum software from the same company.
Either way, if it does prove to be a security risk, everyone's understanding and cooperation would be very much appreciated.
I know avatars can be uploaded to our forum server at this time. I don't know if banners can be too, but if those are a part of the server upload, and it turns out to be a security risk, then it would include those. If it does not pose a risk after all, then I'll try to keep those features up, and even enable the profile image feature, which seems to only work with uploaded images.
Update: Still looking into it, but I've just remembered there's a support ticket feature built into the ACP; hopefully they'll respond quickly to put our minds at ease over this.
Adrninistrator - January 12, 2011 11:41 PM (GMT)
According to a reply from Invision's support team, I have an option on the board to disable flash in avatars and forum posts specifically, and this has been disabled by default, meaning no known flash exploit can work under these current settings. He also pointed out that keeping our browser software up to date will help ensure these exploits are prevented. Another article mentions that Adobe has been encouraging webmasters on all sites using flash to be vigilant in personally patching these problems from their end, meaning if the website itself hasn't fixed the problem on their end, there could still be problems on those sites.
Also, remember to keep your passwords up to date, try to keep them different on every site, and use information that password crackers can't look up on your profiles or social websites.
For now I'm not going to disable the upload feature, and I'm going to look into enabling profile pictures too. It asks me to specify maximum pixel height and width, as well as a maximum size limit in kilobytes. Anyone have a recommendation? I'm thinking at the very least to make the width 625, but since this is in the profile, out of the way where it won't really bug people for being larger... perhaps different dimensions are in order?
Also, I tweaked a couple of profile settings; everyone should now be able to add events to the calendar, which I'll have to see if anyone can even access.
Solek-Toa of Shadows - January 13, 2011 02:06 AM (GMT)
Almost all of my passwords are the same. Unfortunately, they are my own word, so it will be very, and I mean VERY, hard to crack.
Toa Yurikk - January 13, 2011 06:06 AM (GMT)
QUOTE (Adrninistrator @ Jan 12 2011, 05:41 PM):
According to a reply from Invision's support team, I have an option on the board to disable flash in avatars and forum posts specifically, and this has been disabled by default, meaning no known flash exploit can work under these current settings. He also pointed out that keeping our browser software up to date will help ensure these exploits are prevented. Another article mentions that Adobe has been encouraging webmasters on all sites using flash to be vigilant in personally patching these problems from their end, meaning if the website itself hasn't fixed the problem on their end, there could still be problems on those sites.
Also, remember to keep your passwords up to date, try to keep them different on every site, and use information that password crackers can't look up on your profiles or social websites.
For now I'm not going to disable the upload feature, and I'm going to look into enabling profile pictures too. It asks me to specify maximum pixel height and width, as well as a maximum size limit in kilobytes. Anyone have a recommendation? I'm thinking at the very least to make the width 625, but since this is in the profile, out of the way where it won't really bug people for being larger... perhaps different dimensions are in order?
Also, I tweaked a couple of profile settings; everyone should now be able to add events to the calendar, which I'll have to see if anyone can even access.
That's good that there isn't any imminent danger.
I never use the same password; it's always just garbled gibberish. :lol:
Takal - January 13, 2011 06:34 AM (GMT)
I've accessed the calendar multiple times. Never even tried to set a date, though...