Old 22nd January 2008, 11:35   #1
ryan
not fucked, not quite. (Forum King)
Join Date: Feb 2002
Location: Tn
Posts: 8,798
VB Bug.

Old 22nd January 2008, 16:20   #2
ryan
Not photoshopped, by the way.

Last edited by ryan; 22nd January 2008 at 16:41.
Old 23rd January 2008, 11:18   #3
jheriko
Forum King
Join Date: Aug 2002
Location: a twist in the fabric of space
Posts: 2,150
So what are you saying? Firefox can't render the letter l correctly? I don't get it...

-- Jheriko

'Everything around us can be represented and understood through numbers'
Old 23rd January 2008, 12:11   #4
ryan
Quote:
Originally posted by jheriko
So what are you saying? Firefox can't render the letter l correctly? I don't get it...
It has nothing to do with Firefox. Notice the size of the avatar?

Like my current avatar, it's 50x55.

The maximum size is 50x50. It's not really a bug, it's more of the way PHP's getimagesize() checks for image (at least for GIF images) width and height.

edit: That is from the Winamp forums, I've just set up my own stylesheet.

edit2: Also works with JPG images.
Old 23rd January 2008, 16:16   #5
CraigF
Passionately Apathetic
Administrator
Join Date: May 2000
Location: Hell
Posts: 5,435
So you're saying you were able to circumvent the size checks? The only bug I see at the moment is that one dimension of your avatar goes past the limit. But I don't know if that's a bug or due to a partial roll-back of the widescreen avatar code.

Old 23rd January 2008, 23:42   #6
ryan
Quote:
Originally posted by CraigF
So you're saying you were able to circumvent the size checks? The only bug I see at the moment is that one dimension of your avatar goes past the limit. But I don't know if that's a bug or due to a partial roll-back of the widescreen avatar code.
Like I said, it's PHP related. I'm almost certain that VB uses getimagesize() to get the size of the images submitted by the user.

It doesn't actually check the size of the file. It only reads the header of the file. Modifying the file header with a hex editor, you can make the file say it's any size you want.

For example, I took a 1200x1600 transparent GIF image and modified its header to say it was 50x50. The forum accepted it with no problem at all.

It's not really a bug, I guess. But someone could cause some problems using large images as an avatar.
Old 24th January 2008, 14:57   #7
xzxzzx
Forum King
Join Date: Aug 2002
Posts: 7,254
Technically it's a security vulnerability.

Freedom of speech is the basic freedom of humanity. When you've lost that, you've lost everything.
1\/\/4y 34|<$p4y 1gp4y 33714y, 0d4y 0uy4y? | Roses are #FF0000; Violets are #0000FF; chown -R ${YOU} ~/base
The DMCA. It really is that bad. : Count for your life.
Old 24th January 2008, 17:27   #8
CraigF
Well, vB does use getimagesize(). So, yes, it's open to abuse.

but how does that abuse make it a security vuln?

Old 24th January 2008, 18:01   #9
k_rock923
\m/ (Forum King)
Join Date: Jul 2003
Location: /bin/bash
Posts: 7,850
If nothing else, it means that forum administrators have no method of preventing someone from uploading a huge avatar of a single color and screwing up the page for everyone that views it.

Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.
Old 25th January 2008, 03:26   #10
jheriko
The size information must be calculated from something other than the header... or at least some other part of the header. So it's not something that can't be worked around. At least if you have unrestricted access to the source and stuff...

reasoning: you need to know at least the width to render the image in the first place (when to start the next row of pixels). if this part of the header is relied on totally then changing it would turn the rendering of the image into a suitable pile of misaligned garbage.

BTW, I was at first distracted by the extra long line where the l would be in dateline on the Firefox properties box. D'oh! Didn't even realise it was Winamp forums in the background.

Old 25th January 2008, 15:28   #11
k_rock923
Well yes, you are of course correct. But, that has nothing to do with the fact that the PHP function only uses the header.

Even though you're right that to render it, something else is used, that doesn't mean much when some dick uploads a 20,000 * 20,000 avatar of a single color that is rendered fine but has header information that can get around the function.

That's one of the most important things to remember in computer security. Even if there's a simple way to work around it, a vulnerability is still a problem until that simple fix has actually been implemented.

Proposing a simple fix or a reason why it shouldn't exist in the first place does not make it go away.

Old 29th January 2008, 17:19   #12
CraigF
But it's not really a security vulnerability. A user would be able to upload an image which would change page layout.

So what?

You can do that now with bbcode's code/php blocks and extra long line length, and admins/mods have the ability to nuke them. Repeat offenses can result in the obvious ban button.

Obviously the reason why PHP uses header information rather than processing is for performance reasons; remember, it is not just implemented for tiny avatars that only need be checked on upload. So yes, the fix here would be to edit vBulletin to properly load in the image, then imagesx/imagesy to check constraints.

Perhaps it's worth submitting that recommendation to Jelsoft (assuming that later vBulletin versions don't do so already).

Old 29th January 2008, 18:14   #13
k_rock923
Regardless, the upload page claims a 50x50 limit while there is clearly not one. That is a bug.

True, moderators can remove the avatar, but why check at all, then? This bug isn't a show stopper, but I don't think that you need to be trivializing it, either.

Old 30th January 2008, 04:43   #14
ryan
Quote:
Originally posted by CraigF
But it's not really a security vulnerability. A user would be able to upload an image which would change page layout.

So what?

You can do that now with bbcode's code/php blocks and extra long line length, and admins/mods have the ability to nuke them. Repeat offenses can result in the obvious ban button.

Obviously the reason why PHP uses header information rather than processing is for performance reasons; remember, it is not just implemented for tiny avatars that only need be checked on upload. So yes, the fix here would be to edit vBulletin to properly load in the image, then imagesx/imagesy to check constraints.

Perhaps it's worth submitting that recommendation to Jelsoft (assuming that later vBulletin versions don't do so already).
It's not much of a difference, but I guess on larger images it would be.

http://www.vague.us/imtest.php

Edit: After some further testing, imagecreatefromgif() doesn't work on GIFs with the altered header. It gives an error saying it's not a valid GIF.

So I guess there isn't a fix to the problem.

Last edited by ryan; 30th January 2008 at 05:49.
Old 30th January 2008, 12:29   #15
CraigF
Quote:
Originally posted by k_rock923
Regardless, the upload page claims a 50x50 limit while there is clearly not one. That is a bug.
The bug can only be exercised by one who wishes to manually edit the header of a jpeg file to misrepresent its dimensions.

Which of course leads to an intentional attempt to break the forums, which would be a bannable offense as far as I'm concerned.

I'm not trivialising, I'm just being realistic.

There is nobody to fix the issue on the forums, hence my suggestion to verify it still exists in vBulletin and submit to Jelsoft.

Old 30th January 2008, 16:33   #16
ryan
Quote:
Originally posted by CraigF
The bug can only be exercised by one who wishes to manually edit the header of a jpeg file to misrepresent its dimensions.

Which of course leads to an intentional attempt to break the forums, which would be a bannable offense as far as I'm concerned.

I'm not trivialising, I'm just being realistic.

There is nobody to fix the issue on the forums, hence my suggestion to verify it still exists in vBulletin and submit to Jelsoft.
Like I said above. I doubt there is a way to fix it. Read my previous post.
Old 30th January 2008, 17:23   #17
CraigF
Are you saying that the image in your test case is modified? Because Firefox, and both your getimagesize and imagesx/y functions, report the same dimensions.

I'd have assumed that getting dimensions on a PHP image resource wouldn't be using the original image headers, since it would be a GD image resource at that point without specific header data.

Old 31st January 2008, 00:12   #18
ryan
Quote:
Originally posted by CraigF
Are you saying that the image in your test case is modified? Because Firefox, and both your getimagesize and imagesx/y functions, report the same dimensions.

I'd have assumed that getting dimensions on a PHP image resource wouldn't be using the original image headers, since it would be a GD image resource at that point without specific header data.
I've replaced the image on the test page with a modified gif.

The error doesn't show, but on my private test server GD reports that the image is invalid.
Old 31st January 2008, 11:51   #19
CraigF
So yeah, as I suspected, you're stuck using imagesx/y to check width/height of the GD image, assuming the picture even loads.

Don't know what the performance hit of that is (certainly doesn't look noticeable in your test case), but yeah, the getimagesize function does little more than enough to get dimensions and nothing else.

So I suppose the answer here is to alter vBulletin to try and create a GD image object when uploading avatars, and assume invalid if the image cannot be created, or if imagesx/y report out of bounds, which is what I'd assumed originally.

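The two checks the thread contrasts, side by side, as an added example that is not vBulletin's code and not code posted by anyone in this thread. The first function trusts getimagesize(), which only parses the file header, so the width and height it returns are whatever the uploader wrote there. The second is the design CraigF describes: decode the upload with GD, treat a failed decode as invalid (the behaviour ryan saw from imagecreatefromgif() on an altered GIF), and bounds-check imagesx()/imagesy() on the decoded image. The 50x50 limit is the one quoted in the thread; the byte cap, function names and the file path are assumptions made for this example.

```php
<?php
// Added example, not vBulletin's own code. Contrasts a header-only avatar
// dimension check with one that decodes the image before measuring it.

declare(strict_types=1);

const AVATAR_MAX_W = 50;        // limit quoted in the thread
const AVATAR_MAX_H = 50;
const AVATAR_MAX_BYTES = 20000; // assumed byte cap; vBulletin's real limit is not on the page

/**
 * Header-only check, as the thread says vBulletin did it.
 * getimagesize() reads the dimension fields from the file header and
 * never decodes pixel data, so a file whose header has been edited to
 * claim 50x50 passes even if it decodes to 1200x1600.
 */
function avatarOkByHeader(string $path): bool
{
    $info = @getimagesize($path);
    if ($info === false) {
        return false;          // not recognised as an image at all
    }
    [$w, $h] = $info;          // indices 0 and 1 are width and height
    return $w <= AVATAR_MAX_W && $h <= AVATAR_MAX_H;
}

/**
 * Decode-then-measure check, the fix proposed in the thread.
 * A mismatched header either makes GD refuse the file (reject) or GD
 * decodes the real pixel grid, whose true size is then bounds-checked.
 */
function avatarOkByDecoding(string $path): bool
{
    // Decoding costs memory proportional to the real pixel count, not the
    // header's claim, so keep a byte cap and PHP's memory_limit in place
    // rather than decoding arbitrary uploads.
    $size = filesize($path);
    if ($size === false || $size > AVATAR_MAX_BYTES) {
        return false;
    }

    $data = file_get_contents($path);
    if ($data === false) {
        return false;
    }

    // imagecreatefromstring() detects GIF/JPEG/PNG by content, not by
    // extension, and returns false when the data is not a valid image.
    $img = @imagecreatefromstring($data);
    if ($img === false) {
        return false;          // fail closed: undecodable means rejected
    }

    $w = imagesx($img);        // dimensions of the decoded GD image,
    $h = imagesy($img);        // independent of the file header
    imagedestroy($img);

    return $w <= AVATAR_MAX_W && $h <= AVATAR_MAX_H;
}

// Usage on an uploaded file (the form field name is hypothetical):
// $tmp = $_FILES['avatar']['tmp_name'];
// var_dump(avatarOkByHeader($tmp), avatarOkByDecoding($tmp));
```

Running the header check first is still worthwhile as a cheap filter for honestly oversized uploads; the point is that it must not be the only check, because the decode step is what ties the accepted dimensions to the pixels a browser will actually render.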
Old 31st January 2008, 12:48   #20
ryan
Well, I registered on the official vBulletin forum (since they're most likely running the latest version). The limit there is 150x250 so I modified an image to say its size is 200x200. It uploaded fine. So I'm guessing the bug is not fixed in the latest version.
Winamp & Shoutcast Forums > Community Center > General Discussions