New
Oct 4, 2013 12:58 AM
#51
JoshyPHP said: abreast |
Oct 4, 2013 2:38 AM
#53
Undim said: Well that and imgur, I just gave examples of the most used that came in my mind at that moment :DFor now, a strict whitelist would probably satisfy most users. ao_no_exo said: I say you should make a whitelist with the most used web image hosters, like flickr, imageshack, photobucket, signavatar. And slowly expand it to some other websites by having request from users. And where we have the signature settings to have the supported websites listed so people can see why their picture might not work and what they could use. Add postimage.org to that and I would be happy. The only thing bothering me is the fact that the attack itself seems so simple and yet I have never personally seen any other site that has embed code have it happen to them. Seems like there must be a simple answer but maybe not. |
Oct 4, 2013 6:00 AM
#54
Great work man. Appreciate the update and I hope we can prevent future attacks also. Looking forward to having [img] codes back up. |
Oct 4, 2013 7:35 AM
#56
Oct 4, 2013 8:52 AM
#57
Even if whitelisting of image hosters is used it would deny a shitload of other legit hosts, leading to support threads like "Why is my image not working" and users who copy the desired images and upload it to white listed image hosters. Also, some (or at least one) of the gore pics were on legit image hosters like photobucket. Whitelisting might prevent the auth prompt but leads to much more issues in the everyday use. Same with black lists, you could black list all the obvious gore sites that you know of, but again, auth prompts can't be prevented with that either and getting a new address for new gore sites' still a problem. Best solution seems to check if linked images are delivered images, the prompt would interrupt any image request. However, black/white lists are no reliable solutions at all. |
Oct 4, 2013 9:02 AM
#58
nantuko said: White lists are still a solution. Yes gore pictures will appear... but those should just be reported, there's at least 2-4 mods online at the same time it will be taken down in minutes if not an hour or so.Even if whitelisting of image hosters is used it would deny a shitload of other legit hosts, leading to support threads like "Why is my image not working" and users who copy the desired images and upload it to white listed image hosters. Also, some (or at least one) of the gore pics were on legit image hosters like photobucket. Whitelisting might prevent the auth prompt but leads to much more issues in the everyday use. Same with black lists, you could black list all the obvious gore sites that you know of, but again, auth prompts can't be prevented with that either and getting a new address for new gore sites' still a problem. Best solution seems to check if linked images are delivered images, the prompt would interrupt any image request. However, black/white lists are no reliable solutions at all. |
Oct 4, 2013 9:11 AM
#59
ao_no_exo said: nantuko said: White lists are still a solution. Yes gore pictures will appear... but those should just be reported, there's at least 2-4 mods online at the same time it will be taken down in minutes if not an hour or so.Even if whitelisting of image hosters is used it would deny a shitload of other legit hosts, leading to support threads like "Why is my image not working" and users who copy the desired images and upload it to white listed image hosters. Also, some (or at least one) of the gore pics were on legit image hosters like photobucket. Whitelisting might prevent the auth prompt but leads to much more issues in the everyday use. Same with black lists, you could black list all the obvious gore sites that you know of, but again, auth prompts can't be prevented with that either and getting a new address for new gore sites' still a problem. Best solution seems to check if linked images are delivered images, the prompt would interrupt any image request. However, black/white lists are no RELIABLE SOLUTIONS at all. Just skimming the text, huh? Please read it again and this time try to comprehend what I wrote. Especially the problems that will occur. Thanks. |
Oct 4, 2013 10:40 AM
#60
nantuko said: Wow how did you come up with that? Just skimming the text... Just skimming the text, huh? Please read it again and this time try to comprehend what I wrote. Especially the problems that will occur. Thanks. Obviously I read it, otherwise I wouldn't have went trough making a quote of your text and reply too... So what if threads like "Why is my image not working" going to be a problem? I said it that there should be a list of accepted pages on the signature options. If people are unable to see it, well it's a bummer for them. And will most probably google it, ask someone or make a thread like that and be surprised how blind they were. Obviously at first there will be allot like these but it will settle down after a while. Still better than making something complicated that might strain the servers(not that I would know how much that would affect it, I'm no server admin guy for sure). But I do agree with the black list, that is just impossible to do. It would be in a never ending update of the list. Also I didn't say that white-listing is the solution, I said it's still one solution. |
Oct 4, 2013 11:06 AM
#61
So good to have url back. Thankyou. |
There is no such thing as shit taste. Only idiots who think everyone should have the same taste as they do. |
Oct 4, 2013 11:50 AM
#62
ao_no_exo said: Also I didn't say that white-listing is the solution, I said it's still one solution. You said it in a way as if I said it's no solution without mentioning any (good) reasoning I gave against such lists. Skimming is what I call that, yes. It deflects my argument to your favour. Also, regarding upcoming threads, that's the easiest argument to go up against, isn't it? Going a bit further: what about, let's say news and images. Let's say it's an official image for a new anime on that anime's official website, you couldn't link to it per white listing 'cause the URL might not be in the white list. Annoying. Now what to do? Potentially (encouraged by MAL) infringing copyright by downloading it and upload it to another - white listed - service. Sure, an arguable point as you Americans have your DMCA. However, it creates a high level of uncertainty for the user who might not be in America and therefore be liable for the infringement - even if he doesn't know that. Germany for example is hilariously strict there at times. Now keep in mind that gore pics could still be uploaded to white listed image hosters. With this the whitelist makes no sense as it creates more work for everyone involved by - at the same time - limiting the freedom of images and hosters to use. And for what? A one per year hacking attempt where the user might see an authentication prompt and is - excuse my wording - so stupid that he enters his login credentials. An authentication prompt that targets every single website on earth with user generated content because of the poor implementation of this auth prompt. Seems very unreasonable to me. There is no perfect solution to this, you have to make compromises. Either screw the users (wich is in my eyes completely unreasonable) or make some cuts in server performance. What I am for is pretty obvious. Now, the latter is an ongoing problem on MAL, okay but that is surely not the website that is causing so much strain, it's most likely a very bad infrastructure nobody's gonna improve upon because CraveOnline doesn't give a damn. But as an argument against security without limiting functions really a bad choice to make. Update the server if necessary, check if linked pictures are actually pictures (possible through HEAD requests? Didn't test it myself but would decrease transferred data) or block 'em/delete 'em from the post. Done. This could also be implemented with some kind of cache and a timeframe a picture is checked. Old ones (whatever that is, >=6month?) never. In newer threads (<1 week) every hour/10mins or so or when the thread is accessed the next time. Much more reasonable. The latter could for example be switched on only when the hacker comes back. So we have nearly all year long no problem with the performance but have to deal with it when he's back. And in the worst case we get maybe 1-5 compromised accounts now until this function is switched on. All in all very easier to handle. |
nantukoOct 4, 2013 12:02 PM
Oct 4, 2013 12:33 PM
#63
At least color is back!!! Thanks for working so hard for all of us, can't wait until images are back =^.^= |
Signature removed. Please follow the signature rules, as defined in the Site & Forum Guidelines. |
Oct 4, 2013 12:42 PM
#64
nantuko said: Oh wow, now if I don't reply I look like the guy who ran away from a friendly chat :D.ao_no_exo said: Also I didn't say that white-listing is the solution, I said it's still one solution. You said it in a way as if I said it's no solution without mentioning any (good) reasoning I gave against such lists. Skimming is what I call that, yes. It deflects my argument to your favour. Also, regarding upcoming threads, that's the easiest argument to go up against, isn't it? Going a bit further: what about, let's say news and images. Let's say it's an official image for a new anime on that anime's official website, you couldn't link to it per white listing 'cause the URL might not be in the white list. Annoying. Now what to do? Potentially (encouraged by MAL) infringing copyright by downloading it and upload it to another - white listed - service. Sure, an arguable point as you Americans have your DMCA. However, it creates a high level of uncertainty for the user who might not be in America and therefore be liable for the infringement - even if he doesn't know that. Germany for example is hilariously strict there at times. Now keep in mind that gore pics could still be uploaded to white listed image hosters. With this the whitelist makes no sense as it creates more work for everyone involved by - at the same time - limiting the freedom of images and hosters to use. And for what? A one per year hacking attempt where the user might see an authentication prompt and is - excuse my wording - so stupid that he enters his login credentials. An authentication prompt that targets every single website on earth with user generated content because of the poor implementation of this auth prompt. Seems very unreasonable to me. There is no perfect solution to this, you have to make compromises. Either screw the users (wich is in my eyes completely unreasonable) or make some cuts in server performance. What I am for is pretty obvious. Now, the latter is an ongoing problem on MAL, okay but that is surely not the website that is causing so much strain, it's most likely a very bad infrastructure nobody's gonna improve upon because CraveOnline doesn't give a damn. But as an argument against security without limiting functions really a bad choice to make. Update the server if necessary, check if linked pictures are actually pictures (possible through HEAD requests? Didn't test it myself but would decrease transferred data) or block 'em. Done. This could also be implemented with some kind of cache and a timeframe a picture is checked. Old ones (whatever that is, >=6month?) never. In newer threads (<1 week) every hour/10mins or so or when the thread is accessed the next time. Much more reasonable. The latter could for example be switched on only when the hacker comes back. So we have nearly all year long no problem with the performance but have to deal with it when he's back. And in the worst case we have maybe 1-5 compromised accounts now. All in all very easier to handle. Okay the news section is indeed fitting your argument, one at which I didn't think. Since when do I live in America? ~where did you read this?. And yeah the infringing of a copyright could be a problem, but since when do news on the internet care so much for their picture, I never had problems of such (though it's true I always posted the source of image and/or the source of the article). "Now keep in mind that gore pics could still be uploaded to white listed image hosters." -True but gore pictures don't represent a threat towards losing your account, and because it's not fitting I already said: "those should just be reported, there's at least 2-4 mods online at the same time it will be taken down in minutes if not an hour or so". No matter what method you use you can't restrict pictures, those will always come up and easiest way to get rid of it is delete post by admin. And ban the user(obviously because there's a chance that the account was hacked, the account should not be taken down immediately but rather just banned from posting). "There is no perfect solution to this, you have to make compromises." well unless MAL changes to a much secure and better server you are right "because CraveOnline doesn't give a damn". "check if linked pictures are actually pictures (possible through HEAD requests? Didn't test it myself but would decrease transferred data)" And I don't know not even this much, as I told you I never worked on a server. "This could also be implemented with some kind of cache and a time-frame a picture is checked. Old ones (whatever that is, >=6month?) never. In newer threads (<1 week) every hour/10mins or so or when the thread is accessed the next time." Hmm, seems reasonable. But I'm sure that this can be bypassed by editing the post after 6 months, the bright side of it is that who the heck reads 6 months old comments xD(well except for rare anime discussion pages, where not many post and that 6months old post might be 1st on page.). So I would rather go by when that page of the thread is accessed rather than the whole thread, thus in my theory decreasing stress on the server. (As a side note: this might induce another vulnerability for DDoS-ing, as someone could send his DDoS attack by accessing multiple pages and the server would have to check everything again slowing it down to the point of not working for quite a while) "The latter could for example be switched on only when the hacker comes back." How fast do you think that someone is hacking? Even so, it's a better solution than nothing. "And in the worst case we have maybe 1-5 compromised accounts now. All in all very easier to handle." Umm yeah well the archives can help, but those 1-5 who lost a month of whatever they did, will spread the word quite fast. Not a matter for many, but yeah stuff happens, doesn't it? |
Oct 4, 2013 2:12 PM
#65
It's nice to see that MAL is getting back to normal. |
Oct 4, 2013 2:40 PM
#67
ao_no_exo said: Since when do I live in America? ~where did you read this? Nowhere, I just assumed it for the sake of the argument. ao_no_exo said: And yeah the infringing of a copyright could be a problem, but since when do news on the internet care so much for their picture, I never had problems of such (though it's true I always posted the source of image and/or the source of the article). What if a non-news Moderator creates a thread with news and wants to embed a picture of the orignal artwork directly? I've seen such threads in the past. Or just in the anime discussion subforum? There will probably be no police officer searching through MAL to discover such infringements, nevertheless it's not something MAL should encourage anyone to do. Again, in Germany for example it'd be illegal to download a copyrighted artwork from an official site to upload it somewhere else without consent. As I said, no police officer will say I am in the wrong even though I am but that should not be encouraged by whoever, this creates uncertainty for the user and is a bad choice. It's more of a moral thing one should and need to think about. ao_no_exo said: "Now keep in mind that gore pics could still be uploaded to white listed image hosters." -True but gore pictures don't represent a threat towards losing your account, and because it's not fitting I already said: "those should just be reported, there's at least 2-4 mods online at the same time it will be taken down in minutes if not an hour or so". You're right, we're dealing with two things here: the auth prompts and the gore pics. Unfortunately those two go hand in hand as the auth prompt is embedded disguised as an image. Now that embedded image lies in a folder on another server that is password protected, so when accessing the image you get this prompt. That means either allow images and the danger of such a prompt to appear - as this is just poorly implemented, every website has this problem not only MAL - or don't at all. A whitelist would prevent the prompt but not the pictures and that makes it unreasonable as we have one hacking attack per year - if at all. ao_no_exo said: "check if linked pictures are actually pictures (possible through HEAD requests? Didn't test it myself but would decrease transferred data)" And I don't know not even this much, as I told you I never worked on a server. That was not specifically directed at you, just a general idea that popped up in my head. ao_no_exo said: "This could also be implemented with some kind of cache and a time-frame a picture is checked. Old ones (whatever that is, >=6month?) never. In newer threads (<1 week) every hour/10mins or so or when the thread is accessed the next time." Hmm, seems reasonable. But I'm sure that this can be bypassed by editing the post after 6 months, the bright side of it is that who the heck reads 6 months old comments xD(well except for rare anime discussion pages, where not many post and that 6months old post might be 1st on page.). So I would rather go by when that page of the thread is accessed rather than the whole thread, thus in my theory decreasing stress on the server. (As a side note: this might induce another vulnerability for DDoS-ing, as someone could send his DDoS attack by accessing multiple pages and the server would have to check everything again slowing it down to the point of not working for quite a while) Editing posts later on to show gore pics was my concern as well, but this idea is just a little pointer as a possible approach to deal with it (checking only the requested pages images was my idea, too, though), I haven't thought every possibility through, like what if a thread is neither old (>6month) nor new (<1week) regarding the timeframe. Good point with the DDoS, though. ao_no_exo said: Well, when the hacker's back it's just to prevent too many people of a) seeing gore pics, b) limiting the compromising of accounts through pictures *without* deleting [ img ] BBCode for the time being."The latter could for example be switched on only when the hacker comes back." How fast do you think that someone is hacking? Even so, it's a better solution than nothing. "And in the worst case we have maybe 1-5 compromised accounts now. All in all very easier to handle." Umm yeah well the archives can help, but those 1-5 who lost a month of whatever they did, will spread the word quite fast. Not a matter for many, but yeah stuff happens, doesn't it? Another (lazy) possibility would be to automatically embed img in spoilers (exceptions may apply as for signatures/about me and clubs?). When I remember correctly those pictures were loaded when someone clicks on the spoiler, not earlier. That would prevent making threads a gore fest and should limit - not prevent - at least the auth prompts to appear. Certainly a compromise between usability and security. |
Oct 4, 2013 2:50 PM
#68
nantuko said: Well I hope our conversation was of help for Xinil, and if not then at-least for entertainment :D. I do wonder when it will be enabled again. And now I'm a bit curious what solution will be used too. We shall see :)ao_no_exo said: Since when do I live in America? ~where did you read this? Nowhere, I just assumed it for the sake of the argument. ao_no_exo said: And yeah the infringing of a copyright could be a problem, but since when do news on the internet care so much for their picture, I never had problems of such (though it's true I always posted the source of image and/or the source of the article). What if a non-news Moderator creates a thread with news and wants to embed a picture of the orignal artwork directly? I've seen such threads in the past. Or just in the anime discussion subforum? There will probably be no police officer searching through MAL to discover such infringements, nevertheless it's not something MAL should encourage anyone to do. Again, in Germany for example it'd be illegal to download a copyrighted artwork from an official site to upload it somewhere else without consent. As I said, no police officer will say I am in the wrong even though I am but that should not be encouraged by whoever, this creates uncertainty for the user and is a bad choice. It's more of a moral thing one should and need to think about. ao_no_exo said: "Now keep in mind that gore pics could still be uploaded to white listed image hosters." -True but gore pictures don't represent a threat towards losing your account, and because it's not fitting I already said: "those should just be reported, there's at least 2-4 mods online at the same time it will be taken down in minutes if not an hour or so". You're right, we're dealing with two things here: the auth prompts and the gore pics. Unfortunately those two go hand in hand as the auth prompt is embedded disguised as an image. Now that embedded image lies in a folder on another server that is password protected, so when accessing the image you get this prompt. That means either allow images and the danger of such a prompt to appear - as this is just poorly implemented, every website has this problem not only MAL - or don't at all. A whitelist would prevent the prompt but not the pictures and that makes it unreasonable as we have one hacking attack per year - if at all. ao_no_exo said: "check if linked pictures are actually pictures (possible through HEAD requests? Didn't test it myself but would decrease transferred data)" And I don't know not even this much, as I told you I never worked on a server. That was not specifically directed at you, just a general idea that popped up in my head. ao_no_exo said: "This could also be implemented with some kind of cache and a time-frame a picture is checked. Old ones (whatever that is, >=6month?) never. In newer threads (<1 week) every hour/10mins or so or when the thread is accessed the next time." Hmm, seems reasonable. But I'm sure that this can be bypassed by editing the post after 6 months, the bright side of it is that who the heck reads 6 months old comments xD(well except for rare anime discussion pages, where not many post and that 6months old post might be 1st on page.). So I would rather go by when that page of the thread is accessed rather than the whole thread, thus in my theory decreasing stress on the server. (As a side note: this might induce another vulnerability for DDoS-ing, as someone could send his DDoS attack by accessing multiple pages and the server would have to check everything again slowing it down to the point of not working for quite a while) Editing posts later on to show gore pics was my concern as well, but this idea is just a little pointer as a possible approach to deal with it (checking only the requested pages images was my idea, too, though), I haven't thought every possibility through, like what if a thread is neither old (>6month) nor new (<1week) regarding the timeframe. Good point with the DDoS, though. ao_no_exo said: Well, when the hacker's back it's just to prevent too many people of a) seeing gore pics, b) limiting the compromising of accounts through pictures *without* deleting [ img ] BBCode for the time being."The latter could for example be switched on only when the hacker comes back." How fast do you think that someone is hacking? Even so, it's a better solution than nothing. "And in the worst case we have maybe 1-5 compromised accounts now. All in all very easier to handle." Umm yeah well the archives can help, but those 1-5 who lost a month of whatever they did, will spread the word quite fast. Not a matter for many, but yeah stuff happens, doesn't it? Another (lazy) possibility would be to automatically embed img in spoilers (exceptions may apply as for signatures/about me and clubs?). When I remember correctly those pictures were loaded when someone clicks on the spoiler, not earlier. That would prevent making threads a gore fest and should limit - not prevent - at least the auth prompts to appear. Certainly a compromise between usability and security. |
Oct 4, 2013 2:53 PM
#69
nantuko said: ao_no_exo said: nantuko said: White lists are still a solution. Yes gore pictures will appear... but those should just be reported, there's at least 2-4 mods online at the same time it will be taken down in minutes if not an hour or so.Even if whitelisting of image hosters is used it would deny a shitload of other legit hosts, leading to support threads like "Why is my image not working" and users who copy the desired images and upload it to white listed image hosters. Also, some (or at least one) of the gore pics were on legit image hosters like photobucket. Whitelisting might prevent the auth prompt but leads to much more issues in the everyday use. Same with black lists, you could black list all the obvious gore sites that you know of, but again, auth prompts can't be prevented with that either and getting a new address for new gore sites' still a problem. Best solution seems to check if linked images are delivered images, the prompt would interrupt any image request. However, black/white lists are no RELIABLE SOLUTIONS at all. Just skimming the text, huh? Please read it again and this time try to comprehend what I wrote. Especially the problems that will occur. Thanks. |
rodacOct 5, 2013 1:24 AM
Oct 4, 2013 4:06 PM
#70
Oct 4, 2013 4:48 PM
#71
zanetu said: FYI. http://stackoverflow.com/questions/4988560/how-to-prevent-xss-injection-while-allowing-users-to-post-external-images#comment5574142_4988584 That script literally turns your server into an open proxy. It's cool if you want to help pedophiles remain anonymous, but otherwise its usefulness is relatively limited. |
Oct 4, 2013 9:42 PM
#73
Yeah, you need to white/black list the sites you don't want. |
Oct 4, 2013 9:43 PM
#74
Pls, just turn back image bbcodes! The hacker can't still be here. Who the fk has that much free time? |
Oct 4, 2013 9:49 PM
#75
Sushiii said: Pls, just turn back image bbcodes! The hacker can't still be here. Who the fk has that much free time? Lol right about that but what if it's more than one person? O_o |
Oct 5, 2013 3:30 AM
#76
1. Have a server to host image 2. User must upload image to server 3. Mods approved the image usage 4. User can see the picture now. Cant be done? I know it gonna take much more time for mods and the cost to store the picture somewhere. |
Nah, i dont think sharing anime ratings in signature is cool thing. Here, stare at this pointless signature instead. |
Oct 5, 2013 5:17 AM
#77
Good! I'm still waiting for [ img ] though. :| Still happy though. |
Oct 5, 2013 1:25 PM
#80
Furykury1 said: It's because you updated your signature after they disabled BBcode. Everyone's whos' works, didn't.So, I assume, that my signature will still not work due to no [img]. Yet, many signatures are working just fine. Very interesting!!!! |
Short of the day: Monotonous Purgatory(MAL) ✰Public Domain Club | One Piece Club✰ |
Oct 5, 2013 1:36 PM
#81
IntroverTurtle said: Furykury1 said: It's because you updated your signature after they disabled BBcode. Everyone's whos' works, didn't.So, I assume, that my signature will still not work due to no [img]. Yet, many signatures are working just fine. Very interesting!!!! Wow, I got punked. Literally, the time interval I decided to change my sig (Oct 3) was the time that BBCodes stopped working. |
Oct 5, 2013 2:37 PM
#82
Looks like one of my blogs won't update properly because the contained code triggers some sort of "security issue." I end getting blocked and having to delete my cookies every time I attempt to edit that one particular entry. Already tried deleting portions of the code and copy/pasting the code into a new blog entry, all to no avail. Just thought I'd bring this up. It's not that big of a deal for me. It appears you can't use a slash mark other than within brackets. Disregard this post. |
StyleF1reOct 6, 2013 5:39 AM
Oct 5, 2013 4:10 PM
#83
Oct 5, 2013 4:14 PM
#84
Kyuutoryuu said: IntroverTurtle said: Furykury1 said: It's because you updated your signature after they disabled BBcode. Everyone's whos' works, didn't.So, I assume, that my signature will still not work due to no [img]. Yet, many signatures are working just fine. Very interesting!!!! Wow, I got punked. Literally, the time interval I decided to change my sig (Oct 3) was the time that BBCodes stopped working. The [img] tag stopped long before October the 3rd. |
Oct 5, 2013 6:28 PM
#85
iwansquall said: 1. Have a server to host image 2. User must upload image to server 3. Mods approved the image usage 4. User can see the picture now. Cant be done? I know it gonna take much more time for mods and the cost to store the picture somewhere. True, MAL could just use a CDN like Amazon S3 to host all the images. They'd only be paying for what they actually use to. Pricing is dirt cheap too not to mention MAL would load faster since all the images are coming from Amazon instead of a bunch of 3rd party servers. http://aws.amazon.com/s3/pricing/ |
^)^ DeathfireD ^)^ Anime Alliance P2P Network *OPEN FOR NEW MEMBERS* |
Oct 5, 2013 6:35 PM
#86
Simple blacklisting/whitelisting sites is no good. If you allow big image hosting sites it's still an attack point as they could still host the gore images there. Ofcourse the image hosts may delete the images after they are reported, but that brings delay, uncertainty because of a third party and ofcourse the attacker still can just rotate the hosting sites, upload routes. The most reliable would be community moderation combined with the work of real moderators. Like reporting images themselves which automatically hides it under some warning and a moderator could allow it if it was falsely reported. Also log who reported what and punish if somebody regurarly sends false reports. |
Oct 5, 2013 8:33 PM
#87
I doubt images are still disabled because of gore images. (that is just a simple violation of the TOS, and should be reported when seen). The real issue is the authentication + clueless-user issue. Considering how many accounts were compromised, it's a legitimate concern. I think the best way to deal with the issue is to first check white/black lists (this should be relatively fast). If the url is not in the list, then have the server request the image to verify it exists. White-listed sites, even if the image itself could be questionable, are unlikely to be requesting authorization. It's pretty easy to reproduce the "exploit" with WAMP. Just put a ".htaccess" file in a folder under web root with the following: AuthUserFile c:\wamp\pwds\.htpasswd AuthName "passwords om nom nom" AuthType Basic require valid-user Then create an HTML file and reference a (fake) image inside the above folder. Instant authorization popup. DeathfireD basically posted the answer: DeathfireD said: BurntJelly said: Xinil said: It's a browser issue. Unfortunately they all seem to handle this in the worst possible way. (I have since replicated the issue with wamp on my machine for fun)It's a 'basic access authentication' injection. I think the only thing you can do is have the server request the resources that people try to post for images. If there isn't an image on the other end... well, you decide what the consequences are. (easymode would be just stripping it from the post... or autoban, but that might be too much). Obviously that would put a load on the server. Even this can be bypassed, by detecting the MAL server IP and serving an image to it so the post gets made... unless you proxy... There is no way to deal with this 100% without the browsers doing something about it. There will always be people that don't know any better. Ah I was under the impression that it was XSS, my bad. I'm not familiar with authentication injection but couldn't you just check the image's exif info using exif_imagetype in PHP? If it's an authentication injection than php wont be able to return any exif info since it'll be redirected by the "hackers" sever to a script. Xinil could do something like this when converting to BBcode to html. If the image fails then strip the bbcode out. <?php $bbcodeImage = 'https://www.google.com/images/srpr/logo6w.png'; if (exif_imagetype($bbcodeImage) != IMAGETYPE_PNG){ if (exif_imagetype($bbcodeImage) != IMAGETYPE_JPEG){ if (exif_imagetype($bbcodeImage) != IMAGETYPE_GIF) { echo 'This is not an image'; }else{ echo 'this is a gif'; } }else { echo 'this is a jpeg'; } }else{ echo 'this is a png'; } ?> |
Oct 5, 2013 11:09 PM
#88
Am I putting the img code in wrong? Why are other people's signatures showing up but now mine? Maybe I'm stupid and I know people are saying it's disabled but I see other users on this thread with custom signatures. |
Oct 5, 2013 11:12 PM
#89
Maria_Sama is beautiful Thank you chinil |
Xinil said: Thanks for joining MAL. JOIN MAH CLUB http://myanimelist.net/clubs.php?cid=38595 |
Oct 5, 2013 11:12 PM
#90
Forgetfulness said: RT251 said: Am I putting the img code in wrong? Why are other people's signatures showing up but now mine? Maybe I'm stupid and I know people are saying it's disabled but I see other users on this thread with custom signatures. That is because they stopped working after they were disabled. Any signatures/pictures that were put in before and not changed will still show Okay just making sure |
Oct 5, 2013 11:13 PM
#91
RT251 said: Am I putting the img code in wrong? Why are other people's signatures showing up but now mine? Maybe I'm stupid and I know people are saying it's disabled but I see other users on this thread with custom signatures. They've had their sig before BBCode was disabled. As long as their sig was up before it was disabled, you're still able to see it. Question was already answered on here actually. Edit: someone answered already. 3quick5me. |
Touch me, you filthy casual~ |
Oct 5, 2013 11:14 PM
#92
RT251 said: Anyways your signature is too tall, it needs to be 150px or less.Forgetfulness said: RT251 said: Am I putting the img code in wrong? Why are other people's signatures showing up but now mine? Maybe I'm stupid and I know people are saying it's disabled but I see other users on this thread with custom signatures. That is because they stopped working after they were disabled. Any signatures/pictures that were put in before and not changed will still show Okay just making sure |
Short of the day: Monotonous Purgatory(MAL) ✰Public Domain Club | One Piece Club✰ |
Oct 5, 2013 11:16 PM
#93
IntroverTurtle said: RT251 said: Anyways your signature is too tall, it needs to be 150px or less.Forgetfulness said: RT251 said: Am I putting the img code in wrong? Why are other people's signatures showing up but now mine? Maybe I'm stupid and I know people are saying it's disabled but I see other users on this thread with custom signatures. That is because they stopped working after they were disabled. Any signatures/pictures that were put in before and not changed will still show Okay just making sure I see people on here with signatures the same size... |
Oct 5, 2013 11:24 PM
#94
RT251 said: Then report their signatures and the user will be notified and possibly the signature removed. The limit is 600 x 150 and 300kb, it's in the site's rules.IntroverTurtle said: RT251 said: Anyways your signature is too tall, it needs to be 150px or less.Forgetfulness said: RT251 said: Am I putting the img code in wrong? Why are other people's signatures showing up but now mine? Maybe I'm stupid and I know people are saying it's disabled but I see other users on this thread with custom signatures. That is because they stopped working after they were disabled. Any signatures/pictures that were put in before and not changed will still show Okay just making sure I see people on here with signatures the same size... |
Short of the day: Monotonous Purgatory(MAL) ✰Public Domain Club | One Piece Club✰ |
Oct 6, 2013 1:45 AM
#95
in addition to all the above mentioned things, here's another piece: when [img] code gets uploaded to MAL, generate a checksum code for the image checksum code gets stored in database if two same images are uploaded (even from different servers) they should generate the same checksum code, when mod ban's an image, that image's checksum code gets flagged in the database as a no-go and censored. ...not that I know anything of anything, and am probably reading the question wrong even....hehehe :D |
Oct 6, 2013 10:50 AM
#97
Thanks for all the hard work guys! Looking forward to getting those [img]s back though :x |
My Candies: |
Oct 6, 2013 1:17 PM
#98
Kyuutoryuu said: IntroverTurtle said: Furykury1 said: It's because you updated your signature after they disabled BBcode. Everyone's whos' works, didn't.So, I assume, that my signature will still not work due to no [img]. Yet, many signatures are working just fine. Very interesting!!!! Wow, I got punked. Literally, the time interval I decided to change my sig (Oct 3) was the time that BBCodes stopped working. Yeah, me too. How convenient... |
Oct 6, 2013 1:20 PM
#99
Tennouji_ said: Kyuutoryuu said: IntroverTurtle said: Furykury1 said: It's because you updated your signature after they disabled BBcode. Everyone's whos' works, didn't.So, I assume, that my signature will still not work due to no [img]. Yet, many signatures are working just fine. Very interesting!!!! Wow, I got punked. Literally, the time interval I decided to change my sig (Oct 3) was the time that BBCodes stopped working. Yeah, me too. How convenient... The BBCode for sigs has long been disabled right after the attack happened. They were never enabled on Oct 3, the mods were just giving us an update.(If you guys read the first post.) |
Touch me, you filthy casual~ |
Oct 6, 2013 1:49 PM
#100
Not exactly an expert but wouldnt it help to block out tinyurl and other similar sites that shorten URLs? They could link anywhere and you never know where it is till you click it. |
⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⣸⠋⠀⠀⠀⡄⠀⠀⡔⠀⢀⠀⢸⠀⠀⠀⡘⡰⠁⠘⡀⠀⠀⢠⠀⠀⠀⢸⠀⠀⢸⠀⠀⠀⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠁⠀⣀⠀⠀⡇⠀⡜⠈⠁⠀⢸⡈⢇⠀⠀⢣⠑⠢⢄⣇⠀⠀⠸⠀⠀⠀⢸⠀⠀⢸⠀⠀⠀⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⢰⡟⡀⠀⡇⡜⠀⠀⠀⠀⠘⡇⠈⢆⢰⠁⠀⠀⠀⠘⣆⠀⠀⠀⠀⠀⠸⠀⠀⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⠤⢄⠀⠀⠀⠀⠀⠀⠀⠀⡼⠀⣧⠀⢿⢠⣤⣤⣬⣥⠀⠁⠀⠀⠛⢀⡒⠀⠀⠀⠘⡆⡆⠀⠀⠀⡇⠀⠀⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⢵⡀⠀⠀⠀⠀⠀⡰⠀⢠⠃⠱⣼⡀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠈⠛⠳⠶⠶⠆⡸⢀⡀⣀⢰⠀⠀⢸ ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⣀⣀⣀⠄⠀⠉⠁⠀⠀⢠⠃⢀⠎⠀⠀⣼⠋⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠴⠢⢄⡔⣕⡍⠣⣱⢸⠀⠀⢷⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⡰⠃⢀⠎⠀⠀⡜⡨⢢⡀⠀⠀⠀⠐⣄⠀⠀⣠⠀⠀⠀⠐⢛⠽⠗⠁⠀⠁⠊⠀⡜⠸⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀⠀ ⢀⠔⣁⡴⠃⠀⡠⡪⠊⣠⣾⣟⣷⡦⠤⣀⡈⠁⠉⢀⣀⡠⢔⠊⠁⠀⠀⠀⠀⢀⡤⡗⢀⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ ⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⠀⢀⣠⠴⢑⡨⠊⡀⠤⠚⢉⣴⣾⣿⡿⣾⣿⡇⠀⠹⣻⠛⠉⠉⢀⠠⠺⠀⠀⡀⢄⣴⣾⣧⣞⠀⡜⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠀⠀⠀⠀ ⠀⠀⠀⠀⠀⠀ ⠐⠒⣉⠠⠄⡂⠅⠊⠁⠀⠀⣴⣿⣿⣿⣿⣻⣿⣿⡇⠀⠀⢠⣷⣮⡍⡠⠔⢉⡇⡠⠋⠁⠀⣿⣿⣿⣿⣄⠀⠀⠀⠀ |
More topics from this board
» MAL Bunkasai 2024 ( 1 2 )Kineta - Nov 14 |
88 |
by binbombs05
»»
9 minutes ago |
|
» MAL Secret Santa 2024 ( 1 2 3 )Kineta - Nov 17 |
102 |
by Nemuri-no-Kogoro
»»
1 hour ago |
|
» MAL Game "Fantasy Anime League" Opens for Fall 2024 ( 1 2 3 4 )Kineta - Sep 12 |
155 |
by foreverentwined
»»
Yesterday, 3:48 AM |
|
» MALoween✟Mansion: Kaijuu No. 11 ~Dead Dead Dessert Dededede Destruction~ ( 1 2 3 4 )Kineta - Oct 20 |
199 |
by Lucciphero
»»
Nov 20, 11:13 AM |
|
» [Update Nov 7] Anime List Notes: Easily share thoughts with friends ( 1 2 )Kineta - Sep 26, 2022 |
81 |
by Fadedboar
»»
Nov 15, 1:04 AM |