Oct 6, 2013 8:05 PM

Offline
Joined: Aug 2013
Posts: 54
I don't know what language this site runs on (I'm relatively new), but if it's PHP I can share a small something that I do with my site to protect from malicious links.

First, since BBCode is implemented in regex, I check the link the user sends over to make sure it isn't a PHP or ASP/ASPX link (because these scripts could throw images on the page and pass an imagetype check). Then, I use the PHP code:

@exif_imagetype($Img_LinkURL)

To return a value which could be one of the following

IMAGETYPE_GIF
IMAGETYPE_PNG
IMAGETYPE_JPEG
IMAGETYPE_BMP

Since the exif_imagetype looks for header information and not the whole image, it's actually much faster compared to alternatives.

That's just some info on how I would start off, but I'm sure you guys have looked at that somewhat.
Modified by nox7, Oct 6, 2013 8:10 PM
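The two steps of the post above (reject script extensions, then let exif_imagetype() sniff the leading bytes), as an added example written in Python rather than the poster's PHP; it is not MAL's code. It shows what the signature check does and does not see: it inspects only the first bytes of whatever the URL returned, so bytes emitted by a script and bytes read from a static file look identical to it. The URLs and byte strings are constructed.

```python
# Script extensions the post filters out before sniffing.
SCRIPT_EXTENSIONS = (".php", ".asp", ".aspx")

# Magic numbers for the four formats listed in the post. exif_imagetype()
# works the same way: it reads the first few bytes, not the whole image.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "bmp": (b"BM",),
}


def image_type(head: bytes):
    """Return 'gif', 'png', 'jpeg' or 'bmp' from the leading bytes, else None.

    At most the first 8 bytes are consulted, which is why this is cheap
    compared with decoding the image.
    """
    for name, magics in SIGNATURES.items():
        if any(head.startswith(magic) for magic in magics):
            return name
    return None


def has_script_extension(url: str) -> bool:
    """Step one of the post: does the URL path end in a script extension?"""
    path = url.split("#", 1)[0].split("?", 1)[0]
    return path.lower().endswith(SCRIPT_EXTENSIONS)


def passes_check(url: str, head: bytes) -> bool:
    """Both steps together: extension filter, then signature sniff."""
    if has_script_extension(url):
        return False
    return image_type(head) is not None


# Constructed sample inputs (header bytes only, not real files).
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
GIF_HEAD = b"GIF89a\x01\x00\x01\x00"
HTML_HEAD = b"<!DOCTYPE html><html>"

if __name__ == "__main__":
    # A script answering at rewritten.png (for example via an .htaccess
    # rewrite) can emit PNG_HEAD too; the sniff cannot tell the two apart.
    print(passes_check("http://img.example/static.png", PNG_HEAD))     # True
    print(passes_check("http://img.example/rewritten.png", PNG_HEAD))  # True
    print(passes_check("http://img.example/sig.php?u=1", PNG_HEAD))    # False
    print(passes_check("http://img.example/page.png", HTML_HEAD))      # False
```

The extension filter only sees the URL as written, and the sniff only sees the first response, which is the limitation the later posts in this thread pick up on.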
 
Oct 6, 2013 8:18 PM

Offline
Joined: Jun 2007
Posts: 2657
StefanBashkir said:
I don't know what language this site runs on (I'm relatively new), but if it's PHP I can share a small something that I do with my site to protect from malicious links.

First, since BBCode is implemented in regex, I check the link the user sends over to make sure it isn't a PHP or ASP/ASPX link (because these scripts could throw images on the page and pass an imagetype check). Then, I use the PHP code:

@exif_imagetype($Img_LinkURL)

To return a value which could be one of the following

IMAGETYPE_GIF
IMAGETYPE_PNG
IMAGETYPE_JPEG
IMAGETYPE_BMP

Since the exif_imagetype looks for header information and not the whole image, it's actually much faster compared to alternatives.

That's just some info on how I would start off, but I'm sure you guys have looked at that somewhat.


Already suggested http://myanimelist.net/forum/?topicid=671199&show=40#msg25508301 Xinil hasn't responded but I think it's a solid fix.
 
Oct 7, 2013 2:53 AM

Offline
Joined: Apr 2012
Posts: 182
DeathfireD said:
Already suggested http://myanimelist.net/forum/?topicid=671199&show=40#msg25508301 Xinil hasn't responded but I think it's a solid fix.


But in PHP you can set up the header as an image and run code instead, so I think the parser has to check for "http://" or "https://" at the beginning of the URL, check for a single URL, check the header, check the extension of the linked image (to protect against some other script being loaded instead of an image), and check whether the URL is blacklisted. At least this is what IMG BBCodes in IPBoard/SMF/phpBB forums do.
 
Oct 7, 2013 3:08 AM
Offline
Joined: Oct 2013
Posts: 6
Sorry to be blunt, but none of this makes sense.

Allow me to ease your concerns and perhaps quash the wild speculations going on. Look at reddit's /r/pics. They have a gazillion users posting a barillion images every day. They don't check the extension, they don't check the image's content, they don't check nothing. If any of that could be exploited, it would be.

I subscribed to this thread to see if Xinil would update it, but all the nonsensical replies are giving me brain cancer.
 
Oct 7, 2013 4:16 AM

Offline
Joined: May 2012
Posts: 327
Forgetfulness said:
I don't know shit about how this website works, but are you guys saying that...you have the solution for sure, but it just needs to be put in?
Or is it just a potential solution?


Basically this has nothing to do with Xinil; the person responsible for fixing it is Crave. We should go spam their Facebook page to show them how serious we are...

ohh never mind, we hate talking to people and 80% of us do not have Facebooks

support@craveonline.com
info@craveonline.com
Modified by planetarian, Oct 7, 2013 4:24 AM
 
Oct 7, 2013 5:59 AM

Offline
Joined: Aug 2013
Posts: 54
al_exs said:
But in PHP you can set up the header as an image and run code instead, so I think the parser has to check for "http://" or "https://" at the beginning of the URL, check for a single URL, check the header, check the extension of the linked image (to protect against some other script being loaded instead of an image), and check whether the URL is blacklisted. At least this is what IMG BBCodes in IPBoard/SMF/phpBB forums do.


Yeah, true, which is why I went ahead and additionally suggested to check script extensions. I had an issue where people would link PHP images and they'd pass the IMAGETYPE check. That was fun.
Modified by nox7, Oct 7, 2013 6:14 AM
 
Oct 7, 2013 6:15 AM

Offline
Joined: Nov 2012
Posts: 718
I know on Crunchyroll you can directly upload the image from your PC. I have no idea how much this would help in the long run. It might be somewhat helpful though.
 
Oct 7, 2013 9:11 AM

Offline
Joined: Jun 2007
Posts: 2657
StefanBashkir said:
Yeah, true, which is why I went ahead and additionally suggested to check script extensions. I had an issue where people would link PHP images and they'd pass the IMAGETYPE check. That was fun.


I'd just remove support for anything other than JPG (JPEG), PNG, and GIF. Screw all the people using images generated by PHP scripts. Force them to cache the generated image as an actual image and use that in their sig instead. I actually think Xinil does this already though (I could be wrong).

exif_imagetype reads the first bytes of an image and checks its signature. This is more than enough to combat the "remote authentication" issue Xinil has mentioned above. No one is loading an external script. It's just an .htaccess file in the root folder of where the image is located. It causes a login popup to show on this site and people get confused and type in their MAL login info which then shows up in the "hackers" webserver log file. At least that's my understanding of the situation. It's not really a vulnerability but more of people just being stupid.
 
Oct 7, 2013 2:41 PM

Offline
Joined: Jul 2012
Posts: 47020
Yeah, whitelisting is probably the best. You could only make signature sites (i906.com.my etc), adoptable sites (squiby, gpx+ etc) and image hosting sites (imgur, tinypic, photobuck etc) in general whitelisted. Idk what else.

☆☆☆☆☆☆☆☆☆☆☆☆☆


watch nodame cantabile

recommend me anything!
 
Oct 7, 2013 3:13 PM

Offline
Joined: Aug 2013
Posts: 54
DeathfireD said:
exif_imagetype reads the first bytes of an image and checks its signature. This is more than enough to combat the "remote authentication" issue Xinil has mentioned above. No one is loading an external script. It's just an .htaccess file in the root folder of where the image is located. It causes a login popup to show on this site and people get confused and type in their MAL login info which then shows up in the "hackers" webserver log file. At least that's my understanding of the situation. It's not really a vulnerability but more of people just being stupid.


exif_imagetype alone is not enough. Personal experience with that. This is because a .php file can post an image to the header which exif would read; thus causing a pseudo-false positive.
 
Oct 7, 2013 4:23 PM

Offline
Joined: Jul 2013
Posts: 18279
An update, finally.

Hope to see all bbcode back soon.
 
Oct 7, 2013 4:29 PM

Offline
Joined: Jun 2007
Posts: 2657
StefanBashkir said:
exif_imagetype alone is not enough. Personal experience with that. This is because a .php file can post an image to the header which exif would read; thus causing a pseudo-false positive.


Did you read anything I said lol?
 
Oct 7, 2013 6:35 PM

Offline
Joined: Aug 2013
Posts: 54
DeathfireD said:
Did you read anything I said lol?


Oh that's why people type words.... :P
 
Oct 8, 2013 12:53 PM
Site Administrator
Overlord

Offline
Joined: Nov 2004
Posts: 5729
DeathfireD said:
Already suggested http://myanimelist.net/forum/?topicid=671199&show=40#msg25508301 Xinil hasn't responded but I think it's a solid fix.


This only works on the original post (when we check authenticity of the data submitted). The offending user is able to manipulate what content is returned after we've 'approved' the image. For example, if I post , I can then modify .htaccess and instruct .php to render all .png file types, and then proceed to do whatever I want now.

@JoshyPHP: Reddit scrapes all images/pages posts and hosts the thumbnail on their own server. Can you imagine how much stuff MAL would have to host if we pulled every image every user posts on a forum/club/profile/comment? It's not practical by any means. In reddit's comments, they allow 'links' to images (or if you're using RES, you can have it dynamically pulled.)
 
Oct 8, 2013 4:05 PM

Offline
Joined: Jun 2007
Posts: 2657
Xinil said:
This only works on the original post (when we check authenticity of the data submitted). The offending user is able to manipulate what content is returned after we've 'approved' the image. For example, if I post , I can then modify .htaccess and instruct .php to render all .png file types, and then proceed to do whatever I want now.

@JoshyPHP: Reddit scrapes all images/pages posts and hosts the thumbnail on their own server. Can you imagine how much stuff MAL would have to host if we pulled every image every user posts on a forum/club/profile/comment? It's not practical by any means. In reddit's comments, they allow 'links' to images (or if you're using RES, you can have it dynamically pulled.)


Ah, good point. I suppose you could check the images on page load, but you'd have to cache the returned result so the check only happens every few seconds/minutes (whatever you want). That way, if 300 people are all loading the same forum thread or profile at the same time, there won't be 300 requests to check if the image is real or not; there would only be one. Then, after however many seconds/minutes you specify, the check would happen again when someone views the content. If a bad image is found, then strip that tag out of the post/profile (or just don't load that particular post and notify a mod to check it in an admin panel).

The downside is that with a site as big as MAL it's gonna cause some issues with load times, depending on how long you allow between each check and how many images are on a page. You'd probably also run into asshats who purposely load posts up with hundreds of images because they know that you're checking images.

Your best bet is probably to limit the ability to use IMG BBCode to only people who have been registered on MAL for XX many months, have XX forum posts, and have seen XX anime/manga. That way you can get a good idea of who's an actual user and who's just trying to mess with the site.
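Xinil's point (a check done when the post is submitted is defeated by changing what the host serves afterwards) and DeathfireD's answer to it (re-check when the content is viewed, caching the verdict for a few seconds or minutes) as an added Python simulation. This is not MAL's code; the remote host, the URL and the TTL are constructed. The attacker's move is the one the thread describes: the host starts answering the image URL with an HTTP 401 Basic-auth challenge, which the viewer's browser shows as a login dialog.

```python
import time

# Constructed stand-in for the poster's own web server: URL -> (HTTP status,
# Content-Type, body). The poster controls it and can change what it serves
# at any time after MAL has "approved" the link.
REMOTE = {
    "http://pics.example/sig.png": (
        200, "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
}


def fetch(url: str):
    """Pretend HTTP GET: returns whatever the remote host serves right now."""
    return REMOTE[url]


def attacker_enables_auth_prompt(url: str) -> None:
    """Simulates the .htaccess trick from the thread: the same URL now answers
    401 with a Basic-auth challenge, which the browser turns into a login
    dialog on top of the MAL page."""
    REMOTE[url] = (401, "text/html", b"Authorization Required")


def serves_image(url: str) -> bool:
    """The post-time style check: 200, image/* and a known magic number."""
    status, content_type, body = fetch(url)
    return (status == 200
            and content_type.startswith("image/")
            and body.startswith((b"\x89PNG", b"GIF8", b"\xff\xd8\xff", b"BM")))


class ImageGate:
    """Re-validates an image when a page is rendered, caching the verdict for
    ttl_seconds so that 300 viewers of one thread cause one fetch, not 300."""

    def __init__(self, ttl_seconds: float, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so tests can move time
        self.verdicts = {}          # url -> (ok, checked_at)

    def allowed(self, url: str) -> bool:
        now = self.clock()
        hit = self.verdicts.get(url)
        if hit is not None and now - hit[1] < self.ttl:
            return hit[0]           # cached verdict, possibly stale
        ok = serves_image(url)
        self.verdicts[url] = (ok, now)
        return ok


def render_images(gate: ImageGate, urls):
    """Keep only the [img] targets that still pass; the rest are stripped."""
    return [u for u in urls if gate.allowed(u)]


if __name__ == "__main__":
    clock = [0.0]
    gate = ImageGate(ttl_seconds=60, clock=lambda: clock[0])
    url = "http://pics.example/sig.png"
    print("at post time:", gate.allowed(url))            # True
    attacker_enables_auth_prompt(url)
    print("within the TTL:", gate.allowed(url))          # True (stale)
    clock[0] = 61.0
    print("after the TTL:", render_images(gate, [url]))  # []
```

The window between the host changing and the next re-check is exactly the TTL, so the choice DeathfireD describes is a trade between load on MAL's side and how long a swapped image stays visible.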
 
Oct 8, 2013 6:48 PM
Offline
Joined: Oct 2013
Posts: 6
@Xinil: I was talking about images themselves, their content. Half of the posts in this thread are about checking the content of linked images, which is pointless and even exploitable. The thing with HTTP auth was only mentioned later in the thread.

JoshyPHP said:
if your concern is that malicious users could use img BBCodes to load arbitrary resources in a user's cache, then there's no way but using a whitelist of trusted hosts, such as imgur.com.

That's pretty much it. Unfortunately, I'm not aware of any way to prevent those prompts.
 
Oct 9, 2013 9:37 AM
Offline
Joined: Feb 2007
Posts: 915
I wish I read this before I updated my signature. ;_; Still, thanks for the hard work Xinil and co. Wish you can fix everything back to normal. ^^
 
Oct 9, 2013 11:55 AM

Offline
Joined: Dec 2012
Posts: 525
Here's to hoping that the img code is available again sometime soon.
 
Oct 9, 2013 4:44 PM

Offline
Joined: Oct 2009
Posts: 7010
I'd vouch for whitelisting.
 
Oct 9, 2013 8:56 PM

Offline
Joined: May 2012
Posts: 3821
Thanks for the hard work! Hope the tags will be enabled again.
Badges: C.C.O / T.C.O / TFCC admin ID | Previously known as kazumi-san95
 
Oct 9, 2013 9:19 PM

Offline
Joined: Jan 2011
Posts: 2861
azzuRe said:
I'd vouch for whitelisting.

This. Because at this rate we'll never get [img] back. Please just go with the whitelist/blacklist thing, since the chances of people getting different ideas to the Craveonline staff and them using the ideas are zero.
Modified by VioLink, Oct 11, 2013 9:55 AM
 
Oct 11, 2013 3:27 AM

Offline
Joined: Dec 2009
Posts: 114
Xinil said:
There are still issues we're trying to solve for [ img ], and if you're knowledgeable in the web space, please let us know any ideas you have on how to prevent [ img ] tags from loading malicious content from other sites. Our current best idea is a blacklist or whitelist of domains.


I'm not that knowledgeable on the practical implementations, but I know some theory. And I also know it's always easier said than done. But I'll try my 2cents:

-First, you have to check the URL to see if it looks like an image. For example, these fail immediately:
mailto:file.jpg
telnet://file.jpg
http://domain/file.exe
You have to make sure it ends with .jpg, .bmp, .png, .gif etc., does not start with funny stuff, and does not contain funny characters like *, >, < etc.

-Second, you have to make sure that the image file is really an image file and not something else, by checking the MIME type or using PHP functions like getimagesize(); in case of error you know it's not a valid image.

You may want to see this:
http://security.stackexchange.com/questions/26690/use-php-to-check-uploaded-image-file-for-malware

I know that one problem is that you are not uploading a picture, so it gets more difficult. You would have to make a script to check every time a user makes or edits a post with BBCode.

I really can't be of much help.
Wanna join these clubs and have a nice talk: We Hate Censorship and Luna & Survive Fan Club
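The URL checks in the post above, combined with the domain whitelist that mayukachan, JoshyPHP and azzuRe favour earlier in the thread, as an added Python example. It is not MAL's parser, and the whitelist contents are assumed. The caveat worth keeping from it: match the parsed hostname, not a substring of the URL, since http://imgur.com@evil.example/a.png contains "imgur.com" but points at evil.example.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
# Assumed whitelist; the thread names imgur, tinypic and photobucket as
# candidate hosts. Subdomains of a listed host are accepted.
ALLOWED_HOSTS = {"imgur.com", "i.imgur.com", "tinypic.com", "photobucket.com"}
# "Funny characters": anything that would break out of <img src="...">.
FORBIDDEN = re.compile(r"""[\s<>"'*`]""")


def validate_img_url(url: str, allowed_hosts=ALLOWED_HOSTS):
    """Return (True, 'ok') or (False, reason) for a candidate [img] URL."""
    if FORBIDDEN.search(url):
        return False, "forbidden character"
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme"
    # A second "://" after the authority means more than one URL was smuggled in.
    if "://" in parts.path + parts.query + parts.fragment:
        return False, "multiple urls"
    # urlsplit() files 'imgur.com' under username for 'http://imgur.com@evil.example/',
    # so the whitelist must be applied to .hostname and userinfo rejected outright.
    if parts.username or parts.password:
        return False, "credentials in url"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host"
    if host not in allowed_hosts and not any(
            host.endswith("." + h) for h in allowed_hosts):
        return False, "host not whitelisted"
    if not parts.path.lower().endswith(IMAGE_EXTENSIONS):
        return False, "extension"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs, including the three rejects from the post above.
    for candidate in (
        "http://i.imgur.com/abc123.png",
        "mailto:file.jpg",
        "telnet://file.jpg",
        "http://i.imgur.com/file.exe",
        "http://imgur.com@evil.example/a.png",
        "http://imgur.com.evil.example/a.png",
        "http://i.imgur.com/a.png?next=http://evil.example/",
    ):
        print(candidate, "->", validate_img_url(candidate))
```

The host check happens before the extension check, so a non-whitelisted host is rejected for that reason regardless of what the path ends in; reorder the checks if the reason string matters to the caller.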
 
Oct 11, 2013 6:54 AM

Offline
Joined: Dec 2009
Posts: 114
Oops, I read this whole thing again, and I guess the solutions posted wouldn't prevent anything if the hacker changed the image file after it has been checked.

As someone said, it's a browser issue! The <img src=...> should only show images and not run anything else... There isn't anything that could be done that wouldn't be too time consuming (server would have to check each image for each page before replying to each client)...

oh well...

Like Xinil said, I think the only way would be to whitelist a few domains, the ones that only host images and nothing else (because here the check can be done once upon upload/re-upload of each image).

But that would also be a pain, because 95% of the time the images won't be hosted there... I also miss the [ img ] so much T_T
 
Oct 11, 2013 11:13 AM
Offline
Joined: Jan 2011
Posts: 3
make it so it does not log me off every 5 sec!!!
 
Oct 11, 2013 8:51 PM

Offline
Joined: Jul 2012
Posts: 575
Woot! Links and color. :3
I hope the image BBC issue is fixed soon though! xD
 
Oct 11, 2013 9:19 PM

Offline
Joined: Aug 2007
Posts: 4525
I assume this is just for the forum.

All I care about.
 
Oct 11, 2013 9:21 PM

Offline
Joined: Dec 2011
Posts: 122
Why is it that a few members have their signatures with img tags intact?

何も期待するな//list//twitter//osu//
 
Oct 11, 2013 9:33 PM

Offline
Joined: Nov 2010
Posts: 26478
ZenithKun said:
Why is it that a few members have their signatures with img tags intact?
Because they didn't mess with the code after it was disabled. All pics all over the site that have been there since before the disable, still work. It's when you update your code after it's been disabled that it won't work.
 
Oct 12, 2013 3:48 AM
Offline
Joined: Nov 2012
Posts: 1
So you have trouble with the img tag? Well, I'm a PHP programmer. MAL uses PHP, right?
You could use Imagick to check if the image is a valid one; if it is, then the script posts it. If it is not, then MAL throws an error.
Hope this helps :3
 
Oct 12, 2013 5:36 AM
Offline
Joined: Oct 2013
Posts: 6
Dr_Rul: do you have any example of exploits that this would prevent?
 
Oct 12, 2013 7:48 AM

Offline
Joined: Aug 2012
Posts: 10039
I bet you, MAL staff won't read that, but: Adding a white list and black list is NOT going to work.

Why?

Well, adding a white list would cause many images to not load just because... they are not on the white list.

And adding a blacklist is totally useless. The bad person can upload the gore images to other websites. As an example, if you are using Lightshot, you can simply press PRINTSCREEN, select the area you want to save, and the program automatically uploads the area you selected to the PRNTSCR website (a very famous website for printscreens). Doing so would bypass the blacklist system.

Is there a solution? I don't think so.
 
Oct 12, 2013 1:09 PM

Offline
Joined: Jul 2012
Posts: 47020
Why not have a um...Approval system? Let mods (or three random users) approve of an image before it is published in a signature.

 
Oct 12, 2013 1:11 PM

Offline
Joined: Nov 2010
Posts: 26478
mayukachan said:
Why not have a um...Approval system? Let mods (or three random users) approve of an image before it is published in a signature.
What is this about?
 
Oct 12, 2013 1:15 PM

Offline
Joined: Jul 2012
Posts: 47020
IntroverTurtle said:
What is this about?

What do you mean? It's exactly as it says.

 
Oct 12, 2013 1:17 PM

Offline
Joined: Mar 2013
Posts: 5834
mayukachan said:
What do you mean? It's exactly as it says.

Let me ask more specifically. What do you mean by "three random users"? That would never work out, nor would anyone take action in the first place.
I guess having the moderators approve the images would be an option, but looking at everyone who would want their signatures updated, that would just take too much time.
Not to mention that enabling such a thing, or even inputting it in the first place, would take time away.

The quickest and most efficient way I see is to wait a bit until the BBCodes are fully enabled everywhere again.
 
Oct 12, 2013 1:22 PM

Offline
Joined: Nov 2010
Posts: 26478
mayukachan said:
What do you mean? It's exactly as it says.
Are you wanting sigs back, so you're thinking of asking mods or users to approve them first? First of all, that is work for a problem that will eventually be resolved; signatures aren't even that important. And two, there is probably a way to exploit that to do something bad. If I go to Photobucket and delete one of the pics from my sig, then upload a new one with the same name, I can show a pic that wasn't approved on here. Idk exactly how someone can do something with code or whatever, but that could be a way to exploit it.
 
Oct 12, 2013 1:27 PM

Offline
Joined: Jul 2012
Posts: 47020
IntroverTurtle said:
Are you wanting sigs back, so you're thinking of asking mods or users to approve them first? First of all, that is work for a problem that will eventually be resolved; signatures aren't even that important. And two, there is probably a way to exploit that to do something bad. If I go to Photobucket and delete one of the pics from my sig, then upload a new one with the same name, I can show a pic that wasn't approved on here. Idk exactly how someone can do something with code or whatever, but that could be a way to exploit it.

Yeah, there's a way around everything. I know. :/ But even if a Blacklist is implemented, there's a way around that too.

SubPyroFlow said:
Let me ask more specifically. What do you mean by "three random users"? That would never work out, nor would anyone take action in the first place.
I guess having the Moderators approve the images would be an option, but looking at everyone who would want their signatures updated, that would just take too much time.
Not to mention that enabling such a thing, or even inputting it in the first place would take time away.

The quickest and most efficient way I see is to wait a bit until the BBCodes are fully enabled everywhere again.

Three random users = I guess it could be displayed in the Panel page and be unique for every user. When BBCodes are back to normal and enabled for everyone and everywhere, the same problem will occur again. I think it's best to go from a different approach.

 
Oct 13, 2013 8:27 PM

Offline
Joined: Feb 2013
Posts: 6008
Xinil said:
This only works on the original post (when we check authenticity of the data submitted). The offending user is able to manipulate what content is returned after we've 'approved' the image. For example, if I post , I can then modify .htaccess and instruct .php to render all .png file types, and then proceed to do whatever I want now.
Yes, that's correct. But that is the only viable option I can see to avoid the less desirable white-list-only option (you should still implement this so we can at least have some images back).

To get around things, someone would have to be serving images from thousands of servers that they have control of (or maybe through proxies to one server? hmmm). Otherwise MAL staff can just blacklist any site being used for exploits. The damage would be kept minimal, and in the event of an active attack, you can always revert to white-list only temporarily.

For the time being, I hope you can at least implement a white-list/black-list for image hosts. The gray area for other images is a much bigger issue, and can wait a bit longer.
 
Oct 14, 2013 7:20 PM

Offline
Joined: Mar 2013
Posts: 18
What's up with the full-size advertisement blocking the top half of the screen?
 
Oct 14, 2013 8:07 PM

Offline
Joined: Sep 2013
Posts: 301
I know this is unrelated to the thread, but THE HUGELY BIG ADVERTISEMENT ON THE TOP is hindering me from making a thread or post about it; I can't even adjust my profile and stuff.
 
Oct 14, 2013 8:09 PM

Offline
Joined: Sep 2012
Posts: 4220
You have got to be kidding me...

https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb?hl=en-US

There, that will solve your problems.
 
Oct 14, 2013 8:10 PM

Offline
Joined: Apr 2013
Posts: 14519
GKage said:
What's up with the full size advertisement blocking the top half to the screen?

what is adblock
yuh yuh yuh

 
Oct 14, 2013 8:10 PM
Offline
Joined: May 2012
Posts: 7021
Br4nd0nHeat said:
I know this's unrelated to the thread but, THE HUGELY BIG ADVERTISEMENT ON THE TOP is hindering me from making a thread or post about it, I can't even adjust my profile and stuff.
^ I've noticed too. Just Adblock it.
 
Oct 14, 2013 8:23 PM

Offline
Joined: Sep 2012
Posts: 671
GKage said:
What's up with the full size advertisement blocking the top half to the screen?

Yeah. I noticed it when I logged in from my computer. (I use laptop)
 
Oct 14, 2013 8:45 PM

Offline
Joined: Dec 2012
Posts: 1925
Hi. Why the [img] code is disabled ?

 
Oct 14, 2013 11:19 PM

Offline
Joined: Sep 2013
Posts: 228
-GiaN- said:
Hi. Why the [img] code is disabled ?

I am fairly new to this forum, but to keep it short, because of a hacker I presume.

btw, m'glad that my adblock is always on.
Newbie Blogger: http://animetaru.wordpress.com/

You know it's funny how freedom can make us feel contained
Yeah When the muscles in our legs aren't used to all the walking...
 
Oct 15, 2013 3:02 AM

Offline
Joined: Sep 2013
Posts: 301
Hata-tan said:
You have got to be kidding me...

https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb?hl=en-US

There, that will solve your problems.


Thank you very much, I'm really bad at stuff like this. orz...
 
Oct 15, 2013 4:44 AM

Offline
Joined: Sep 2013
Posts: 21
Awesome, any updates as to when [IMG] will be back up and running? Because from what I know, people that changed their signatures from the day it was deactivated have lost it, and it becomes a pure bunch of sentences.

Hopefully we get it back soon?! :D
 
Oct 15, 2013 8:26 AM

Offline
Joined: Oct 2009
Posts: 7010
lupadim said:
I bet you, MAL staff won't read that, but: Adding a white list and black list is NOT going to work.

Why?

Well, adding a white list would cause many images to not load just because... they are not on the white list.


It's not too much effort to re-host the image on a white-listed host. After all, most image hosts can upload via URL; you only have to give it the link.

IntroverTurtle said:
If I go to photobucket and delete one of the pics from my sig, upload a new one with the same name, then I can show a pic that wasn't approved on here. Idk exactly how someone can do something with code or whatever but that could be a way to exploit it.


Not really. Photobucket generates a random hash and appends it to the end of the uploaded file name, and you can't rename your file once it is hosted. That is why I think it is safer using these sites. Of course someone can upload a malicious image there, but then you will be able to coordinate with its host to ban the user, delete the image, etc.

The downside of this is that most popular image hosts put a bandwidth limit on their users. With the number of page views on the MAL forum, you would probably exceed it easily, thus making your image useless.
(One of the reasons I deleted my sig ..)

About the auto-changing signature, it's probably using a PHP script to rotate between images every time it is queried by the browser.
Modified by azzuRe, Oct 15, 2013 8:36 AM
 
Oct 16, 2013 12:17 AM

Offline
Joined: Sep 2012
Posts: 1336
Why not, instead of wasting your time on a white/blacklist for sites,
simply make it so you need a certain post count/account age to be able to post images?
Or a combination of both?
All these tossers making dummy accounts to post gore shit won't be able to if you need, for example, a 3-month-old account to be able to post images, or an account with X amount of posts.
That way, even if someone attempts to go to all that effort, instead of losing 30 seconds of time making a new account, it will take months.
 