Oolite Bulletins

Hi
I'm having problems uploading an avatar.
Is there a type of file it has to be? Trying .jpg
Image is 100X72 pix
Tried doing it straight to this site and tried using host URL.
Just get the wee box with X
The image is;


I must be missing something silly no doubt...

A

Alex wrote:

I must be missing something silly no doubt...

AFAIK there was a problem with the BBS that hackers would use the avatar function to store illegal and undesired material, thus it had to be turned off.

Screet

Thanks Screet at least I know I.m only a wee bit silly then.
But what does AFa... as I typed it I got it.
How can someone store stuff in an avatar?
On second thought Na I don't wont to know that.

A

Screet wrote:

AFAIK there was a problem with the BBS that hackers would use the avatar function to store illegal and undesired material, thus it had to be turned off.

Screet

Then how did those people with avatars get them?

We got'em before Ahruman had to lock that bit of the BB down.

AFAIK = As Far As I Know

Wouldn't a sanity-check for file size and type be enough to prevent that kind of abuse? Seems to me that ought to be a standard feature of any BB software. Heck, any code I ever wrote always checked user input for validity before accepting it... and that was 20 years ago...

Diziet Sma wrote:

Wouldn't a sanity-check for file size and type be enough to prevent that kind of abuse? Seems to me that ought to be a standard feature of any BB software. Heck, any code I ever wrote always checked user input for validity before accepting it... and that was 20 years ago...

If security and sanity were a goal, it wouldn’t be written in PHP… but I, for one, have no interest in taking on BB software as yet another side project. :-)

(Actually, come to think of it, the phpBB people blamed the problem on some other piece of software, which may or may not also be running on Giles’s server; I asked, but didn’t get a reply. File size isn’t relevant, since the problem was a small set of scripts.)

how about setting a time when everyone can change they're avatars, then locking them again?

Yodeebe wrote:

how about setting a time when everyone can change they're avatars, then locking them again?

This would be nice.

What about enabling THIS option in the phpBB settings?


Another forum I hang out on which also uses phpBB allows you to link to an avatar stored offsite.. it seems to me this would solve the problem in a way that's of no use to hackers.

Actually it is...

I'm a malicious hacker. I create a JPG or other image that has known exploits, and include the exploit. I host it via Flickr, Photobucket, or Bill & Ted's Excellent Photo Hosting Service. I set this as my Avatar. And I start posting all over the forums....

Unfortunately, that makes a lot of sense.

Also, I discovered that this forum has a set of avatars already uploaded. That's where my current, very nice one comes from. Is it possible that we could submit avatars of a similar style to the admins for approval and have them added to the list?

Nemoricus wrote:

Unfortunately, that makes a lot of sense.

Yes, sadly, I have to agree..

Nemoricus wrote:

Also, I discovered that this forum has a set of avatars already uploaded. That's where my current, very nice one comes from. Is it possible that we could submit avatars of a similar style to the admins for approval and have them added to the list?

This would work for me...

Alex wrote:

How can someone store stuff in an avatar?

<tech>
When a programmer fails to write the required checks :>, a bunch of malicious data can be used to overvride (almost)wildly a memory area succeeding in getting some evil code executed, it's a bit of wizardry that
requires to know low level computer programming.

BTW, Apple iPhones an iPod Touch where jailbroken this way...
</tech>

Sniff, I miss Eastern Gianozia People Republic Ltd. crest ); ...