Topic: Image validation on avatar uploads?

Hi,

Does PunBB perform validation on uploaded avatars?

The reason I ask is because I had a YaBB board back in the day where someone forged an image's mime type and was able to execute a php script similar to phpshell. This is also the only user-accessible place on my site that allows for uploads.

I'm sure this has already been addressed, but I would feel better knowing the answer.

Thanks in advance,
Kyle

Re: Image validation on avatar uploads?

You can see for yourself, the code is in profile.php. The answer is yes.
The only attack that is similar to that was a null byte vulnerability (an attacker with admin privileges could change the avatar path to a filename ending in .php%00 and upload an image with PHP embedded in it that could then be executed), but forging the mime type has no effect.
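For readers who want to see what "validation" means in practice, here is an added example of the kind of server-side check the answer above is describing. It is illustrative code written for this thread, not PunBB's own profile.php; the field name `avatar`, the size and dimension limits, the directory layout and the function names are all assumptions. The point it makes is the one from the thread: the client-supplied MIME type and filename are never trusted, the image bytes themselves are parsed, and the stored filename (and therefore its extension) is chosen entirely by the server.

```php
<?php
// Added example: server-side avatar validation that ignores the client-supplied
// MIME type and filename. Hypothetical helper, not PunBB's profile.php.

const AVATAR_MAX_BYTES  = 10240;   // assumed limits; a real board makes these configurable
const AVATAR_MAX_WIDTH  = 60;
const AVATAR_MAX_HEIGHT = 60;

// Image types PHP can detect from the file contents, mapped to the extension
// the server will store the file under. Anything else is rejected.
const AVATAR_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Validate one entry of $_FILES and return the extension to store it under.
 * Throws on any problem; the caller decides how to report it to the user.
 */
function validate_avatar(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent');
    }
    // Only touch files PHP itself placed in the temp dir, never an arbitrary path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Check the real size on disk, not just the size the request claimed.
    if ($file['size'] > AVATAR_MAX_BYTES || filesize($file['tmp_name']) > AVATAR_MAX_BYTES) {
        throw new RuntimeException('Avatar too large');
    }
    // The original filename is untrusted. It is never used to build the stored
    // path, but reject NUL bytes and directory separators outright anyway.
    if (preg_match('/[\x00\/\\\\]/', $file['name'])) {
        throw new RuntimeException('Invalid filename');
    }
    // getimagesize() parses the actual bytes. $file['type'] is whatever the
    // browser (or attacker) sent, so it is deliberately not consulted.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(AVATAR_TYPES[$info[2]])) {
        throw new RuntimeException('Not a supported image');
    }
    if ($info[0] > AVATAR_MAX_WIDTH || $info[1] > AVATAR_MAX_HEIGHT) {
        throw new RuntimeException('Avatar dimensions too large');
    }
    return AVATAR_TYPES[$info[2]];
}

/**
 * Store a validated avatar as <user id>.<ext> in a fixed directory.
 * $avatar_dir is assumed to be configured so the web server never executes
 * scripts from it; the extension comes from validate_avatar(), not the client.
 */
function store_avatar(array $file, int $user_id, string $avatar_dir): string
{
    $ext = validate_avatar($file);
    // Drop any previous avatar for this user, whatever format it was in.
    foreach (AVATAR_TYPES as $old_ext) {
        @unlink($avatar_dir . '/' . $user_id . '.' . $old_ext);
    }
    $dest = $avatar_dir . '/' . $user_id . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not save avatar');
    }
    chmod($dest, 0644);
    return $dest;
}

// Usage inside the profile form handler (field name and path are assumed):
// $path = store_avatar($_FILES['avatar'], $user_id, __DIR__ . '/img/avatars');
```

Two design points worth noting. First, passing `getimagesize()` does not prove a file is harmless: a perfectly valid GIF or JPEG can carry PHP in a comment block, which is why the stored name is built only from an integer user id and a whitelisted extension, and why the avatar directory should be one the web server will not execute scripts from. Second, this is also what closes off the null-byte issue mentioned above: the path is never assembled from an admin- or user-editable string, so there is no place for a `.php%00` suffix to end up.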

Re: Image validation on avatar uploads?

Thanks for the quick answer. You guys are great.