1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 8:30 am May 2, 2026

Forum Moderators: coopster

Message Too Old, No Replies

Avatar Script Insertion Vulnerability (Security)

         

dcabbar

4:54 am on Mar 27, 2007 (gmt 0)

10+ Year Member



Hi All,

Looking at [secunia.com...] , it seems possible to embed javascript in images in a special way.

So, if a user provides an avatar or an image url like this pointing to an external site, they will be able to hack accounts.

Do you know how this can be avoided? And/or, how sites like vbulletin/phpbb/smf type of applications protect users from this?

Thanks.

jatar_k

3:09 pm on Mar 27, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>> Do you know how this can be avoided?

don't allow avatars

whoisgregg

7:38 pm on Mar 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It should also be possible to avoid the problem by rebuilding uploaded avatars via processing through the image functions [php.net]. Don't trust that an uploaded file is what they say it is.

For example, if they upload a .gif file (rather than just moving the uploaded gif to your public web folder) you would use imagecreatefromgif [php.net] then imagegif [php.net] to create the file that you end up putting in your public web folder.

 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 8:30 am May 2, 2026