1
Bananadude
a security question
  • 2005/12/16 21:12

  • Bananadude

  • Not too shy to talk

  • Posts: 155

  • Since: 2005/9/16


It's possible to make malicious code, rename the file to a picture extension, upload it to a server and execute the code if the system isn't safe enough.
But if you deactivate the uploading feature you will be safe from that type of attack... or will you?
I'm just wondering if an attacker uploads the malicious code to another server, or a free image host for instance, and then goes to your site, registers, includes this "picture" in his/her signature and makes some posts in the forum or any other module where the signature will be included...
If you also have cache enabled for the module where the posts with his/her malicious file in the signature were included, is it possible that the server may be at risk in this way then? Just asking, since the cache folder has to be chmodded 777 and the content is maybe saved in the cache folder on the server.
Can s/he execute the code if it's done in this way?

Best Regards,
Bananadude
--- censored by Bananadude ---

2
Will_H
Re: a security question
  • 2005/12/16 22:08

  • Will_H

  • Friend of XOOPS

  • Posts: 1786

  • Since: 2004/10/10


Even if they did execute, the only remnants on your server are a ghost, a cc. The free host would be the victim, or at least that's what I have come to understand. I think that this is a decent question as far as security goes. So consider this a long-winded bump.

3
Bananadude
Re: a security question
  • 2005/12/16 22:13

  • Bananadude

  • Not too shy to talk

  • Posts: 155

  • Since: 2005/9/16


But what if the attacker is not only placing a link to view the "image", but it's been included in his/her signature/post/whatever?
Wouldn't that code be saved in the XOOPS cache (if enabled) and pose a possible threat then?
--- censored by Bananadude ---

4
Will_H
Re: a security question
  • 2005/12/16 22:27

  • Will_H

  • Friend of XOOPS

  • Posts: 1786

  • Since: 2004/10/10


TBH I'm not sure. If it were that easy to impose and threaten servers you would think it would have been done by now.

5
Bananadude
Re: a security question
  • 2005/12/16 22:40

  • Bananadude

  • Not too shy to talk

  • Posts: 155

  • Since: 2005/9/16


Maybe, maybe not. I don't know, that's why I'm asking, but thank you very much for your reply.

Best Regards,
Bananadude
--- censored by Bananadude ---
