Problem with images in the sigs
Posted: Fri Dec 26, 2003 2:46 pm
by pilla
The sigs that have images are presenting strange numbers after the "img" tags, like this:
[img:cbeaad30c4]http://antipersonnel.org/media/images/sigpic/free.gif[/img:cbeaad30c4]
Mine is presenting too, but I don't know why.
Posted: Fri Dec 26, 2003 3:48 pm
by krusty_ar
It seems some kind of style or something, maybe phpBB uses this to adjust the presentation of the img, and there's some bug...
Posted: Fri Dec 26, 2003 3:50 pm
by klieber
we have temporarily disabled the use of [img] on our board. More details will be released at a later time.
--kurt
Posted: Fri Dec 26, 2003 3:58 pm
by pilla
klieber wrote:we have temporarily disabled the use of [img] on our board. More details will be released at a later time.
--kurt
Roger

Posted: Fri Dec 26, 2003 6:52 pm
by Squinky86
Does this have anything to do with hotlinking image avatars? I just noticed that seems to also have been disabled :'(.
Posted: Fri Dec 26, 2003 7:07 pm
by adammc
I didn't realise you could do that without modding the vanilla phpBB code

Posted: Fri Dec 26, 2003 8:07 pm
by airflow
Squinky86 wrote:Does this have anything to do with hotlinking image avatars? I just noticed that seems to also have been disabled :'(.
I noticed this too when I visited the forum today... My image had disappeared and it took me a while to find out the real reason, as I suspected it to be the webserver first. I just wanted to start a new thread because of this, but I see that someone else has already mentioned it... Any comments from the Admins yet?
regards,
airflow
Posted: Fri Dec 26, 2003 10:22 pm
by klieber
airflow wrote:Any comments from the Admins yet?
klieber is pretty sure that, just a few hours earlier, he wrote:we have temporarily disabled the use of [img] on our board. More details will be released at a later time.
--kurt
Posted: Fri Dec 26, 2003 11:52 pm
by Squinky86
hehe, he meant for the hotlinking of avatars, not for the IMG tags, which I thought may be inter-related, so I added them to this thread instead of making a new one. Sorry for not making a separate thread
Edit: Unless my slow mind didn't pick up that the hotlinking of avatars was only disabled temporarily, also?
airflow wrote:I suspected it to be the webserver first.
Same here. I think we just need to wait and they'll give us details later.
Posted: Sun Dec 28, 2003 11:33 pm
by viperlin
well i've started getting complaints about it in my sig so i think we would like those details ASAP

Posted: Mon Dec 29, 2003 1:06 pm
by klieber
viperlin wrote:well i've started getting complaints about it in my sig so i think we would like those details ASAP

Chances are, we will not be releasing details in the near future (next 2 weeks or so). I suggest you change your sig for now.
--kurt
Posted: Tue Dec 30, 2003 3:37 am
by Oopsz
Posted: Tue Dec 30, 2003 3:13 pm
by aridhol
Some non-details then?
They have been disabled because of abuse?
Instability?
Rudeness, BandWidth, Aesthetic feeling, powertrip, flamewars, principle?
But to limit something like this (not really important) and not give any info seems kind of... uh.. silly to me. If there was any discussion that led to disabling them just post a link.
I can accept pretty much any explanation... except no explanation. 2 weeks to explain? Too long unless you give us a statement at least.
And how long is temporarily? As long as For the time being? Or half of eternity?
Oh... I'm nagging. Sorry, I'll leave for now

Posted: Tue Dec 30, 2003 4:56 pm
by airflow
aridhol wrote:But to limit something like this (not really important) and not give any info seems kind of... uh.. silly to me. If there was any discussion that led to disabling them just post a link.
I call this behaviour "childish". But "silly" fits well, too.
regards,
airflow
Posted: Tue Dec 30, 2003 5:04 pm
by pilla
If it is a security vulnerability, it makes sense not to release any further information until the bugfixes are available. But it is up to the sysadmins to do whatever they think is best in this situation. From what I know of them, they wouldn't keep it undisclosed unless there was a very good reason for it.
BTW, all I know about the issue I have learned from this thread.
Maybe we should just ban images from the sigs, then we wouldn't have people complaining about the lack of information on the issue.
Posted: Tue Dec 30, 2003 5:09 pm
by Squinky86
pilla wrote:Maybe we should just ban images from the sigs, then we wouldn't have people complaining about the lack of information on the issue.
I was trying to stay out of this since I felt like things could get a little rude in here, but I was just trying to point out that the avatar hotlinking was offline, too. I really didn't mean to start anything.
Gentoo has some of the best admins in the world. I trust them to do the right thing. They'll tell us what we want to know when it's time for us to know it. Just be patient, guys (and maybe a girl or two, if we're lucky)!
Pilla: There are plenty of members of the Gentoo community willing to help should you ask, but if you or any of the other admins don't want any information public, that's understandable, too.
Posted: Tue Dec 30, 2003 5:47 pm
by pilla
I am just a moderator -- I can move, erase, edit threads, but only using the phpBB moderator interface. I have no access to the inner workings of the system. This is exclusive to our sysadmins, like rac, pjp, klieber and masseya.
And as I stated before, I don't know why the images were disabled in the sig.
Posted: Wed Dec 31, 2003 3:56 am
by astika
most often, it is a bandwidth issue, or off-linking images from other sites, and those sites might complain.
just have a text sig, works for me

Posted: Wed Dec 31, 2003 6:43 am
by stonent
You should have seen the Dell forums in the glory days. People had large java applets in their sigs. If you entered a large thread on an old computer, you'd lock up. Finally dell killed about 99% of the allowed html tags. Some were fun, like iframe, embed, or if you wanted to really screw up a thread, throw a bunch of /td's and /tr's
When I ran a phpBB2 forum, I removed all html restrictions so that the disappointed Dell forum users could still use their java applets and other fun stuff.
Occasionally I had to warn users for forgetting to close their tags and causing the posts to move all over the place.
Posted: Wed Dec 31, 2003 9:52 am
by Cerement
another fun one was </script>

Posted: Wed Dec 31, 2003 11:09 am
by aridhol
pilla wrote:If it is a security vulnerability, it makes sense not to release any further information until the bugfixes are available.
They don't have to release information about how it was done, just that it was a security vulnerability.
And it's not just in sigs, it's anywhere the [img]-tag can be used.
Posted: Thu Jan 15, 2004 12:18 am
by meowsqueak
Could it be related to this, or is this a tad too old? What version of phpBB is forums.gentoo.org using?
http://www.securityfocus.com/bid/4379/info/
Edit: I think I just discovered it was 2.0.4 as of last January, so I guess it's definitely phpBB2 then? A related problem perhaps?
Posted: Thu Jan 15, 2004 12:21 am
by viperlin
meowsqueak wrote:Could it be related to this, or is this a tad too old? What version of phpBB is forums.gentoo.org using?
http://www.securityfocus.com/bid/4379/info/
Edit: I think I just discovered it was 2.0.4 as of last January, so I guess it's definitely phpBB2 then? A related problem perhaps?
it says at the bottom of the page, version 2.0.6, so yes that's a little over a "tad" old

Posted: Thu Jan 15, 2004 12:26 am
by meowsqueak
Yes, but the problem could be similar. Maybe a way of embedding malicious code in an image has been found, that can work its way around the prevention schemes in phpBB2? I'm just speculating really.
Posted: Tue Jan 20, 2004 12:04 am
by Anior
Am I the only one here who's actually /happy/ that they are disabled?
Large bloated sigs all come from satan and are the harbingers of Gehenna *sage nod*
At least they make you look like you're just in from the counterstrike forums... :-P