Disabling Option 1 - Enter the URL to the Image on Another Website:

  • Miykichii
    Senior Member
    • Oct 2007
    • 212
    • 3.6.x

    Disabling Option 1 - Enter the URL to the Image on Another Website:

    Hi Vbulletin,

    How can I disable this option for my avatar and user profile upload mode? Does this option get used anywhere else for vB 4.2.1 other than the avatar and user profile? I'd like to disable it globally for my vB forum.
    If you like these ideas, vote for them! (:

    http://tracker.vbulletin.com/browse/VBV-12406 (Blogs & Articles redesign)
    http://tracker.vbulletin.com/browse/VBV-12379 (Group redesign)
    http://tracker.vbulletin.com/browse/VBV-12337 (Members Feeds)
    http://tracker.vbulletin.com/browse/VBV-12676 (Media tab & Album)
    http://tracker.vbulletin.com/browse/VBV-12698 (Notification system)
    http://tracker.vbulletin.com/browse/VBV-12663 (Members list redesign)
  • BirdOPrey5
    Senior Member
    • Jul 2008
    • 9613
    • 5.6.3

    #2
    I don't believe there is any way to disable just that setting but to allow uploading of custom avatars.

    For attachments in Admin CP -> Settings -> Options -> Message Attachment Options -> Attachment URL Inputs -> set to zero.


    • Miykichii
      Senior Member
      • Oct 2007
      • 212
      • 3.6.x

      #3
      Originally posted by Joe D.
      I don't believe there is any way to disable just that setting but to allow uploading of custom avatars.

      For attachments in Admin CP -> Settings -> Options -> Message Attachment Options -> Attachment URL Inputs -> set to zero.
      Hi Joe, setting it to zero didn't remove this option 1 at all for profile or avatar upload via URL. This option is terrible, it can leak your server IP for attacks even if you're protected behind CF: http://blog.cloudflare.com/ddos-prev...ing-the-origin

      "Never initiate an outbound connection based on user action

      If the attacker can get your web server to connect to an arbitrary address, they will reveal your origin IP. Features like "upload from URL" that allow the user to upload a photo from a given URL should be configured so that the server doing the download is not the website origin server."

      I can find vBulletin's direct server IP if I wanted to via this feature. Vb.com doesn't have that feature for vB 5.x but Vb.org has it on its forum and both sites are on the same server as vb.com. This is a very bad feature. Is there a way to disable it?

      • Miykichii
        Senior Member
        • Oct 2007
        • 212
        • 3.6.x

        #4
        Actually nvm, VB 5.x has that feature as well.

        • punchbowl
          Senior Member
          • Nov 2006
          • 3903
          • 4.0.x

          #5
          I'd edit out all references in the templates, e.g. modifyprofilepic, modifyavatar.


          • Miykichii
            Senior Member
            • Oct 2007
            • 212
            • 3.6.x

            #6
            Originally posted by punchbowl
            I'd edit out all references in the templates, e.g. modifyprofilepic, modifyavatar.
            I think I will do this: disable allow_url_fopen and curl in PHP and modify those templates above. I didn't see this option in other places though.


            • BirdOPrey5
              Senior Member
              • Jul 2008
              • 9613
              • 5.6.3

              #7
              Originally posted by Miykichii

              Hi Joe, setting it to zero didn't remove this option 1 at all for profile or avatar upload via URL. This option is terrible, it can leak your server IP for attacks even if you're protected behind CF: http://blog.cloudflare.com/ddos-prev...ing-the-origin

              "Never initiate an outbound connection based on user action

              If the attacker can get your web server to connect to an arbitrary address, they will reveal your origin IP. Features like "upload from URL" that allow the user to upload a photo from a given URL should be configured so that the server doing the download is not the website origin server."

              I can find vBulletin's direct server IP if I wanted to via this feature. Vb.com doesn't have that feature for vB 5.x but Vb.org has it on its forum and both sites are on the same server as vb.com. This is a very bad feature. Is there a way to disable it?
              Frankly, 99.9% of customers don't care if their IP address is public- and that includes us at vBulletin.com. We're not trying to hide it. DDoS attacks are annoying but trying to hide your IP isn't a serious solution- the biggest websites in the world face DDoS attacks- if hiding their IP was the solution don't you think they'd be doing that?


              • punchbowl
                Senior Member
                • Nov 2006
                • 3903
                • 4.0.x

                #8
                Yep security through obscurity is no security at all.


                • Miykichii
                  Senior Member
                  • Oct 2007
                  • 212
                  • 3.6.x

                  #9
                  Originally posted by Joe D.

                  Frankly, 99.9% of customers don't care if their IP address is public- and that includes us at vBulletin.com. We're not trying to hide it. DDoS attacks are annoying but trying to hide your IP isn't a serious solution- the biggest websites in the world face DDoS attacks- if hiding their IP was the solution don't you think they'd be doing that?
                  I am not concerned about what other big websites do; each site is different, each attack type is different. When you know the attacker uses a specific attack that has advantages and disadvantages, then your best bet is to be able to block that type of attack when you know its weaknesses. You don't need to worry about the other types for now, but even so, the other types might not be that harmful to deal with. It really comes down to who is targeting you and whether you know they have stronger or weaker tools.

                  Take UDP DDoS attacks: they are the cheapest to launch but annoying to block if you have an IP leakage or can afford a server with good DDoS protection = $$.

                  There are certain attacks that can only be used directly against your server IP if they know it. If they don't know the server IP, they might use different types of attacks, which they may or may not have the capability to launch and which may or may not be easy to mitigate. But on Cloudflare's part, there is a reason why they advise hiding the IP and preventing IP leakage: they can deal with many types of attacks, but once your IP is leaked, they can't do anything. It has to be on the server side, and that would be whether you have a provider with solid DDoS protection or not.

                  Originally posted by punchbowl
                  Yep security through obscurity is no security at all.
                  @punchbowl, it is not obscurity because you're doing your part in terms of protection against certain types of attacks. CF doesn't share articles like this for fun: http://blog.cloudflare.com/ddos-prev...ing-the-origin

                  @Joe, with what VB is doing, they are increasing their chances for attacks, that is all. That is their choice, definitely not mine nor other customers in the same position. You have the expenses, feel free to buy a 3k+ server a month with a DDoS mitigation plan. People usually can't speak about problems they haven't faced before.
                  Last edited by Miykichii; Mon 1 Sep '14, 12:30pm.

                  • BirdOPrey5
                    Senior Member
                    • Jul 2008
                    • 9613
                    • 5.6.3

                    #10
                    With all respect to Cloudflare they are not the end-all when it comes to internet security- vBulletin is great in that you can customize it to work how you want it to work. A few template edits and you can remove all trace of the upload via URL options. Combine that with disabling the function in PHP and you'll have your setup the way you like it.


                    • kpmedia
                      Member
                      • Aug 2007
                      • 42
                      • 3.8.x

                      #11
                      Originally posted by Joe D.
                      I don't believe there is any way to disable just that setting but to allow uploading of custom avatars.
                      You have to edit the core files.


                      • Wayne Luke
                        vBulletin Technical Support Lead
                        • Aug 2000
                        • 73981

                        #12
                        Originally posted by kpmedia
                        You have to edit the core files.
                        That isn't something that is supported.
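
The PHP-side mitigation suggested in posts #6 and #10 (turning off URL fopen and cURL), as an added example that is not part of any post in this thread and is not vBulletin code: a script that reports which outbound-connection paths the PHP runtime still exposes. The raw-socket check goes beyond the two settings named in the thread, and the function names `disabled_functions` and `audit_outbound_fetch` are made up for this example.

```php
<?php
// Added example (not vBulletin code): report whether this PHP runtime can still
// open outbound connections, e.g. for an "upload from URL" feature.

/** Parse a disable_functions ini value into a lookup set of lowercase names. */
function disabled_functions(string $iniValue): array
{
    $names = array_filter(array_map('trim', explode(',', $iniValue)), 'strlen');
    return array_fill_keys(array_map('strtolower', $names), true);
}

/**
 * $cfg keys: allow_url_fopen (bool), curl_loaded (bool), disable_functions (string).
 * Returns a list of findings; empty means none of the checked paths is open.
 */
function audit_outbound_fetch(array $cfg): array
{
    $disabled = disabled_functions($cfg['disable_functions']);
    $findings = [];
    // URL wrappers: fopen() and file_get_contents() accept http:// when this is On.
    if ($cfg['allow_url_fopen']) {
        $findings[] = 'allow_url_fopen is On: set allow_url_fopen = Off in php.ini';
    }
    // cURL stays usable unless the extension is unloaded or its request calls are disabled.
    if ($cfg['curl_loaded']) {
        foreach (['curl_exec', 'curl_multi_exec'] as $fn) {
            if (!isset($disabled[$fn])) {
                $findings[] = "$fn is callable: unload ext-curl or add it to disable_functions";
            }
        }
    }
    // Raw sockets are a third path that the two settings above do not cover.
    foreach (['fsockopen', 'pfsockopen', 'stream_socket_client'] as $fn) {
        if (!isset($disabled[$fn])) {
            $findings[] = "$fn is callable: add it to disable_functions if nothing needs it";
        }
    }
    return $findings;
}

// Audit the effective settings of the runtime executing this script.
$live = [
    'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
    'curl_loaded'       => extension_loaded('curl'),
    'disable_functions' => (string) ini_get('disable_functions'),
];
$report = audit_outbound_fetch($live);
echo $report ? implode(PHP_EOL, $report) . PHP_EOL : "No outbound fetch path found" . PHP_EOL;
```

Run it under the same SAPI and php.ini as the forum, since the CLI often loads a different php.ini than the web server does.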