As you may have noticed, the user @EggHuevo managed to have an animated avatar.
This is so awesome that it deserves its own thread.
The question is how he managed to do that.
The problem with understanding I have right now is the following:
Allowed extensions for uploading the avatar are jpg, jpeg, gif, png, bmp, ico
First of all, when you right click on the animated avatar of @EggHuevo and choose to display the graphic only, you will be referred to this site: https://lh5.googleusercontent.com/-svp7kM-mqf4/AAAAAAAAAAI/AAAAAAAAACc/GT8Z5PvQO34/photo.jpg
And you can notice two things:
1.) It ends on ".jpg" even though it's a .gif
You can check that in your browser with right click on the graphic and then show information about that graphic file.
Okay, not much of a mystery, he could have just changed the ending. So it's a .gif that hides as a .jpg.
2.) The animation is not saved on the forum database.
And this is what I cannot get my head around. Everybody's avatar is saved on the forum database.
You can check yourself, right click on your own avatar -> show graphic only and you will see (in my case) the address: https://us.v-cdn.net/5019558/uploads/userpics/166/pPNP28KVTI73Y.jpg
Every forum member's avatar is saved under an address like "....ssl.cf1.rackcdn.com/baldursgate.vanillaforums.com/userpics/..."
So my only conclusion is that he managed to inject executable code in a graphic file.
And that code refers to the external source "lh5.googleusercontent.com".
It's just a guess - but if that is true, then I think that is actually a security issue on this forum software.
Because it should never be possible to upload graphics with executable code inside.
Any other ideas? Thoughts? @Troodon80