
Animated Avatar

Shandyr Member Posts: 8,263
Hey everyone,

As you may have noticed, the user @EggHuevo managed to have an animated avatar.
This is so awesome that it deserves its own thread.

The question is how he managed to do that.

The problem with understanding I have right now is the following:
Allowed extensions for uploading the avatar are jpg, jpeg, gif, png, bmp, ico

First of all when you right click on the animated avatar of @EggHuevo and choose to display
the graphic only, you will be referred to this site:

https://lh5.googleusercontent.com/-svp7kM-mqf4/AAAAAAAAAAI/AAAAAAAAACc/GT8Z5PvQO34/photo.jpg

And you can notice two things:
1.) It ends on ".jpg" even though it's a .gif
You can check that in your browser with right click on the graphic and then show information about that graphic file.
Okay, not much of a mystery: he could have just changed the ending. So it's a .gif that hides as a .jpg.

2.) The animation is not saved on the forum database.
And this is what I cannot get my head around.
Everybody's avatar is saved on the forum database.
You can check yourself, right click on your own avatar -> show graphic only and you will see (in my case) the address:
https://us.v-cdn.net/5019558/uploads/userpics/166/pPNP28KVTI73Y.jpg

Every forum member's avatar is saved under an address like "....ssl.cf1.rackcdn.com/baldursgate.vanillaforums.com/userpics/..."

So my only conclusion is that he managed to inject executable code in a graphic file.
And that code refers to the external source "lh5.googleusercontent.com".

It's just a guess - but if that is true, then I think that is actually a security issue on this forum software.
Because it should never be possible to upload graphics with executable code inside.

Any other ideas? Thoughts? @Troodon80 maybe?
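
The post describes a file whose name ends in ".jpg" while its content is a GIF, on a forum that filters uploads by extension. The following is an added example, not part of the original post and not the forum software's code: a server-side check that compares the extension with the format indicated by the file's leading bytes. The function names and sample uploads are assumptions constructed for illustration.

```python
import os

# Leading-byte signatures for the six avatar extensions the post lists.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("bmp", b"BM"),
    ("ico", b"\x00\x00\x01\x00"),
]
EXT_TO_FORMAT = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif",
                 "png": "png", "bmp": "bmp", "ico": "ico"}


def sniff_format(data: bytes):
    """Return the image format implied by the leading bytes, or None."""
    for fmt, magic in SIGNATURES:
        if data.startswith(magic):
            return fmt
    return None


def check_avatar(filename: str, data: bytes):
    """Return (accepted, reason) for an uploaded avatar (hypothetical helper)."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    claimed = EXT_TO_FORMAT.get(ext)
    if claimed is None:
        return False, f"extension '{ext}' not allowed"
    actual = sniff_format(data)
    if actual is None:
        return False, "content is not a recognised image format"
    if actual != claimed:
        return False, f"extension says {claimed}, content is {actual}"
    return True, f"{actual} content matches extension"


# Constructed sample uploads (header bytes only, not real images).
SAMPLES = {
    "photo.jpg": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",   # GIF named .jpg
    "avatar.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",    # JPEG named .jpg
    "avatar.png": b"<html><script>",                      # not an image
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_avatar(name, blob))
```

A matching signature only shows that the header looks right; decoding and re-encoding the image on the server is the stronger control, since it discards anything that is not pixel data.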
