ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Mime type problems in 1.6.4

June 29, 2008 10:28am

  • #16 / Jul 22, 2008 6:47pm

    Riverboy

    2993 posts

    I had this very same problem with my forums. And it turned out that certain image-handling software, when saving the file, puts some “bad” 101010’s into the file, which makes them go “against” the XSS rules of EE.

    If I remember right, one software in my case was Photoshop Elements, when using “save as”. I don’t remember anymore whether it was cleared when people saved their files “for web”. But this was/is a known issue for me too, or should I say, for my forum users!

    Cheers:
    - Tuittu

  • #17 / Jul 22, 2008 6:49pm

    Ingmar

    29245 posts

    Be sure to use the very latest version of the forum. There were some updates in that area.

  • #18 / Jul 22, 2008 6:53pm

    Riverboy

    2993 posts

    Ingmar, you replied to me? You mean there were updates for “better handling”? I updated my forums some days ago! As you can always see from my sig what versions or builds I run.

  • #19 / Jul 22, 2008 6:57pm

    Derek Jones

    7561 posts

    This one triggered the “wrong MIME type” response, too:

    http://idioom.eu/images/uploads/souvenirs/black_sand.jpg

    *edit* a bit more info: After turning off XSS filtering I was able to upload the image as a non logged in user of the site. Now I am worried about security implications…

    What build are you running, docflo? Examining that file in a text editor, nothing jumps forward as setting off a false positive in the latest filter.

  • #20 / Jul 22, 2008 6:58pm

    Ingmar

    29245 posts

    Ingmar, you replied to me? You mean there were updates for “better handling”? I updated my forums some days ago! As you can always see from my sig what versions or builds I run.

    No, just a general comment.

  • #21 / Jul 23, 2008 3:48am

    anonymous61630

    93 posts

    Newest build. 1.6.4 - 20080710

    This is happening on a core version install, but I might run into this problem when I upgrade my commercial version install to 1.6.4.

    On http://idioom.eu/en/souvenirs/submit/ I am letting people send me an image via a freeform. I then review the entries and post them to the site if they are ok. Would I recognize an XSS-prepared image? Do they look like a normal image or would they appear broken?

  • #22 / Jul 23, 2008 4:13am

    Ingmar

    29245 posts

    As far as security is concerned (and XSS is obviously a big part of that) there is no difference between EE Core and the full version. Images successfully posted by you or one of your users would never appear broken: either EE lets you upload them, or not. As a Superadmin you are exempt from these checks anyway, and you can also turn off this behavior (although we do not recommend that). It all depends on the image. Meta data might be an issue, for example.

  • #23 / Jul 23, 2008 4:19am

    Riverboy

    2993 posts

    Yes, the metas of the pictures were the problem in my case. And those, again, were “wrong” because of the software and saving type of the images. That was only in the forums though; I haven’t had any problems with uploading, but my users don’t upload anything via SAEF.

    Hope you get the things going there!

    Cheers:
    - Tuittu

  • #24 / Jul 23, 2008 4:45am

    anonymous61630

    93 posts

    As far as security is concerned (and XSS is obviously a big part of that) there is no difference between EE Core and the full version. Images successfully posted by you or one of your users would never appear broken: either EE lets you upload them, or not. As a Superadmin you are exempt from these checks anyway, and you can also turn off this behavior (although we do not recommend that). It all depends on the image. Meta data might be an issue, for example.

    All images that appear on the site are reviewed by me. Would I be able to see that an image a user has sent to me via the form has been tampered with? Would it appear broken?

  • #25 / Jul 23, 2008 5:31am

    Ingmar

    29245 posts

    What exactly are you doing with the images? Uploading them yourself? They’d then get checked anyway—unless you are logged in as a Superadmin.

  • #26 / Jul 23, 2008 5:42am

    anonymous61630

    93 posts

    Yep, I am uploading them myself as Superadmin.

  • #27 / Jul 23, 2008 7:46am

    anonymous61630

    93 posts

    Some more info on the image: My user says that he tried uploading two versions of the image: the first was saved for web in Photoshop and the second just saved normally in Photoshop. Both triggered the MIME type warning.

  • #28 / Jul 23, 2008 8:46am

    Derek Allard

    3168 posts

    Hey docflo.

    Sometimes the images will appear broken, and sometimes they will appear as normal images. Are you able to email me the images in question? Let me take a look and I’ll see what’s triggering them and see if we can come up with a solution for you here. If you email [address not shown], please include the url to this thread so I can keep things in context.

  • #29 / Jul 23, 2008 9:15am

    anonymous61630

    93 posts

    Thanks! I emailed you the image in question.

  • #30 / Jul 23, 2008 4:09pm

    Derek Allard

    3168 posts

    Thanks sir. I can immediately see what is triggering the false positive. Sorry for the inconvenience. We’re working on a way to reduce the number of false positives flagged, and if I come up with something that will work for you I’ll be sure to let you know. For now though, there is no way we can let this image through without crippling the security of EE. I’m sorry.
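
Added example, not part of the original thread and not ExpressionEngine's code: since posts #22 and #28 say a flagged image can look perfectly normal and that metadata may be involved, a reviewer can inspect the bytes per JPEG segment instead of judging by eye. The token list, the segment labels and the three sample files are assumptions constructed for illustration; the thread does not say what EE's filter matches or what triggered it for this image.

```python
import re
import struct

# Assumed token list for illustration only; it is not ExpressionEngine's filter.
MARKUP = re.compile(rb"<\s*(?:script|iframe|html|body|\?xml|\?xpacket|x:xmpmeta)", re.I)
NAMES = {0xE0: "APP0/JFIF", 0xE1: "APP1/Exif-XMP", 0xED: "APP13/Photoshop", 0xFE: "COM"}

def jpeg_segments(data):
    """Yield (name, payload) per header segment, then the scan data as one unit."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("bad segment header at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:  # start of scan: compressed pixels follow to the end
            yield "scan-data", data[pos + 2:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("segment length runs past end of file")
        yield NAMES.get(marker, "0x%02X" % marker), data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_markup(data):
    """Return sorted unique (segment, token) pairs where markup-like bytes occur."""
    hits = set()
    for name, payload in jpeg_segments(data):
        for m in MARKUP.finditer(payload):
            hits.add((name, m.group(0).decode("latin-1").lower()))
    return sorted(hits)

def seg(marker, payload):
    """Build one length-prefixed JPEG segment (helper for the constructed samples)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: structurally valid headers, not decodable pictures.
SCAN = b"\xff\xda\x00\x02\x00\x11\x22\xff\xd9"
JFIF = seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
XMP = (b"http://ns.adobe.com/xap/1.0/\x00<?xpacket begin=\"\" id=\"W5M0MpCehiHzreSzNTczkc9d\"?>"
       b"<x:xmpmeta xmlns:x=\"adobe:ns:meta/\"></x:xmpmeta><?xpacket end=\"w\"?>")
PLAIN = b"\xff\xd8" + JFIF + SCAN
EDITOR_SAVED = b"\xff\xd8" + JFIF + seg(0xE1, XMP) + SCAN
COMMENT_MARKUP = b"\xff\xd8" + JFIF + seg(0xFE, b"<script>/* constructed */</script>") + SCAN

if __name__ == "__main__":
    for label, img in [("plain", PLAIN), ("editor", EDITOR_SAVED), ("comment", COMMENT_MARKUP)]:
        print(label, find_markup(img))
```

Hits confined to a metadata segment point at what the editing software wrote, and re-encoding the picture without metadata removes them; a hit in a comment segment or in the scan data deserves a closer look before the file is published.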
