Title: phpBB remote avatar size bug
Software: phpBB 2.0.17 (and maybe prior versions)
Discovered by: David Sopas Ferreira < david at systemsecure dot org >
Original link: http://www.systemsecure.org/ssforum/viewtopic.php?t=272

» Email from phpBB «

Your report "Avatar size" has been closed because your reported issue is invalid. Classifying a report as invalid can have various reasons, most of the time the report is incomplete. If you think your report has been handled incorrectly, please submit another report at http://www.phpbb.com/security/index.php.

Comment added by team member: This isn't a security problem. You can do the same thing with a standard webpage. As for checking remote avatar size, there are several inherent problems with that, which I won't detail here. As this isn't a security problem, closing.

» End Of Mail «

» My personal opinion:

I think this is a minor security problem. A malicious user can use larger images (for example: 1280px - 1024px) to almost damage the entire view of a topic. For this to be done, Remote Avatar has to be selected.

So, if the admins don't consider this a minor security problem, what is it? A "special" feature?

I don't want to criticize the phpBB coders, but why is it difficult to check the size of an image and tell the user that that image size is not possible, or even block the size on the viewtopic table, something like that.

» Possible solution:

Disable remote avatar or just dig in the code to set the image size you want.
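
The size check asked for above can be sketched as follows. This is an added example, not phpBB code and not part of the original report: the function names, the 80x80 limit and the sample headers are assumptions, it needs PHP 7.1 or later, and it covers only GIF and PNG headers, rejecting anything else.

```php
<?php
// Added example, not phpBB code. The limits are assumed values.
const MAX_AVATAR_WIDTH  = 80;
const MAX_AVATAR_HEIGHT = 80;

/**
 * Read the declared width and height from the first bytes of a GIF or PNG.
 * Returns [width, height], or null when the header is not recognised.
 */
function avatar_dimensions(string $head): ?array
{
    // PNG: 8-byte signature, chunk length, "IHDR", then width and height
    // as big-endian 32-bit integers.
    if (strlen($head) >= 24
        && substr($head, 0, 8) === "\x89PNG\r\n\x1a\n"
        && substr($head, 12, 4) === 'IHDR') {
        $d = unpack('Nw/Nh', substr($head, 16, 8));
        return [$d['w'], $d['h']];
    }
    // GIF: "GIF87a" or "GIF89a", then logical screen width and height
    // as little-endian 16-bit integers.
    if (strlen($head) >= 10
        && in_array(substr($head, 0, 6), ['GIF87a', 'GIF89a'], true)) {
        $d = unpack('vw/vh', substr($head, 6, 4));
        return [$d['w'], $d['h']];
    }
    return null;
}

/** True only when the header parses and the image fits within the limits. */
function avatar_allowed(string $head): bool
{
    $dim = avatar_dimensions($head);
    if ($dim === null) {
        return false; // unknown format or truncated header: reject
    }
    [$w, $h] = $dim;
    return $w > 0 && $h > 0
        && $w <= MAX_AVATAR_WIDTH && $h <= MAX_AVATAR_HEIGHT;
}

// Constructed sample headers (not real avatar files).
$png_1280x1024 = "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . pack('NN', 1280, 1024);
$gif_64x64     = 'GIF89a' . pack('vv', 64, 64);

var_dump(avatar_allowed($png_1280x1024));
var_dump(avatar_allowed($gif_64x64));
```

A remote image can be replaced after it passes this check, so fixed width and height on the avatar as rendered in viewtopic are still needed to cover that case.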