Bugtraq mailing list archives
Re: The Dangers of Allowing Users to Post Images
From: "Chris Lambert" <clambert () gamespy com>
Date: Thu, 14 Jun 2001 21:09:16 -0400
The interesting part of this bug is the fact that it's exploitable on some very large sites, and is open to a large number of users. Bulletin boards in particular allow inline image posting, and this is what creates the problem...inline images in a system with cookie based authentication. EZBoard, UBB, and IkonBoard are all big time products, and are open to both sides of the vulnerability within the programs.

A ticket solution would work, but wouldn't be any more helpful than checking for POST vs. GET. JavaScript, IIRC, can access form elements in another page. So, I could simply load poll_questions.php into a frame, check the values of the hidden <input> tags, and then create a POST submission using that ticket.

The reason for the POST vs. GET fix is that bulletin board users can't create HTTP POST transmissions from within the forums. The vulnerability lies in the fact that the two sides of the hole are so closely related, whereas in a JavaScript enabled web page, it would be a form on ServerA posting to a form on ServerB. While it would still work, the user would have to somehow access the external page. Inline images force everyone who views the forum to access the "page", without them having to click on a link taking them to a remote server.

This technique has more issues than just false authentication, though, and could possibly be used towards distributed DoS type attacks. Some forums have 50k+ users, and each user who viewed a certain thread could be accessing some resource intensive script on a remote server. If posted on several highly trafficked forums, the victimized server would go down in no time.

--
WhiteCrown Networks - Web Application Security
www.whitecrown.net - services () whitecrown net

______________________________
/ Chris Lambert - cjlambert () home com
|-> ICQ #: 16435685 - AIM: ClipperChris
`-> Cell: (401) 743-2786 - http://sms.clambert.org/
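The two server-side checks discussed in the message above (refusing GET for state-changing actions, and a ticket carried in a hidden form field), as an added example that is not part of the original post. The action names, the secret, the session ids and the sample requests are all constructed for illustration and do not come from any of the boards named.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a per-deployment secret and the set of
# actions that change state (hypothetical names, not from any real board).
SERVER_SECRET = secrets.token_bytes(32)
STATE_CHANGING = {"vote", "post_reply", "delete_post"}


def issue_ticket(session_id: str, action: str) -> str:
    """Ticket bound to one session and one action, sent as a hidden field."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def check_request(method: str, action: str, session_id: str, form: dict):
    """Return (HTTP status, reason) for an already cookie-authenticated request."""
    if action not in STATE_CHANGING:
        return 200, "read-only action"
    # Check 1: an inline image makes the viewer's browser issue a GET with
    # the viewer's cookies, so state changes are refused unless sent as POST.
    if method.upper() != "POST":
        return 405, "state-changing action requires POST"
    # Check 2: the ticket must match this session and this action.
    expected = issue_ticket(session_id, action).encode()
    supplied = str(form.get("ticket", "")).encode()
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid ticket"
    return 200, "accepted"


if __name__ == "__main__":
    sid = "constructed-session-1"
    # Constructed requests: an inline image fetch, a POST with no ticket,
    # the board's own form, and an ordinary page view.
    samples = [
        ("GET", "vote", {}),
        ("POST", "vote", {}),
        ("POST", "vote", {"ticket": issue_ticket(sid, "vote")}),
        ("GET", "view_thread", {}),
    ]
    for method, action, form in samples:
        print(method, action, check_request(method, action, sid, form))
```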