Bugtraq mailing list archives
Re: The Dangers of Allowing Users to Post Images
From: "Jeffrey W. Baker" <jwbaker () acm org>
Date: Fri, 22 Jun 2001 14:13:40 -0700 (PDT)
On Tue, 19 Jun 2001, John Percival wrote:
I'm going to try and throw another issue into this discussion now too: denial of service. We have discussed it for attacking remote servers, but not for the client viewing the image. It's something else that I spotted while I was playing around with this issue just now. If you have images that include a mailto:me () my host somewhere com source, then the default handler for mailto: links is opened up. Be that Outlook, Netscape Composer, Eudora, or whatever else you care to use. So if someone embedded 100 (arbitrary figure) mailto: images in a page, then this would do a lot of harm to the user's computer. At best, it would get very busy for a few minutes creating new emails, and would be a pain to clear up. At worst, it could bring the whole system crashing down.
This is a user agent problem. Since the mailto scheme can't be used to fetch an image, script, style sheet, object, or anything else, mailto URIs should be ignored in the img, object, link, script, and other elements. I just checked Mozilla and it ignores them. HTML is loaded with these kinds of hazards. <img src="file:///dev/zero">, microsoft's con\con problems, etc. Careful user agent design is required. -jwb
Current thread:
- Re: The Dangers of Allowing Users to Post Images, (continued)
- Re: The Dangers of Allowing Users to Post Images Sverre H. Huseby (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Tim Nowaczyk (Jun 16)
- Re: The Dangers of Allowing Users to Post Images Henrik Nordstrom (Jun 18)
- Re: The Dangers of Allowing Users to Post Images peterw (Jun 19)
- Re: The Dangers of Allowing Users to Post Images Henrik Nordstrom (Jun 19)
- Re: never-ending Referer arguments (The Dangers of Allowing Users to Post Images) Peter W (Jun 19)
- Re: [BUGTRAQ] Re: never-ending Referer arguments (The Dangers of Allowing Users to Post Images) CDI (Jun 22)
- Re: The Dangers of Allowing Users to Post Images Tim Nowaczyk (Jun 16)
- Re: The Dangers of Allowing Users to Post Images John Percival (Jun 22)
- Re: The Dangers of Allowing Users to Post Images Michal Szokolo (Jun 24)
- Re: The Dangers of Allowing Users to Post Images Travis Siegel (Jun 25)
- Re: The Dangers of Allowing Users to Post Images Sverre H. Huseby (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Jeffrey W. Baker (Jun 25)
- Re: The Dangers of Allowing Users to Post Images Sverre H. Huseby (Jun 19)
- Re: The Dangers of Allowing Users to Post Images Henrik Nordstrom (Jun 19)
- Re: The Dangers of Allowing Users to Post Images Brett Lymn (Jun 18)
- Re: The Dangers of Allowing Users to Post Images Marc Slemko (Jun 16)
- Re[2]: The Dangers of Allowing Users to Post Images Alexander K. Yezhov (Jun 16)