WebApp Sec mailing list archives
Re: [Full-disclosure] Re: BBCode [IMG] [/IMG] Tag Vulnerability
From: Christopher Kunz <chrislist () de-punkt de>
Date: Mon, 22 Aug 2005 21:51:52 +0200
Paul Laudanski wrote:
> image/jpeg
> image/pjpeg
> image/tiff
>
> So there are a couple avenues one can take in assessing if the file that [IMG][/IMG] is rendering is indeed an image.

If you aren't planning on doing this every time the remote image is accessed, how are you going to stop the attacker from showing the forum server an actual image when it verifies the image location - and launch a CSRF attack on the end user? It's kinda easy to do with $_SERVER['REMOTE_ADDR'], and if I were to exploit a CSRF issue, I'd go for that. You can even automate it quite easily.

If, OTOH, your forum verifies the image each time, there is still the danger that the forum sees something different than the user gets. The only 100% way would be to completely download the image in question to the forum server, check if it really is an image, and then stream back _exactly_ that image to the client, rewriting remote image URIs to local ones. But there's a whole bag of new problems with that approach.

At least IMHO, there's no real mitigation for CSRF attack vectors in the catalyzing script (i.e., the forum or something), but all vulnerabilities need to be fixed in the victim script, by having people log out via POST, not GET, have security questions in front of security relevant actions like password change, etc.

Or, you could just disallow remote images altogether. It kinda boils down to a security vs. feature set question...

--ck
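
Added example, not part of the original message or of any forum's code: a Python sketch of the download-verify-serve-locally approach described above, where the forum fetches each remote image once at post time, checks it, and rewrites the [IMG] tag to a local copy so the client receives exactly the bytes the server checked. The names `localize_images`, `fetch`, `store`, the `/img-cache/` path and the size cap are assumptions, and signature sniffing stands in for a full image decode.

```python
import hashlib
import re

# Signatures for the types named in the thread (image/jpeg, image/pjpeg, image/tiff).
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"II*\x00": "tif",  # little-endian TIFF
    b"MM\x00*": "tif",  # big-endian TIFF
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size cap
IMG_TAG = re.compile(r"\[IMG\](https?://[^\s\[\]]+)\[/IMG\]", re.IGNORECASE)


def sniff(data):
    """Return a file extension if data starts with a known image signature."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def localize_images(post, fetch, store):
    """Rewrite remote [IMG] tags to local copies at post time.

    fetch(url) -> bytes is called once per tag; store maps local path -> bytes.
    Tags whose content fails the check become a plain-text marker.
    """
    def replace(match):
        try:
            data = fetch(match.group(1))
        except Exception:
            return "[image removed]"
        ext = sniff(data)
        if ext is None or len(data) > MAX_BYTES:
            return "[image removed]"
        path = "/img-cache/%s.%s" % (hashlib.sha256(data).hexdigest(), ext)
        store[path] = data  # clients are served exactly these verified bytes
        return "[IMG]%s[/IMG]" % path
    return IMG_TAG.sub(replace, post)


# Constructed sample fetcher: one URL yields a JPEG header, anything else HTML.
def fake_fetch(url):
    if url.endswith("cat.jpg"):
        return b"\xff\xd8\xff\xe0" + b"\x00" * 16
    return b"<html>redirect</html>"
```

Because the rendered post only references the local cache, the remote host never sees the end user's request and cannot answer it differently from the one the forum checked.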