WebApp Sec mailing list archives

Re: [Full-disclosure] Re: BBCode [IMG] [/IMG] Tag Vulnerability


From: Christopher Kunz <chrislist () de-punkt de>
Date: Mon, 22 Aug 2005 21:51:52 +0200

Paul Laudanski wrote:

> image/jpeg
> image/pjpeg
> image/tiff
>
> So there are a couple avenues one can take in assessing if the file that
> [IMG][/IMG] is rendering is indeed an image.

If you aren't planning on doing this every time the remote image is accessed,
how are you going to stop the attacker from showing the forum server an actual
image when it verifies the image location - and launching a CSRF attack on the
end user?

It's kinda easy to do with $_SERVER['REMOTE_ADDR'], and if I were to exploit a
CSRF issue, I'd go for that. You can even automate it quite easily.

If, OTOH, your forum verifies the image each time, there is still the danger
that the forum sees something different than the user gets. The only 100% way
would be to completely download the image in question to the forum server, check
if it really is an image, and then stream back _exactly_ that image to the
client, rewriting remote image URIs to local ones. But there's a whole bag of
new problems with that approach.

At least IMHO, there's no real mitigation for CSRF attack vectors in the
catalyzing script (i.e., the forum or something), but all vulnerabilities need
to be fixed in the victim script, by having people log out via POST, not GET,
have security questions in front of security relevant actions like password
change, etc.

Or, you could just disallow remote images altogether. It kinda boils down to a
security vs. feature set question...

--ck
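The following is an added example, not code from this thread or from any forum package discussed in it. It simulates the two sides of Christopher's argument in one runnable script: an attacker's "image" URL that answers the forum's one-time verifier (identified by client IP) with a real image but sends everyone else a redirect to a GET-driven logout, the proxying mitigation that downloads and sniffs the bytes itself and rewrites [IMG] URIs to a local path, and the victim-side fix of requiring POST plus a per-session token. The IPs, URLs, the `/imgproxy.php` path, the servers and the 1x1 GIF are all constructed for illustration; nothing here touches the network.

```python
"""Added example (not from the thread): image-cloaking CSRF vector vs. a
proxying fix and a victim-side POST+token check. All hosts, IPs, URLs and
the BBCode form are constructed for illustration."""
import hmac
import re
import secrets
from urllib.parse import quote, urlsplit

FORUM_IP = "192.0.2.10"                          # hypothetical forum server IP
CSRF_TARGET = "http://forum.example/logout.php"  # hypothetical GET-driven logout
ALLOWED_CT = {"image/jpeg", "image/pjpeg", "image/tiff", "image/gif", "image/png"}

# Constructed 1x1 GIF; a valid header is all the sniffer below needs.
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
            b"\x00\x02\x02D\x01\x00;")


def cloaking_server(client_ip):
    """Attacker's URL: a real image for the forum's verifier (picked out by its
    IP, the REMOTE_ADDR trick), a redirect into the CSRF target for end users."""
    if client_ip == FORUM_IP:
        return {"status": 200, "headers": {"Content-Type": "image/gif"}, "body": TINY_GIF}
    return {"status": 302, "headers": {"Location": CSRF_TARGET}, "body": b""}


def verify_once_by_content_type(server):
    """The post-time check: fetch once from the forum's own IP and trust the
    Content-Type header. Accepts the cloaking server."""
    resp = server(FORUM_IP)
    return resp["status"] == 200 and resp["headers"].get("Content-Type") in ALLOWED_CT


MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG\r\n\x1a\n": "image/png",
         b"GIF87a": "image/gif", b"GIF89a": "image/gif",
         b"II*\x00": "image/tiff", b"MM\x00*": "image/tiff"}


def sniff_image_type(body):
    """Identify the format from magic bytes, ignoring whatever header was sent."""
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return None


def proxy_fetch(server, max_bytes=2 * 1024 * 1024):
    """Proxy mitigation: the forum fetches, refuses redirects, sniffs the bytes
    and hands the user exactly what it checked (or nothing). Answering the forum
    differently from the user then gains the attacker nothing."""
    resp = server(FORUM_IP)
    if resp["status"] != 200:            # a 302 is not an image; never follow it
        return None
    body = resp["body"]
    if len(body) > max_bytes or sniff_image_type(body) is None:
        return None
    return body


IMG_TAG = re.compile(r"\[IMG\](.*?)\[/IMG\]", re.IGNORECASE | re.DOTALL)


def proxyable(url):
    """One of the 'new problems' of proxying: the forum must not fetch arbitrary
    URLs on a user's behalf (non-http schemes, its own host, loopback)."""
    p = urlsplit(url)
    return p.scheme in ("http", "https") and p.hostname not in (None, "localhost", "127.0.0.1", FORUM_IP)


def rewrite_img_tags(text, proxy_path="/imgproxy.php"):
    """Rewrite remote [IMG] URIs to the local proxy; drop tags the proxy refuses."""
    def repl(m):
        url = m.group(1).strip()
        if not proxyable(url):
            return "[image removed]"
        return "[IMG]%s?u=%s[/IMG]" % (proxy_path, quote(url, safe=""))
    return IMG_TAG.sub(repl, text)


def issue_csrf_token(session):
    """Victim-side fix: bind state-changing actions to a per-session secret."""
    session.setdefault("csrf", secrets.token_hex(16))
    return session["csrf"]


def handle_logout(session, method, form):
    """Only a POST carrying the session's token logs the user out. An <img>
    fetch or a redirect is always a GET without the token, so it is refused."""
    if method != "POST":
        return 405
    if not hmac.compare_digest(form.get("csrf", ""), session.get("csrf", "")):
        return 403
    session.clear()
    return 200
```

The proxy path alone closes the cloaking gap only because the user never talks to the attacker's host; the size cap and `proxyable` check are the minimum a forum needs before it starts fetching URLs on behalf of its users. The `handle_logout` check is the independent fix on the victim side, which works whether or not the forum does anything.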

