WebApp Sec mailing list archives
Re: BBCode [IMG] [/IMG] Tag Vulnerability
From: Paul Laudanski <zx () castlecops com>
Date: Thu, 8 Sep 2005 13:17:25 -0400 (EDT)
On Tue, 23 Aug 2005, Christopher Kunz wrote:
> Tony Stahler wrote:
> > If you wanted to use the script to check it, yet not have to retrieve the image every time, you could have your server download the image during the post request (assuming it was a reasonable size...), check it, and then have the link be local from that point onward.
>
> That's not feasible for a number of reasons, some of which are pretty straightforward:
For purposes of discussion, we have a website: http://example.com

I think from the POV of webapp security, it would behoove example.com to disable IMG rendering unless those images reside on example.com. Effectively, this means example.com has to permit its members to upload images as attachments or into a photo gallery.

Ergo: no remote avatars, no remote images. All images are local. As such, they are the only ones rendered.

--
Paul Laudanski, http://castlecops.com
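The policy Paul describes (render an [IMG] tag only when the image lives on the site itself) as a small BBCode filter. This is an added example, not code from the post or from any forum package; it assumes Python, that example.com is served at the hostnames in ALLOWED_HOSTS, and that anything else in an [IMG] tag is shown as escaped text rather than fetched by the reader's browser.

```python
import re
from html import escape
from urllib.parse import urlsplit

# Hostnames whose images may render (assumed: the site from the post).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def is_local_image(url: str) -> bool:
    """True only for http(s) URLs on ALLOWED_HOSTS or same-site absolute paths.

    Rejects other schemes (javascript:, data:, ...), protocol-relative
    //host/ references, userinfo tricks (http://example.com@other.test/)
    and lookalike hosts (example.com.other.test), all of which would make
    a reader's browser request a third-party resource.
    """
    url = url.strip()
    if any(c in url for c in "\r\n\x00"):
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: allow /gallery/123.png, nothing else.
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    # urlsplit lowercases hostname; an exact match avoids suffix lookalikes.
    return (parts.hostname or "") in ALLOWED_HOSTS


def render_img_tags(bbcode: str) -> str:
    """Render [img]...[/img] for local images; show remote ones as text."""
    def repl(match: re.Match) -> str:
        url = match.group(1).strip()
        if is_local_image(url):
            return '<img src="%s" alt="">' % escape(url, quote=True)
        # Remote image: do not emit an <img>, just the escaped original tag.
        return escape(match.group(0))
    return IMG_TAG.sub(repl, bbcode)
```

Uploaded attachments and gallery pictures end up under ALLOWED_HOSTS, so they render; every other [IMG] target is left inert.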