WebApp Sec mailing list archives

Re: BBCode [IMG] [/IMG] Tag Vulnerability

From: Paul Laudanski <zx () castlecops com>
Date: Thu, 8 Sep 2005 13:17:25 -0400 (EDT)

On Tue, 23 Aug 2005, Christopher Kunz wrote:

Tony Stahler wrote:

If you wanted to use the script to check it, yet not have to retrieve
the image every time you could have your server download the image
during the post request (assuming it was a reasonable size..) ... check
it, and then have the link be local from that point onward.


That's not feasible for a number of reasons, some of which are pretty
straightforward:


For purposes of discussion, we have a website:

http://example.com

I think from the POV of webapp security, it would behoove example.com to 
disable IMG rendering unless those images reside on example.com.  
Effectively, this means example.com has to permit its members to upload 
images as attachments or into a photo gallery.

Ergo: no remote avatars, no remote images.  All images are local.  As 
such, they are the only ones rendered.

-- 
Paul Laudanski, http://castlecops.com


________ Information from Computer Cops, L.L.C. ________
This message was checked by NOD32 Antivirus System for Linux Mail Server.

  part000.txt - is OK
http://castlecops.com

Current thread:

Re: BBCode [IMG] [/IMG] Tag Vulnerability Paul Laudanski (Aug 22)
- Re: [Full-disclosure] Re: BBCode [IMG] [/IMG] Tag Vulnerability Christopher Kunz (Aug 22)
  - Re: BBCode [IMG] [/IMG] Tag Vulnerability Paul Laudanski (Aug 22)
- <Possible follow-ups>
- Re: BBCode [IMG] [/IMG] Tag Vulnerability Tony Stahler (Aug 23)
  - Re: BBCode [IMG] [/IMG] Tag Vulnerability Zak McGregor (Aug 23)
  - Re: BBCode [IMG] [/IMG] Tag Vulnerability Christopher Kunz (Aug 23)
    - Re: BBCode [IMG] [/IMG] Tag Vulnerability Paul Laudanski (Sep 08)
  - Re: BBCode [IMG] [/IMG] Tag Vulnerability Christopher Canova (Aug 27)