[21046] in bugtraq
Re: The Dangers of Allowing Users to Post Images (fwd)
daemon@ATHENA.MIT.EDU (Shafik Yaghmour)
Fri Jun 15 15:51:37 2001
Date: Fri, 15 Jun 2001 10:29:42 -0400 (EDT)
From: Shafik Yaghmour <shafik@acm.poly.edu>
To: bugtraq@securityfocus.com
Message-ID: <Pine.BSF.3.96.1010615102528.16337J-100000@acm.poly.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Yeah this is kind'a old if you have been developing sites for a
while, you also need to consider that someone can also do this off the
site as well. So if they have the ability to link to a site from your
site they can get people to go to that site and then do the post from that
site and this defeats this protection. Therefore, although, everyone disparages
HTTP_REFERER checking, in this case it will protect the innocent user.
For critical areas you could also force the user to enter their
password or something similar which will also prevent this attack from
working.
You also need to filter out javascript if you allow the user to
craft their own image tags, this is a much worse problem becasue they can
then claim the users cookie, encryption won't help you here. Of course
they could also do other bad things with javascript. ( It has been pointed
out to me that most tools out there already filter, I am just trying to be
complete, there may be some following the discussion that this is not
clear to )
As well if you do encypt cookies and you use lets say Mcrypt_CFB
be careful, if data items fall within a block they can twiddle bits and
corrupt data, in that block while leaving other blocks intact so I would
advise attaching a HASH of all the data in the cookie at the end, so if
you use a good HASH like MD5 it should be impossible for them to corrupt
cookie without you knowing, if you check.
I had at one point thought it would be useful to use IPs to verify
users identity but AOL proxies do not maintain IP Addresses so a users IP
can change rapidly as well they vary over the whole 2 last octets of the
IP so you can't even validate that they come from the same C class
network. AOL is far from the only one that does this, I have even seen a
users IP vary over different A class networks, IIRC they where from
Sympatico.
Take care
Wed, 13 Jun 2001, John Percival wrote:
> How can it be fixed? Well, there are a couple of ways to stop it, but the
> easiest (in PHP at least) seems to be to have most of the variables used by
> scripts be used through $HTTP_POST_VARS. So instead of checking for $action
> in a script, $HTTP_POST_VARS['action'] would be checked. This forces the
> user to use a POST request, not a GET. Alternatively, the sessionid could be
> required to come with the GET/POST request variables, rather than by cookie.
> Finally, in the specific case of [img] tags, the use of ? or & in the img
> URL can be disabled by some regexes.
==========================================================================
--"the more you know and understand the more you must know and understand
.. knowledge is an unsatiable hunger .. which makes life easier and at
the same time harder .... knowledge is a paradox w/ no resolution just
a boundless function of human nature .... knowledge is a trap which we
embrace and which we run away from .... and in the end the only escape
is death .... or maybe not "<grin>--
==========================================================================
-This message transmitted on 100% recycled electrons-
-Save the whales, Feed the hungry, Free the mallocs-
Two cats on a roof,
Which one falls off first?
The one with the smaller mew.
