RE: The Dangers of Allowing Users to Post Images

[rms () privacyfoundation org (Richard M. Smith)]

This is a *very* interesting finding.  It seems
kind of obvious too.  I wonder why no one seems
to have run across it before.  

This same weakness can be exploited from an
HTML email message also.  The bottom line is that
a privileged operation should always require
an HTTP POST and never allow a GET.  Hmm, I wonder how many
Web sites break this rule?

At least in Outlook 2002, cookies are disabled
in HTML email messages by default.  With other
email readers, cookies are likely turned on 
by default.

Interesting how cookies continue to bite us in the butt!  
In this situation, it is third-party cookies
that are doing the biting.

Of course, with JavaScript enabled in email,
a malicious message can still do a POST.  Yet
another reason to turn off JavaScript in email.

Richard M. Smith
CTO, Privacy Foundation
http://www.privacyfoundation.org

-----Original Message-----
From: John Percival [mailto:john () jelsoft com] 
Sent: Wednesday, June 13, 2001 2:33 PM
To: bugtraq () securityfocus com
Cc: clambert () whitecrown net
Subject: The Dangers of Allowing Users to Post Images


This exploit shows how almost any script that uses cookie session/login
data to validate CGI forms can be exploited if the users can post
images.

One of our developers, Chris 'stallion' Lambert (
clambert () whitecrown net ), discovered this exploit in a routine internal
security audit.

Allowing users to post inline images is potentially a bad thing. Having
the user authentication based solely on cookies is another potentially
bad thing. When you put them together, it gets a whole lot worse. I will
explain this problem with reference to a typical forum system, but
naturally, it can be extended to almost any other CGI script, not just
limited to PHP scripts. We have also tested this with Infopop's Ultimate
Bulletin Board 6.04e, ezboard 6.2 and WWW Threads PHP 5.4, and at the
time of writing, all three were susceptible to attack.