Bugtraq mailing list archives
Re: The Dangers of Allowing Users to Post Images
From: "Chris Lambert" <clambert () gamespy com>
Date: Thu, 14 Jun 2001 21:12:05 -0400
Most message boards filter out JavaScript by default. About referer checking, there are many clients which either do not send, or give the user the option to not send, HTTP_REFERERs. Therefore, it wouldn't be a good move to rely solely on checking the referer. However, would it be safe to check that if a referer is present, it contains the site's domain name, but if it isn't, it most likely wouldn't have been referenced in an <img> tag or submitted via JavaScript?

--
WhiteCrown Networks - Web Application Security
www.whitecrown.net - services () whitecrown net
______________________________
/ Chris Lambert - cjlambert () home com
|-> ICQ #: 16435685 - AIM: ClipperChris
`-> Cell: (401) 743-2786 - http://sms.clambert.org/

----- Original Message -----
From: Shafik Yaghmour <shafik () acm poly edu>

| Yeah this is kind'a old if you have been developing sites for a
| while, you also need to consider that someone can also do this off the
| site as well. So if they have the ability to link to a site from your
| site they can get people to go to that site and then do the post from that
| site and this defeats this protection. Therefore, although everyone disparages
| HTTP_REFERER checking, in this case it will protect the innocent user.
| You also need to filter out javascript if you allow the user to
| craft their own image tags, this is a much worse problem because they can
| then claim the user's cookie, encryption won't help you here. Of course
| they could also do other bad things with javascript.
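The referer policy debated above (accept a request with no Referer, but require a present Referer to name the site) as an added example for this archive page; it is not code from either poster. The host name and request headers are constructed placeholders. It compares the parsed host of the Referer rather than searching for the domain name as a substring, and keeps the literal substring test beside it only to show where the two disagree.

```python
"""Referer check for a state-changing form POST, per the policy in the thread.

Added illustration for this archive page, not code from the original posters.
"""
from urllib.parse import urlsplit

SITE_HOST = "board.example.net"  # constructed placeholder for the site's own host


def referer_allowed(referer, site_host=SITE_HOST):
    """Accept a missing Referer (many clients omit it); otherwise require that
    the Referer's parsed host is the site itself or one of its subdomains.

    Checking the parsed host, not a substring, means that
    http://other.example/?board.example.net and
    http://board.example.net.other.example/ are both rejected.
    """
    if referer is None or referer.strip() == "":
        return True
    parts = urlsplit(referer.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    site_host = site_host.lower()
    return host == site_host or host.endswith("." + site_host)


def substring_referer_check(referer, site_host=SITE_HOST):
    """The 'contains the site's domain name' test exactly as worded in the
    thread; kept only to contrast with referer_allowed above."""
    if not referer:
        return True
    return site_host.lower() in referer.lower()


def check_post(headers):
    """Decide whether a POST (headers given as a dict) should be processed."""
    return referer_allowed(headers.get("Referer"))


if __name__ == "__main__":
    # Constructed sample requests: a normal form submission, a client that
    # sends no Referer, and a cross-site submission from another host.
    samples = [
        {"Referer": "http://board.example.net/post.cgi"},
        {},
        {"Referer": "http://other.example/?board.example.net"},
    ]
    for h in samples:
        print(h.get("Referer"), "->", "accept" if check_post(h) else "reject")
```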