Bugtraq mailing list archives
Re: The Dangers of Allowing Users to Post Images
From: Ryan Kennedy <rkennedy () excitehome net>
Date: Fri, 15 Jun 2001 11:43:22 -0700
The interesting part of this bug is the fact that its exploitable on some very large sites, and is open to a large number of users. Bulletin boards in particular allow inline image posting, and this is what creates the problem...inline images in a system with cookie based authentication.
One system that has been entirely ignored in the conversation thus far is webmail services. Many webmail clients inline HTML parts leaving themselves susceptible to attack. More importantly, systems that provide single sign on to several services through cookie based systems (i.e. a portal) make themselves even more vulnerable. Imagine a portal with webmail. A user receives an inlined image which has it's source URL pointing to some service on that portal's network. That request is now authorized as far as the portal's concerned. Even if the mail application is secure from attack, there's no guarantee that all other services on the portal network are secure.
This technique has more issues than just false authentication, though, and could possibly be used towards distributed DoS type attacks. Some forums have 50k+ users, and each user who viewed a certain thread could be accessing some resource intensive script on a remote server. If posted on several highly trafficed forums, the victimized server would go down in no time.
The DoS attack is actually much worse than it sounds. Imagine posting an HTML message with an image tag to a newsgroup, instead of a web forum, with heavy traffic (some porn images group). If the image tag had it's source pointing to a common URL, it could quickly bring that site down due to the volume of people downloading the message from the newsgroup and referencing the image tag contained within. Ryan Kennedy
Current thread:
- Re: The Dangers of Allowing Users to Post Images, (continued)
- Re: The Dangers of Allowing Users to Post Images Brett Lymn (Jun 18)
- RE: The Dangers of Allowing Users to Post Images Richard M. Smith (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Marc Slemko (Jun 16)
- Re[2]: The Dangers of Allowing Users to Post Images Alexander K. Yezhov (Jun 16)
- Re: The Dangers of Allowing Users to Post Images Ben Gollmer (Jun 15)
- Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images) Peter W (Jun 15)
- Re: The Dangers of Allowing Users to Post Images David Dreezer (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Chris Lambert (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Ryan Kennedy (Jun 16)
- Re: The Dangers of Allowing Users to Post Images Chris Lambert (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Chris Lambert (Jun 15)
- Re: The Dangers of Allowing Users to Post Images Peter W (Jun 16)
- Message not available
- Message not available
- Re: The Dangers of Allowing Users to Post Images Jason Brooke (Jun 18)
- Re: The Dangers of Allowing Users to Post Images Peter W (Jun 16)