Re: The Dangers of Allowing Users to Post Images

["Sverre H. Huseby" <shh () thathost com>]

[www-mobile-code would probably be a more appropriate list for this]

It seems to me that what you talk about is "Client Side Trojans",
which were discussed in the Zope forum in May last year.

  http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan

This is a far reaching security problem.  The links you talk about may
just as well be sent in mail, or they may be viewed from a different
web site.  Mails and different web sites may include JavaScript that
posts prefilled forms on behalf of the user, so using POST rather than
GET will not fully solve the problem.  As long as the user is already
authenticated to the site in questions.  Some sites offering "always
logged in", and intranets using eg. NTLM authentication are
particularly vulnerable to this kind of attack.

A possible solution (for web developers) seems to be to make sure the
user has been given an offer to do something before letting him do it:
Give each user a unique "ticket", and for each "action" on a web page,
bind this ticket to it.  Examples on URL an form follow:

  http://vote.com/vote.cgi?answer=1&ticket=9871398747

  <input type="hidden" name="ticket" value="9871398747">

When the request comes in, check if the incoming ticket matches the
one stored in this user's session.  If it does, this particular user
was given the offer by our server, and not by anyone else.  To spoof
this system, someone would have to guess or otherwise find out what
ticket value the victim was given by the server.

To make it harder to find the ticket value given to a user, you could
give the user many tickets, one for each possible action.  This
solution would require a "ticket pool" in the user's session.  I've
implemented the latter solution in both PHP and Java.  Let me know if
you would like some code.  (It's not at all hard to implement, of
course.)


Sverre.

-- 
<URL:mailto:shh () thathost com>
<URL:http://shh.thathost.com/>