Re: The Dangers of Allowing Users to Post Images

[Ryan Kennedy <rkennedy () excitehome net>]

> The interesting part of this bug is the fact that its exploitable on some
> very large sites, and is open to a large number of users. Bulletin boards in
> particular allow inline image posting, and this is what creates the
> problem...inline images in a system with cookie based authentication.

One system that has been entirely ignored in the conversation thus far
is webmail services. Many webmail clients inline HTML parts leaving
themselves susceptible to attack. More importantly, systems that provide
single sign on to several services through cookie based systems (i.e. a
portal) make themselves even more vulnerable. Imagine a portal with
webmail. A user receives an inlined image which has it's source URL
pointing to some service on that portal's network. That request is now
authorized as far as the portal's concerned. Even if the mail
application is secure from attack, there's no guarantee that all other
services on the portal network are secure.

> This technique has more issues than just false authentication, though, and
> could possibly be used towards distributed DoS type attacks. Some forums
> have 50k+ users, and each user who viewed a certain thread could be
> accessing some resource intensive script on a remote server. If posted on
> several highly trafficed forums, the victimized server would go down in no
> time.

The DoS attack is actually much worse than it sounds. Imagine posting an
HTML message with an image tag to a newsgroup, instead of a web forum,
with heavy traffic (some porn images group). If the image tag had it's
source pointing to a common URL, it could quickly bring that site down
due to the volume of people downloading the message from the newsgroup
and referencing the image tag contained within.

Ryan Kennedy