Tilted Forum Project Discussion Community - View Single Post

Yakk · 11-13-2006, 06:27 PM

Reason:
http://metatalk.metafilter.com/mefi/12920
http://www.metafilter.com/mefi/55720

Example (I made the IMG tag not work -- remove the spaces, and something neat happens):
[ img ]http://tinyurl.com/fwzbm[ /img ]

well, that probably wouldn't work. But the IMG tag above would cause your browser to do a HTTP GET request on the link:
http://tinyurl.com/fwzbm
which is
http://collect.myspace.com/index.cfm?fuseaction=signout
which signs you out of myspace. As that isn't a valid image, you don't see anything visible.

Any website that uses unvalidated GETs to change state (yes, that is against the RFCs, but people do it)....

...

And, as an aside, if TFP hosts user-generated images, someone can use flash and a cutely-written GIF (or other) file to have a browser run arbitrary POST and GET operations, using the user's state, on TFP.

In effect you fool the browser into thinking a GIF file is a crossdomain.xml instruction that states "TFP accepts cross domain flash POSTs and GETs from any website", then get flash to do arbitrary gets/posts on TFP.

Worse, the flash can munge the headers all it wants, so you can't check by referrer.

To prevent this attack, you have to not host images that hostile people can upload. Or you could check and try to make sure the images don't contain crossdomain.xml instructions...

You can reduce this attack by making sure that user-submitted hosted images are hosted in a unique and deep subdirectory, or on a different domain. Then the attack applies to the subdirectory or the different domain only.

Just thought you would like to know!

Note that the first problem (images can cause GET requests) is mainly a problem for other websites -- it appears that TFP adds randomized tokens to the end of state-changing GET requests (and, more importantly, checks to see if they are there -- myspace has such a token, but it seems to ignore it...).

So linking of images is less important -- however, it does mean that I could, say, have any metafilter reader mark a post of mine on metafilter as their favorate without them realizing it.

The "crossdomain.xml" image attack is new, and more dangerous. In effect, with a hostile hosted image, a flash application on another website can do arbitrary user actions (or moderator actions, if a moderator looks at the flash app) on TFP.

11-13-2006, 06:27 PM	#1 (permalink)
Yakk Wehret Den Anfängen! Location: Ontario, Canada	Disable inline images and image hosting Reason: http://metatalk.metafilter.com/mefi/12920 http://www.metafilter.com/mefi/55720 Example (I made the IMG tag not work -- remove the spaces, and something neat happens): [ img ]http://tinyurl.com/fwzbm[ /img ] well, that probably wouldn't work. But the IMG tag above would cause your browser to do a HTTP GET request on the link: http://tinyurl.com/fwzbm which is http://collect.myspace.com/index.cfm?fuseaction=signout which signs you out of myspace. As that isn't a valid image, you don't see anything visible. Any website that uses unvalidated GETs to change state (yes, that is against the RFCs, but people do it).... ... And, as an aside, if TFP hosts user-generated images, someone can use flash and a cutely-written GIF (or other) file to have a browser run arbitrary POST and GET operations, using the user's state, on TFP. In effect you fool the browser into thinking a GIF file is a crossdomain.xml instruction that states "TFP accepts cross domain flash POSTs and GETs from any website", then get flash to do arbitrary gets/posts on TFP. Worse, the flash can munge the headers all it wants, so you can't check by referrer. To prevent this attack, you have to not host images that hostile people can upload. Or you could check and try to make sure the images don't contain crossdomain.xml instructions... You can reduce this attack by making sure that user-submitted hosted images are hosted in a unique and deep subdirectory, or on a different domain. Then the attack applies to the subdirectory or the different domain only. Just thought you would like to know! Note that the first problem (images can cause GET requests) is mainly a problem for other websites -- it appears that TFP adds randomized tokens to the end of state-changing GET requests (and, more importantly, checks to see if they are there -- myspace has such a token, but it seems to ignore it...). So linking of images is less important -- however, it does mean that I could, say, have any metafilter reader mark a post of mine on metafilter as their favorate without them realizing it. The "crossdomain.xml" image attack is new, and more dangerous. In effect, with a hostile hosted image, a flash application on another website can do arbitrary user actions (or moderator actions, if a moderator looks at the flash app) on TFP. __________________ Last edited by JHVH : 10-29-4004 BC at 09:00 PM. Reason: Time for a rest. Last edited by Yakk; 11-14-2006 at 08:21 AM.. Reason: Automerged Doublepost