|
11-13-2006, 06:27 PM
|
#1 (permalink) |
|
Wehret Den Anfängen!
Location: Ontario, Canada
|
Disable inline images and image hosting
Reason:
http://metatalk.metafilter.com/mefi/12920 http://www.metafilter.com/mefi/55720 Example (I made the IMG tag not work -- remove the spaces, and something neat happens): [ img ]http://tinyurl.com/fwzbm[ /img ] well, that probably wouldn't work. But the IMG tag above would cause your browser to do a HTTP GET request on the link: http://tinyurl.com/fwzbm which is http://collect.myspace.com/index.cfm?fuseaction=signout which signs you out of myspace. As that isn't a valid image, you don't see anything visible. Any website that uses unvalidated GETs to change state (yes, that is against the RFCs, but people do it).... ... And, as an aside, if TFP hosts user-generated images, someone can use flash and a cutely-written GIF (or other) file to have a browser run arbitrary POST and GET operations, using the user's state, on TFP. In effect you fool the browser into thinking a GIF file is a crossdomain.xml instruction that states "TFP accepts cross domain flash POSTs and GETs from any website", then get flash to do arbitrary gets/posts on TFP. Worse, the flash can munge the headers all it wants, so you can't check by referrer. To prevent this attack, you have to not host images that hostile people can upload. Or you could check and try to make sure the images don't contain crossdomain.xml instructions... You can reduce this attack by making sure that user-submitted hosted images are hosted in a unique and deep subdirectory, or on a different domain. Then the attack applies to the subdirectory or the different domain only. Just thought you would like to know! Note that the first problem (images can cause GET requests) is mainly a problem for other websites -- it appears that TFP adds randomized tokens to the end of state-changing GET requests (and, more importantly, checks to see if they are there -- myspace has such a token, but it seems to ignore it...). So linking of images is less important -- however, it does mean that I could, say, have any metafilter reader mark a post of mine on metafilter as their favorate without them realizing it. The "crossdomain.xml" image attack is new, and more dangerous. In effect, with a hostile hosted image, a flash application on another website can do arbitrary user actions (or moderator actions, if a moderator looks at the flash app) on TFP.
__________________
Last edited by JHVH : 10-29-4004 BC at 09:00 PM. Reason: Time for a rest. Last edited by Yakk; 11-14-2006 at 08:21 AM.. Reason: Automerged Doublepost |
|
|
06-13-2007, 12:57 AM
|
#2 (permalink) |
|
Upright
|
I know you won’t believe me but this is true……I was not aware of image hosting. Yesterday my little nephew was doing his homework; I offered him help and he asked me to give the extensions for images. As I only know about jpeg so I told him so but my nephew told me that the questions demands 2 answers hence I took his textbook to search for the answer. When I was reading his book, I came to know that there are image hosting sites like http://www.uploadit.org or http://2and2.net that act as a store for your pictures. Isn’t it pretty cool?
|
|
|
|
06-14-2007, 02:12 PM
|
#3 (permalink) |
|
The Reforms
Location: Rarely, if ever, here or there, but always in transition
|
Has a mod taken a look at Yakk's detailed explanation of something tthat, I think, would be harmful to the site
 just a heads-up... oh, and buggy, welcome to the age of discovery, my friend. 
__________________
As human beings, our greatness lies not so much in being able to remake the world (that is the myth of the Atomic Age) as in being able to remake ourselves. —Mohandas K. Gandhi |
|
|
|
09-10-2007, 06:17 PM
|
#4 (permalink) | |
|
The sky calls to us ...
Super Moderator
Location: CT
|
Quote:
It's fairly simple to block third-party GET and POST requests, I'll mention it and see if the admins want to make changes. Last edited by MSD; 09-10-2007 at 06:19 PM.. |
|
|
|
| Tags |
| disable, hosting, image, images, inline |
|
|
