MyBB Community Forums

Full Version: Disallow scripts in [IMG]
Well, there are some people who make malicious scripts and use them in an [IMG] tag, so they execute once the viewer visits that page.

Meanwhile, I found this image online of what information they get once they view the page:
http://i909.photobucket.com/albums/ac291...74e21c.jpg

Sometimes, they even ask the user to fill in a user/pass form, which is sent to them.

Is there any way to prevent this?

Thank you.
Wait, what? A script running from viewing an image, where the script IS the image???

I thought that was sci-fi stuff they used in TV shows...
I could understand XSS... but this? that's a new one on me.
how does it work?
from there one can figure out how to stop it.
although honestly something doesn't seem realistic about this. scripts can do some terrible things.. but an image??
script tags are disabled by default, even if you allow HTML in posts. they are allowed to be added to a post, but upon parsing it for display the < and > are replaced with &lt; and &gt; thus disabling the tag.
thanks pavemen, then what is OP referring to?
I have no idea, perpetuating a rumor I suspect.
Not so. If a user places a link to a malicious file within image tags:

[img]http://myhost.com/somesuspiciousfile.png[/ img]

They can cause all sorts of mischief such as showing dialogues requesting a password etc. That's why we always advise to double check the hostname when entering a password or any type of user details at all on the internet.

This whole idea has been brought up before and there's really not a great deal we can do about it.
Sorry, I might not have explained well, as English isn't my native language, so I don't know it really well.

I mean, they link to .php or other files instead of an image in [IMG] tags, so it loads as the page does and either asks the user to log in, with that information being sent to him, or shows as an empty image but does stuff behind it, such as getting the IP address and so on.

Example .php page would be:
<?php
$ip = $_SERVER['REMOTE_ADDR']; // address of whoever requested the "image"
error_log($ip);                // record it in the remote server's log
ah yes, on the remote server side, i thought the OP was talking about direct script tags.

the offending remote site can configure its server to output scripts instead of images.

i think it could possibly be overcome by changing the image tags to write an iframe so any script only operates in that frame. another alternative may be an output buffering session that specifies header('accept: image/jpg'); function and then dumps the image to the buffer and then that gets dumped to the browser.

however the latter is not as efficient as a direct call to the

(2013-03-17, 03:03 PM)Master Mind Wrote: [ -> ]Sorry, I might not have explained well, as English isn't my native language, so I don't know it really well.

I mean, they link to .php or other files instead of an image in [IMG] tags, so it loads as the page does and either asks the user to log in, with that information being sent to him, or shows as an empty image but does stuff behind it, such as getting the IP address and so on.

Example .php page would be:
<?php
$ip = $_SERVER['REMOTE_ADDR']; // address of whoever requested the "image"
error_log($ip);                // record it in the remote server's log

they get your IP anyway from the server logs. you are requesting a file from their server, be it an actual image or a script, they have your IP in the access_log just as your site has their IP logged not just in the forum post, but on any connection to your server.
(2013-03-17, 03:11 PM)pavemen Wrote: [ -> ]
(2013-03-17, 03:03 PM)Master Mind Wrote: [ -> ]Sorry, I might not have explained well, as English isn't my native language, so I don't know it really well.

I mean, they link to .php or other files instead of an image in [IMG] tags, so it loads as the page does and either asks the user to log in, with that information being sent to him, or shows as an empty image but does stuff behind it, such as getting the IP address and so on.

Example .php page would be:
<?php
$ip = $_SERVER['REMOTE_ADDR']; // address of whoever requested the "image"
error_log($ip);                // record it in the remote server's log

they get your IP anyway from the server logs. you are requesting a file from their server, be it an actual image or a script, they have your IP in the access_log just as your site has their IP logged not just in the forum post, but on any connection to your server.

Yes, but for example, if I'm an owner of a forum and someone else is doing this, he can obtain my IP address, which isn't very good.

The accept image/jpg is a good idea, but what if the image is gif/png etc?
what IP are you worried about? The server's IP is public and your IP is different than the server's and you are giving every site you visit that IP. Plus, unless you are the only person viewing that page ever, they don't know it was you that viewed the image/script from their server, as it's just an IP and a timestamp.
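
The proxying idea raised earlier in the thread, extended to cover the gif/png question, as an added example that is not code from any poster or from MyBB: the check a server-side image proxy could run on a fetched [img] response before re-serving it. The function name, the allow-list and the sample responses are assumptions constructed for illustration.

```php
<?php
// Added example: decide whether a fetched [img] response is safe to re-serve.
// The sample responses at the bottom are constructed, not real captures.

const IMAGE_SIGNATURES = [
    'image/jpeg' => ["\xFF\xD8\xFF"],
    'image/png'  => ["\x89PNG\r\n\x1A\n"],
    'image/gif'  => ['GIF87a', 'GIF89a'],
];

function check_image_response(int $status, array $headers, string $body): array
{
    $headers = array_change_key_case($headers, CASE_LOWER);

    // A 401 with WWW-Authenticate is what makes a browser show a login dialog.
    if ($status === 401 || isset($headers['www-authenticate'])) {
        return [false, 'remote host asks for credentials'];
    }
    if ($status !== 200) {
        return [false, "unexpected status $status"];
    }

    // Keep the media type only, dropping parameters such as "; charset=...".
    $type = strtolower(trim(explode(';', $headers['content-type'] ?? '')[0]));
    if (!array_key_exists($type, IMAGE_SIGNATURES)) {
        return [false, "content type '$type' is not an allowed image type"];
    }

    // The declared type must agree with the leading bytes of the body.
    foreach (IMAGE_SIGNATURES[$type] as $magic) {
        if (strncmp($body, $magic, strlen($magic)) === 0) {
            return [true, $type];
        }
    }
    return [false, "body does not start with a $type signature"];
}

$samples = [
    'real png'      => [200, ['Content-Type' => 'image/png'], "\x89PNG\r\n\x1A\n...."],
    'real gif'      => [200, ['Content-Type' => 'image/gif'], 'GIF89a....'],
    'login prompt'  => [401, ['WWW-Authenticate' => 'Basic realm="Forum login"'], ''],
    'html as image' => [200, ['Content-Type' => 'text/html'], '<html>...</html>'],
    'fake jpeg'     => [200, ['Content-Type' => 'image/jpeg'], '<?php /* not an image */'],
];

foreach ($samples as $name => [$status, $headers, $body]) {
    [$ok, $detail] = check_image_response($status, $headers, $body);
    printf("%-14s %s (%s)\n", $name, $ok ? 'serve' : 'block', $detail);
}
```

A proxy built on this would re-send the body under the verified type together with `X-Content-Type-Options: nosniff`, so viewers contact the forum's server rather than the remote host.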