MyBB Community Forums

Full Version: PHP in [img]
Even Google Images will crawl and index an image regardless of its extension. Say Google Images has a pretty big security issue?
Imo there are two separate issues resulting from this

1) privacy issue
there is a call to another server - so basic data is submitted even if only an image is loaded (scripts allow for more data to be fetched, but there is no effective way to prevent users from bypassing checks for valid images)

To prevent this there is only one thing you can do - disable the img tag and allow only images uploaded as attachments, disable gravatar and disable url avatars (one might submit this as a feature suggestion for 1.8.1). Disabling the img tag is already possible I think...

2) xss
The postkey used by MyBB should prevent that (assuming it's generated in a way that cannot be emulated without access to the database (I think it is like that, but not absolutely sure atm))
(2014-08-10, 09:22 PM)TheGarfield Wrote: [ -> ]Even Google Images will crawl and index an image regardless of its extension. Say Google Images has a pretty big security issue?

Google Image's IP isn't important, nor is the system vulnerable to phishing because a) it has no data to give and b) because it's not told to be filling in htaccess forms

I'd like some kind of whitelist for urls permitted in the url tag, quite nice. Some users will fill out a username password box regardless.
A htaccess auth form is possible without a script being executed... protecting the directory the image is in with an http basic auth is enough ...
It is not possible for an embedded image to execute any scripts on the target site. Anything that is possible with a php "image" is possible with a real image as well. So no phishing. IP tracking is possible no matter what is served.
(2014-08-11, 01:56 PM)Nik101010 Wrote: [ -> ]A htaccess auth form is possible without a script being executed... protecting the directory the image is in with an http basic auth is enough ...

Yeah, I guess that's also something, that can happen to any type of file huh, so perhaps limiting the sites that you can use for uploading images to (avatars, img tags etc)?

(2014-08-11, 02:07 PM)Firestryke31 Wrote: [ -> ]It is not possible for an embedded image to execute any scripts on the target site. Anything that is possible with a php "image" is possible with a real image as well. So no phishing. IP tracking is possible no matter what is served.

That's interesting then. I'd still like the idea of whitelisting sites, but in that case I don't exactly mind since access logs are gonna log IPs regardless of what content is served.
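
One way to implement the host whitelist for [img] tags suggested in this thread, as an added example that is not part of any post and is not MyBB code. The function names and the allowed host are hypothetical, and only the plain [img]url[/img] form is handled.

```php
<?php
// Added example, not MyBB code. Function names and host list are hypothetical.

// True only for http(s) URLs whose host is an allowed host or a subdomain of one.
function img_host_allowed(string $url, array $allowedHosts): bool
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Reject user:pass@host forms, which can disguise the real host.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $host = rtrim(strtolower($parts['host']), '.');
    foreach ($allowedHosts as $allowed) {
        $suffix = '.' . strtolower($allowed);
        if ($host === strtolower($allowed) || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Leave allowed [img] tags alone; reduce the rest to plain URL text so the
// reader's browser does not fetch them automatically.
function filter_img_tags(string $message, array $allowedHosts): string
{
    $out = preg_replace_callback(
        '#\[img\](.*?)\[/img\]#is',
        function (array $m) use ($allowedHosts): string {
            return img_host_allowed($m[1], $allowedHosts) ? $m[0] : $m[1];
        },
        $message
    );
    return $out ?? ''; // fail closed if the regex engine reports an error
}

// Constructed sample post and allowlist.
$allowed = ['i.example.org'];
$post = '[img]https://i.example.org/a.png[/img] '
      . '[img]http://tracker.example.net/pixel.php[/img] '
      . '[img]https://i.example.org.evil.example/b.png[/img]';
echo filter_img_tags($post, $allowed), "\n";
```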