Home page logo

bugtraq logo Bugtraq mailing list archives

Re: The Dangers of Allowing Users to Post Images
From: "Chris Lambert" <clambert () gamespy com>
Date: Thu, 14 Jun 2001 21:12:05 -0400

Most message boards filter out JavaScript by default. About referer
checking, there are many clients which either do not send, or give the user
the option to not send, HTTP_REFERERs. Therefore, it wouldn't be a good move
to rely solely on checking the referer. However, would it be safe to check
that if a referer is present, it contains the sites' domain name, but if it
isn't, it most likely wouldn't have been referenced in an <img> tag or
submitted via JavaScript?
WhiteCrown Networks - Web Application Security
www.whitecrown.net - services () whitecrown net
/ Chris Lambert - cjlambert () home com
|-> ICQ #: 16435685 - AIM: ClipperChris
`-> Cell: (401) 743-2786 - http://sms.clambert.org/
----- Original Message -----
From: Shafik Yaghmour <shafik () acm poly edu>

| Yeah this is kind'a old if you have been developing sites for a
| while, you also need to consider that someone can also do this off the
| site as well. So if they have the ability to link to a site from your
| site they can get people to go to that site and then do the post from that
| site and this defeats this protection. Therefore, although, everyone
| HTTP_REFERER checking, in this case it will protect the innocent user.

| You also need to filter out javascript if you allow the user to
| craft their own image tags, this is a much worse problem becasue they can
| then claim the users cookie, encryption won't help you here. Of course
| they could also do other bad things with javascript.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]