Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: The Dangers of Allowing Users to Post Images
From: Ryan Kennedy <rkennedy () excitehome net>
Date: Fri, 15 Jun 2001 11:43:22 -0700

The interesting part of this bug is the fact that its exploitable on some
very large sites, and is open to a large number of users. Bulletin boards in
particular allow inline image posting, and this is what creates the
problem...inline images in a system with cookie based authentication.

One system that has been entirely ignored in the conversation thus far
is webmail services. Many webmail clients inline HTML parts leaving
themselves susceptible to attack. More importantly, systems that provide
single sign on to several services through cookie based systems (i.e. a
portal) make themselves even more vulnerable. Imagine a portal with
webmail. A user receives an inlined image which has it's source URL
pointing to some service on that portal's network. That request is now
authorized as far as the portal's concerned. Even if the mail
application is secure from attack, there's no guarantee that all other
services on the portal network are secure.

This technique has more issues than just false authentication, though, and
could possibly be used towards distributed DoS type attacks. Some forums
have 50k+ users, and each user who viewed a certain thread could be
accessing some resource intensive script on a remote server. If posted on
several highly trafficed forums, the victimized server would go down in no
time.

The DoS attack is actually much worse than it sounds. Imagine posting an
HTML message with an image tag to a newsgroup, instead of a web forum,
with heavy traffic (some porn images group). If the image tag had it's
source pointing to a common URL, it could quickly bring that site down
due to the volume of people downloading the message from the newsgroup
and referencing the image tag contained within.

Ryan Kennedy


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]