security risks from <img src=?

lomn75

Purple Ace
Joined
Jun 26, 2000
Messages
6,613
For a project I'm working on, I've got an option akin to forum avatars. I'd like to be able to support uploading images as well as linking remote images.

Anyway, I can do security checking on file types being uploaded without an issue, but I don't know that I can do much screening beyond file extension and "http://" for the remote option. Does anyone know of a potential exploit with <img src="http://arbitrary text here.ext" /> that I need to watch for?
 
if this is in php, you can use getimagesize() to determine if the uploaded file is actually a picture (you would likely want to suppress errors with @getimagesize()) to go a step beyond just the extension.

[just reread your post and you said that you could already check file types for uploads so nevermind that part]

as far as remote files, i'm sure there's some way to exploit it but i think someone would have to try very hard. just be sure to only allow image extensions, .gif, .png, .jp(e)g [again rereading and i guess you're doing that]. it's easy enough to make apache run a file with .jpg extension as a php script say, such as here
getstitch.jpg

in .htaccess in that folder
Code:
AddType application/x-httpd-php .jpg

in that case, all it does is randomly choose between good and bad stitch, nothing more. i have no idea how someone could really do anything bad with that though. there are a whole freakin lot of forums on the internet and they all seem to be here still. i think you're worrying a bit too much. afaik, if the called url doesn't return a picture, i.e. tries to run a script instead, all that will happen is a red x
 
OK. I didn't figure there'd be much concern, but neither am I familiar with how forums go about dealing with avatars. Thanks for the input.
 
There is one potential security issue, but it depends more on the computing experience of your users. If I were to password-protect an image (using http basic auth), then an Authentication box would show up whenever someone viewed a page with my avatar on it. If I were to make the realm believable "Name of your forum", then inexperienced users would probably put their username and password into it.
 
fat-tony said:
There is one potential security issue, but it depends more on the computing experience of your users. If I were to password-protect an image (using http basic auth), then an Authentication box would show up whenever someone viewed a page with my avatar on it. If I were to make the realm believable "Name of your forum", then inexperienced users would probably put their username and password into it.
Wouldn't that flunk the exif_imagetype() / getimagesize() test, though? Looks like a preventive measure like that would take care of it. Although they could still do HTTP Auth after the fact, don't know of any fix there except periodically rechecking the files.
I guess that brings up another possible flaw... speaking of after the fact, malware.ext could always be renamed avatar.jpg once the benign version is accepted....

Anyhoo, I'll probably just stick with form-string auth. The exif function looked particularly handy, but I'm writing for distribution and don't really want to continue jacking up the required PHP version.
 
It would be pretty trivial to get around. For example, if I were targeting your forum, I could have my script check where the request is coming from. If it comes from your IP, then don't ask for auth, otherwise ask. You could even go as far as only asking 10% of the time, to make the tracing harder.
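An added example (not code from any poster in this thread) of the kind of server-side check discussed above: it fetches the remote URL itself, rejects any response other than a plain 200 (so an HTTP Basic Auth challenge, a 401, never reaches a viewer's browser), and classifies the body by its bytes with getimagesizefromstring() instead of trusting the extension or Content-Type. It assumes PHP 7+ with the cURL extension; the function name and the size cap are this example's own choices.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ with the cURL extension;
// the size cap and function name are this example's own choices.
function validate_remote_avatar($url, $maxBytes = 262144)
{
    // 1. Accept only plain http(s) URLs with a host and no embedded credentials.
    $p = parse_url($url);
    if ($p === false || !in_array($p['scheme'] ?? '', ['http', 'https'], true)
        || empty($p['host']) || isset($p['user'])) {
        return [false, 'unsupported url'];
    }

    // 2. Fetch it server-side with timeouts, no redirects and a size cap, so the
    //    browser of whoever views the page never talks to the remote host here.
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => $maxBytes, // honoured only when Content-Length is sent
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $ctype  = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    curl_close($ch);

    // 3. Anything but a plain 200 is rejected. A 401 is exactly the Basic Auth
    //    login box described in the thread; a redirect could point anywhere later.
    if ($body === false || $status !== 200) {
        return [false, "http status $status"];
    }
    if (strlen($body) > $maxBytes) {
        return [false, 'too large'];
    }

    // 4. Classify by the bytes, not the extension or the header: a .jpg URL can be
    //    backed by a script, as the AddType example in the thread shows.
    $info = @getimagesizefromstring($body);
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return [false, 'body is not a gif/jpeg/png'];
    }
    // A Content-Type that disagrees with the bytes is a cheap extra red flag.
    $declared = strtolower(trim(strtok($ctype, ';')));
    if ($declared !== '' && $declared !== image_type_to_mime_type($info[2])) {
        return [false, "content-type $declared does not match image bytes"];
    }
    return [true, $body]; // store $body locally and serve that copy
}
```

Keeping the returned bytes and serving them from your own host, rather than hot-linking the original URL, also removes the need for the periodic rechecking mentioned above, since a later rename or auth change on the remote server no longer reaches your users.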
 