Re: The Dangers of Allowing Users to Post Images

From: John Percival (johnat_private)
Date: Tue Jun 19 2001 - 14:14:44 PDT

    I'm going to try and throw another issue into this discussion now too:
    denial of service. We have discussed it for attacking remote servers, but
    not for the client viewing the image. It's something else that I spotted
    while I was playing around with this issue just now.
    
    If you have images that include a mailto:meat_private source,
    then the default handler for mailto: links is opened up. Be that Outlook,
    Netscape Composer, Eudora, or whatever else you care to use.
    
    So if someone embedded 100 (arbitrary figure) mailto: images in a page, then
    this would do a lot of harm to the user's computer. At best, it would get
    very busy for a few minutes creating new emails, and would be a pain to
    clear up. At worst, it could bring the whole system crashing down.
    
    So there's something else that needs to be checked in webmail clients in
    incoming mail, or user submitted content on forums, guestbooks, etc.
    Blocking mailto: in image tags seems like the best solution for us at
    vBulletin, so that is probably what we will do. In most general cases, only
    allowing mailto: in <a href=... tags seems like the best solution, or at
    least not allowing it in images, iframes, embed, object, javascript, etc,
    etc. I have a feeling that accessing news: or nntp:// might have a similar
    undesirable effect, but I have not tested this.
    
    Finally, another problem that we had to address a while ago in vBulletin was
    the use of the about: 'handler' in Internet Explorer. Try viewing this URL
    from your favourite version of IE (tested on 6.0 beta)
    
    about:<head><title>Hi</title></head><body><p>Hello</p></body>
    
    This allows anyone to insert their very own HTML, unchecked for nasties,
    javascript, or anything else, directly into the client's browser. Note that
    it may need to be 'url encoded' according to RFC1738. This will work for an
    <a tag, and I guess that it would probably work for an iframe. In vBulletin,
    we test against that by adding a space between about and the colon, which
    effectively disables any problems.
    
    A few that I did test within images in Internet Explorer 6.0, but did not
    come out with anything useful, are:
    http://wwp.icq.com/scripts/search.dll?to=42892594
    aim:goim?screenname=jhpercival&message=Hi.+Are+you+there?
    telnet://loggerat_private
    
    Anyway, a few more things to discuss and chew over there!
    
    Regards,
    John Percival
    Product Manager, vBulletin
    
    http://www.vbulletin.com/
    mailto:johnat_private
    
    "vBulletin: Community Instantly"
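As an added illustration of the allowlist approach John describes (this is my own example code, not vBulletin's and not part of the original post), the Python below accepts only http/https or relative sources in <img> tags and rejects mailto:, about:, news:, nntp:, javascript: and every other scheme, rather than blocklisting each handler by name. It percent-decodes the source first, since the post notes the about: payload may be URL-encoded per RFC 1738, and strips whitespace and control characters that some browsers ignore inside a URL. The function names, the `example.invalid` hosts and the sample post are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Schemes a user-supplied image (or iframe/embed/object) may use.  Everything
# else (mailto:, about:, javascript:, news:, nntp:, aim:, telnet:, ...) is
# refused, so a handler we have not thought of is covered automatically.
ALLOWED_SCHEMES = {"http", "https"}

# A URL scheme per RFC 1738/3986: a letter followed by letters, digits, '+', '.', '-'.
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")
# Whitespace and control characters that browsers tend to ignore inside a URL.
_CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")

_IMG_TAG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
_SRC_ATTR_RE = re.compile(
    r"\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.IGNORECASE
)


def normalize_url(url: str) -> str:
    """Undo percent-encoding (twice, to catch double encoding) and drop control chars."""
    decoded = unquote(unquote(url))
    return _CONTROL_RE.sub("", decoded)


def is_safe_image_src(url: str) -> bool:
    """True only if the source is relative or uses an allowed scheme."""
    cleaned = normalize_url(url)
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        # No scheme at all: a relative path such as "/images/a.png" or "a.png".
        return True
    return match.group(1).lower() in ALLOWED_SCHEMES


def image_src(tag: str) -> Optional[str]:
    """Extract the raw src attribute value from one <img ...> tag, or None."""
    match = _SRC_ATTR_RE.search(tag)
    if match is None:
        return None
    return next(g for g in match.groups() if g is not None)


def audit_image_sources(html: str) -> List[Tuple[str, bool]]:
    """List every <img> src in the HTML with the verdict of the allowlist check."""
    results = []
    for tag_match in _IMG_TAG_RE.finditer(html):
        src = image_src(tag_match.group(0))
        if src is not None:
            results.append((src, is_safe_image_src(src)))
    return results


def strip_unsafe_images(html: str) -> str:
    """Replace every <img> whose src fails the check with a plain-text marker."""
    def replace(tag_match: "re.Match[str]") -> str:
        src = image_src(tag_match.group(0))
        if src is None or not is_safe_image_src(src):
            return "[image removed]"
        return tag_match.group(0)
    return _IMG_TAG_RE.sub(replace, html)


# Constructed sample of user-submitted forum content (not from the original post).
SAMPLE_POST = (
    "<p>Hi</p>"
    '<img src="http://example.invalid/pic.png">'
    '<img src="mailto:someone@example.invalid">'
    "<img src='%6Dailto:someone@example.invalid'>"      # percent-encoded scheme
    '<img src="about:%3Cp%3EHello%3C/p%3E">'            # encoded about: with HTML
    '<img src="/local/relative.gif">'
)

if __name__ == "__main__":
    for src, ok in audit_image_sources(SAMPLE_POST):
        print(("allow " if ok else "REJECT"), src)
    print(strip_unsafe_images(SAMPLE_POST))
```

The same `is_safe_image_src` check belongs on the src of iframe, embed and object tags; `<a href>` can keep its own, looser rule that still admits mailto:. Because the check decides by scheme rather than by pattern, it does not depend on a workaround like inserting a space after "about".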
    



    This archive was generated by hypermail 2b30 : Fri Jun 22 2001 - 14:16:36 PDT