I'm currently developing a game using PHP and MySql. I'd like to allow users to be able to show images using a BBCode parser (NBBC) but i've b开发者_Go百科een made aware of a potential security problem.
Allow me to explain:
The user enters a URL into a textarea box using code such as [img]http://example.com/image1.png[/img]
The user can then edit image1.png on the external server into a server side script that stores the user information (ip ect) and so forth.
User uses information to do some potentially nasty stuff!
My question is, how do we prevent this from happening and protect the users details when detailing with external sources?
The obvious answer is to only allow uploads to your site, but in this case, that really doesn't seem too practical.
Appreciate any help!
Actually you can by changing
[img]http://example.com/image1.png[/img]
into something like:
<img src="http://yourserver/proxy.blah?url=example.com/image1.png" />
So that your proxy would load the image instead of the user.
You can't because to your script it will look like a genuine image and there is no way of detecting anything different.
Any body can use .htaccess/ForceType to change the execution type of any file, grab user information and serve up an image in response.
I wrote a simple script for rotating images in a users forum signature many moons ago and it demonstrates this process: http://blog.simonholywell.com/post/374221718/flickering-images
You don't.
The only information the malicious user will be able to get is user's IP address and referrer URI, so you only need to make sure that nothing valuable is transmitted by it, (like session id, which you can bind to IP address or transfer via cookies).
It wouldn't even be necessary to turn that image into a script. The remote server's access log would capture the image request as it would any other request to a server. IP, browser UA, referer, etc...
If you allow external resources in user-provided data, you have no control whatsoever over how those resources are processed. If this image was for an Avatar (say), then nothing says the remote user can't make their avatar a puppy initially, then change it something nasty later on after the initial puppy picture's been approved.
Nothing says that the user couldn't point the avatar URL to a server they don't own themselves, in which case that other server's operator would get annoyed at the bandwidth theft and make the avatar picture into a Goatse-type image to get back at the bandwidth thief.
In short, if you allow external resources, you lose control. Keep everything in house where you can keep tabs on it.
Despite the responses saying this isn't a problem, it is. There are several ways to create a malicious image file that executes on the user's PC. You also have no control over whether the user's browser will honor the MIME type returned by the 3rd party server so it could return an executable file instead of an image, even though you may only allow links to files with image extensions (.png, .gif, .jpg, etc.). That interaction is entirely between your user and the 3rd party server but because it's embedded in your page the user experience will be that any infection originated from your site.
But even assuming the remote server only sends an image, you don't know if the image is even safe. See:
gifar image vulnerability
Infected .png files
Malicious code hides in jpgs
Uploading the images to your site is no walk in the park either, as discussed here.
User uses information to do some potentially nasty stuff!
You're being overly paranoid here. If a user is vulnerable just by having their IP known, their machine is already infested with a hundred different pieces of malware.
精彩评论