Re: [img] - PHP injection??!! [message #22332 is a reply to message #22331]
Fri, 28 January 2005 16:13
JamesS
Messages: 275 Registered: July 2002 Location: Atlanta, GA
Karma: 0
Senior Member
Whew! By your topic I thought that you could insert PHP code in the img tag and it would execute on the server hosting the forum. What you have done is harmless as far as I can tell because the remote server's PHP can't access anything on the forum server.
Plus, there are many places out there that send images to the browser via PHP for various reasons.
[Updated on: Fri, 28 January 2005 16:14]

Re: [img] - PHP injection??!! [message #22333 is a reply to message #22332]
Fri, 28 January 2005 16:29
I agree, it's not serious, but using this issue we can do things like tracking user activity and so on.
Yes, we can use mod_rewrite to hide the file extension, but this is too difficult for "beginner hackers", especially those who do not have fully controlled web servers.
Sorry for my English.
[Updated on: Fri, 28 January 2005 16:31]

Re: [img] - PHP injection??!! [message #22336 is a reply to message #22333]
Fri, 28 January 2005 16:42
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
You can disallow [img] tag if you are concerned about this issue. No amount of validation is going to secure remote images, since you can make the remote server do whatever it wants with the request. And allowing local image links only is pretty pointless functionality.
FUDforum Core Developer

Re: [img] - PHP injection??!! [message #22341 is a reply to message #22339]
Fri, 28 January 2005 17:23
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
Checking image extensions is pointless, because there are MANY simple ways to bypass it:
1) Make server think of all .jpg, .gif requests as scripting files passed to PHP.
2) Redirect requests for .jpg to scripting language.
3) Even if during message posting the URL was validated as valid image, there is nothing to stop the user from going to their server and changing the content of the image after it has been validated.
As long as [img] tag is enabled it is ultimately up to the remote server what sort of image data is returned.
FUDforum Core Developer
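
Added example (not from the thread and not FUDforum code): a loopback-only demonstration of why a post-time image check cannot bind what the remote server returns later. The `Remote` handler, the `looks_like_image` validator and the `avatar.jpg` URL are hypothetical, and the GIF bytes are constructed sample data.

```python
import threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

GIF = b"GIF89a" + b"\x00" * 20  # constructed bytes carrying a GIF magic header
state = {"ctype": "image/gif", "body": GIF, "hits": []}  # set by the remote owner

class Remote(BaseHTTPRequestHandler):
    """Stand-in for a remote host where a script answers every path."""
    def do_GET(self):
        # The ".jpg" in the path decides nothing; the handler does.
        state["hits"].append(self.headers.get("User-Agent"))
        self.send_response(200)
        self.send_header("Content-Type", state["ctype"])
        self.send_header("Content-Length", str(len(state["body"])))
        self.end_headers()
        self.wfile.write(state["body"])
    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch(url, agent):
    req = urllib.request.Request(url, headers={"User-Agent": agent})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req, timeout=5) as resp:
        return resp.headers.get("Content-Type"), resp.read()

def looks_like_image(url, agent="forum-validator"):
    """Hypothetical post-time check: extension, Content-Type and GIF magic."""
    if not url.lower().endswith((".jpg", ".gif", ".png")):
        return False
    ctype, body = fetch(url, agent)
    return ctype.startswith("image/") and body[:6] in (b"GIF89a", b"GIF87a")

def demo():
    state.update(ctype="image/gif", body=GIF, hits=[])
    srv = HTTPServer(("127.0.0.1", 0), Remote)  # ephemeral loopback port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_port}/avatar.jpg"
    try:
        accepted = looks_like_image(url)       # time of check: passes
        state.update(ctype="text/html", body=b"<p>not an image</p>")
        later_ctype, _ = fetch(url, "reader-browser")  # time of use: differs
    finally:
        srv.shutdown()
        srv.server_close()
    return accepted, later_ctype, list(state["hits"])

if __name__ == "__main__":
    print(demo())
```

The same URL passes all three checks when the message is posted and returns different content to a later reader, and every fetch is visible to the remote host.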