3

I manage a large and active forum and we're being plagued by a very serious problem. We allow users to embed remote images, much like how stackoverflow handles image (imgur) however we don't have a specific set of hosts, images can be embedded from any host with the following code:

[img]http://randomsource.org/image.png[/img]

and this works fine and dandy... except users can embed an image that require authentication, the image causes a pop-up to appear and because authentication pop-ups can be edited they put something like "please enter your [sitename] username and password here" and unfortunately our users have been falling for it.

What is the correct response to this? I have been considering the following:

  1. Each page load has a piece of Javascript execute that checks each image on the page and its status

  2. Have an authorised list of image hosts

  3. Disable remote embedding completely

The problem is I've NEVER seen this happen anywhere else, yet we're plagued with it, how do we prevent this?

Zoe
  • 27,060
  • 21
  • 118
  • 148
sam
  • 5,459
  • 6
  • 32
  • 53

2 Answers2

3

Its more than the password problem. You are also allowing some of your users to carry out CSRF attacks against other users. For example, a user can set up his profile image as [img]http://my-active-forum.com/some-dangerous-operation?with-some-parameters[/img].

The best solution is to -

  1. Download the image server side and store it on the file system/database. Keep a reasonable maximum file size, otherwise the attacker can download tons of GBs of data onto your servers to hog n/w and disk resources.
  2. Optionally, verify the file is actually an image
  3. Serve the image using a throw-away domain or ip address. It is possible to create images that masquerade as a jar or applet; serving all files from a throwaway domain protects you from such malicious activity.

If you cannot download the images on the server side, create a white list of allowed url patterns (not just domains) on the server side. Discard any urls that don't match this URL pattern.

You MUST NOT perform any checks in javascript. Performing checks in JS solves your immediate problems, but does not protect your from CSRF. You are still making a request to an attacker-controlled url from your users browser, and that is risky. Besides, the performance impact of that approach is prohibitive.

Sripathi Krishnan
  • 30,948
  • 4
  • 76
  • 83
1

I think you mostly answered your own question. Personally I would have gone for a mix between option 1 and option 2: i.e. create a client-side Javascript which first checks image embed URLs against a set of white-listed hosts. For each embedded URL which is not in that list, do something along these lines, while checking that the server does not return the 401 status code.

This way there is a balance between latency (we attempt to minimize duplicate requests via the HEAD method and domain whitelists) and security. Having said that, option 2 is the safest one, if your users can accept it.

Community
  • 1
  • 1
RomanK
  • 1,258
  • 7
  • 18