Slashdot Mirror


Are Hotlinked Images Now a Liability?

ConcernedImage asks: "I work for a company that has a strong online community, with a full set of message boards that currently allow external image hotlinking. With the new WMF exploit out there, all it takes is one user to link to a bad image, and suddenly it's -our- web site inflicting the computers of others (at least, as far as our users are concerned). Is allowing hotlinked images a legal liability now? What steps are other online communities taking to protect themselves and their users against this?"

3 of 57 comments

  1. Re:Captain Obvious Raises His Hand by Inominate · · Score: 2, Informative

    There is no way to tell.

    Check the filename? OK, the malicious webserver will lie about the filename vs. the MIME type.
    Check the file itself? OK, now the malicious webserver just serves different files for different sources.

    There's no automatic way to prevent WMF files from being linked to, which is the whole point of TFA.

  2. Re:I see three options: by WTBF · · Score: 2, Informative

    2. Tweak your forum software to only allow hotlinks to .gif, .jpg and .png.

    The exploit worked even if the files had the wrong extension (of gif, jpeg, etc.).

  3. Re:Captain Obvious Raises His Hand by Anonymous Coward · · Score: 1, Informative

    Isn't it risky having your webserver automatically hit a file that is specified by a user? A user who is clearly untrusted, as you need validation of all the images.

    Will your site be obeying robots.txt? If so then validation is pointless: just add a deny line into robots.txt. Some sites don't appreciate being hit by half the webservers in the world at once because someone added their image to a forum. Couldn't this be used as a way of launching DDoS attacks against any webserver that hosts an image?

    You seem to be forgetting that webservers have the ability to lie when serving up any file. If the automatic load is immediate then simply use a server-side script, like PHP, to serve the image and for the first N number of hits log the IP and serve a valid .jpg file. The webserver's IP is not going to change, unless you have multiple servers, which only big sites can afford. Whenever a hit comes in from one of the first-used IPs serve a valid .jpg just in case it's a validation check. Using things like Apache's rewrite you could have a URL like http://www.example.com/bad/image/12345/file.jpg which would pass name validation, which could easily be changed to http://www.example.com/badImage.php?src=12345, and for every different src restart the process of monitoring the first few hits. That way a user can use the same bad image for any site that allows image submission.

    Remove image-posting privilege or ban from the forum anyone whose image submissions are removed (or fail) on a sufficient number of occasions
    Closing the stable door after the horse has bolted. Automatic checks can be falsified as shown above. Human checks can take too long. Plus if the attack is subtle enough the infected user won't know where it came from. If it's severe enough the user might be unable to inform the site or may be more worried about recovering their PC. By which time enough people will have been hit by the image.

    Although I mentioned a specific way of avoiding that kind of validation, there are of course numerous other possible attacks.

    Make "show user-submitted inline images" an option that visitors to the site have to specifically enable, which involves accepting an agreement.
    I do agree completely with this. However it's more of a legal solution than a technical solution. Of course users can block images from their browser or block remote images (just make sure you don't allow users to upload an image. However, uploaded images can be validated: block WMF based on the beginning of the file.)

    The real problem is browsers see an image and assume it's safe to try and display it. How could it possibly do damage? Oh dear, some moron decided it would be OK to allow an image file to include executable code. A browser won't download an executable and run it for you without asking just because someone stuck it on a webpage, but it seems it's OK to do this with an image.

    Every time you allow content to be inserted into your webpage that's not your content, you run this risk. And it's not just things like forums or comments. Retrieving RSS feeds and adding them to your page is adding external content, as is using advert scripts like Google's. The only safe way would be to avoid any user-submitted data at all.

    Just realised that you could of course require all images to be moderated by a human before being displayed at all; however this would reduce usability, as the image could be an important part of the post, and depending on how many staff you've got on your site and your site's size it may take a while to get through all the images. Plus how many people would agree to "look at this image to make sure it doesn't destroy a user's computer"? Would you be willing to risk your machine? Not without one hell of an incentive!!!
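The thread's defender-side takeaway for uploads (comment 1: filename and MIME type can be lied about; comment 2: the extension can be wrong; comment 3: validate uploaded images by the beginning of the file) as an added example, not code from any poster. It decides purely from leading bytes against an allowlist, never from the name or declared type; the signature constants are the standard GIF/PNG/JPEG and WMF headers, and the sample inputs are constructed.

```python
from typing import Dict, Optional, Tuple

# Leading-byte signatures of the image types the forum chooses to allow.
ALLOWED_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

# Windows Metafile signatures, listed only so rejections can be named in logs:
# placeable WMF key 0x9AC6CDD7 (little-endian) and the standard METAHEADER
# (type 1 = memory or 2 = disk, followed by header size 9).
WMF_MAGIC = (b"\xd7\xcd\xc6\x9a", b"\x01\x00\x09\x00", b"\x02\x00\x09\x00")


def sniff_image(data: bytes) -> Optional[str]:
    """Return 'gif'/'png'/'jpeg' from the leading bytes, or None if not allowed."""
    for magic, kind in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Accept or reject an upload. The name and declared type are logged, never trusted."""
    kind = sniff_image(data)
    if kind is not None:
        return True, f"accepted as {kind} (declared {declared_type!r}, name {filename!r})"
    if any(data.startswith(m) for m in WMF_MAGIC):
        return False, f"rejected: WMF header despite name {filename!r} / type {declared_type!r}"
    return False, f"rejected: unrecognised or disallowed content for {filename!r}"


# Constructed sample uploads (name, declared Content-Type, leading bytes).
SAMPLES = {
    "real.png": ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "photo.jpg": ("image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    "cat.jpg": ("image/jpeg", b"\xd7\xcd\xc6\x9a" + b"\x00" * 18),          # WMF bytes, JPEG name
    "logo.gif": ("image/gif", b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12),   # standard WMF header
    "notes.txt": ("image/png", b"hello world"),                              # lies about its type
}


def check_all() -> Dict[str, bool]:
    """Run every constructed sample through the check; True means accepted."""
    return {name: classify_upload(name, ctype, data)[0] for name, (ctype, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ctype, data) in SAMPLES.items():
        print(name, "->", classify_upload(name, ctype, data)[1])
```

Hotlinked images cannot be checked this way, since the remote server can answer a validator differently from a browser; the check only holds for bytes the forum itself stores and serves.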