Are Hotlinked Images Now a Liability?
ConcernedImage asks: "I work for a company that has a strong online community, with a full set of message boards that currently allow external image hotlinking. With the new WMF exploit out there, all it takes is one user to link to a bad image, and suddenly it's -our- web site infecting the computers of others (at least, as far as our users are concerned). Is allowing hotlinked images a legal liability now? What steps are other online communities taking to protect themselves and their users against this?"
There is no way to tell.
Check the filename? Ok, the malicious webserver will lie about the filename versus the MIME type.
Check the file itself? Ok, now the malicious webserver just serves different files to different sources.
There's no automatic way to prevent WMF files from being linked to, which is the whole point of TFA.
2. Tweak your forum software to only allow hotlinks to .gif, .jpg and .png.
The exploit worked even if the files had the wrong extension (e.g. .gif or .jpeg).
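The two points above (a filename or Content-Type can lie, and the exploit fired regardless of extension) are exactly why a forum that wants to keep hotlinks has to look at the bytes, not the name. The following is an added example, not code from the thread or from any forum software: a sketch of the validation step for a forum-side image proxy. The idea is that the forum fetches the hotlinked image itself, allows it only if the leading bytes match a known GIF/PNG/JPEG signature, and then serves those same validated bytes to readers. Because the reader's browser never contacts the remote server, the "serve different files to different sources" trick in the earlier comment has nothing to key on: whatever the proxy validated is what the reader gets. The function names (`sniff_image_type`, `looks_like_wmf`, `classify_hotlink`) and the sample byte strings are constructed for this example; the signatures are the standard GIF/PNG/JPEG magic numbers and the WMF header layouts (placeable-WMF key bytes D7 CD C6 9A, or a standard METAHEADER with FileType 1 or 2 and HeaderSize 9).

```python
import struct

# Leading-byte signatures for the only formats the proxy will pass through.
# The URL's extension and the remote server's Content-Type are deliberately ignored.
IMAGE_SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

# Placeable WMF files start with this 32-bit key (0x9AC6CDD7, little-endian).
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"


def looks_like_wmf(data: bytes) -> bool:
    """Heuristic: does this blob start with a placeable or standard WMF header?

    Used only to give a more specific rejection reason; the allowlist in
    classify_hotlink() is what actually keeps unknown formats out."""
    if data.startswith(PLACEABLE_WMF_KEY):
        return True
    if len(data) >= 4:
        # Standard METAHEADER: FileType (1 = memory, 2 = disk), HeaderSize (9 words).
        file_type, header_size = struct.unpack("<HH", data[:4])
        if file_type in (1, 2) and header_size == 9:
            return True
    return False


def sniff_image_type(data: bytes):
    """Return 'gif', 'png' or 'jpeg' if the leading bytes match, else None."""
    for magic, kind in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def classify_hotlink(url: str, content_type: str, data: bytes):
    """Decide whether the proxy may serve these fetched bytes.

    Returns (decision, detail). url and content_type are accepted only so the
    caller can log them; neither influences the decision."""
    kind = sniff_image_type(data)
    if kind is not None:
        return ("allow", kind)
    if looks_like_wmf(data):
        return ("reject", "wmf header")
    return ("reject", "unrecognized format")


# Constructed samples standing in for bytes fetched from a hotlinked URL.
SAMPLES = [
    # Honest GIF: extension, Content-Type and bytes agree.
    ("http://example.invalid/cat.gif", "image/gif", b"GIF89a" + b"\x00" * 16),
    # Placeable WMF served with a .gif name and an image/gif Content-Type.
    ("http://example.invalid/lol.gif", "image/gif", PLACEABLE_WMF_KEY + b"\x00" * 18),
    # Standard WMF with a .jpg name.
    ("http://example.invalid/pic.jpg", "image/jpeg", b"\x01\x00\x09\x00" + b"\x00" * 14),
    # PNG bytes but a misleading .jpg extension; still a real PNG, so allowed.
    ("http://example.invalid/x.jpg", "image/jpeg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
]


def run_samples():
    """Classify every constructed sample; returns the list of decisions."""
    return [classify_hotlink(u, ct, d) for (u, ct, d) in SAMPLES]


if __name__ == "__main__":
    for (url, ctype, _), result in zip(SAMPLES, run_samples()):
        print(f"{url} ({ctype}): {result[0]} ({result[1]})")
```

The JPEG check is intentionally loose (only the SOI marker and the start of the next marker), which is enough to keep non-JPEG data out of the allowlist; a real proxy would also cap the download size, set a short fetch timeout, and serve the result with its own sniffed Content-Type rather than the remote server's.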