Slashdot Mirror


Are Hotlinked Images Now a Liability?

ConcernedImage asks: "I work for a company that has a strong online community, with a full set of message boards that currently allow external image hotlinking. With the new WMF exploit out there, all it takes is one user to link to a bad image, and suddenly it's -our- web site inflicting the computers of others (at least, as far as our users are concerned). Is allowing hotlinked images a legal liability now? What steps are other online communities taking to protect themselves and their users against this?"

10 of 57 comments

  1. Hotlinking WMFs in a webpage by Orrin+Bloquy · · Score: 2, Insightful

    I believe that's the technical definition of stupid.

    --
    "Made up/misattributed quote that makes me look smart. I am on /. and I must look smart."
  2. Hotlinked images always were a liability by bartjan · · Score: 4, Insightful

    Hotlinks always were a liability, or at least have been from the moment the goatse domain was registered...

  3. Taking steps? by Schezar · · Score: 2, Interesting

    What steps are other online communities taking to protect themselves and their users against this?

    Using Linux? Using a Mac?

    I kid. But seriously, the issue is PC security, not server security. If your PC is vulnerable to an exploit simply for viewing an image, the problem is YOURS, not the server that happens to link to an image that happens to use that exploit.

    --
    GeekNights!
    Late Night Radio for Geeks!
  4. It's like asking... by toddbu · · Score: 2, Insightful

    if someone steals your gun and kills someone, are you liable? It's unlikely that you'd be liable, but it's really up to the people doing the decision making. Always make sure you have a good lawyer, just in case.

    --
    If you don't want crime to pay, let the government run it.
  5. Re:Captain Obvious Raises His Hand by Inominate · · Score: 2, Informative

    There is no way to tell.

    Check the filename? OK, the malicious webserver will lie about the filename vs. the MIME type.
    Check the file itself? OK, now the malicious webserver just serves different files for different sources.

    There's no automatic way to prevent WMF files from being linked to, which is the whole point of TFA.

  6. Re:I see three options: by WTBF · · Score: 2, Informative

    2. Tweak your forum software to only allow hotlinks to .gif, .jpg and .png.

    The exploit worked even if the files had the wrong extension (.gif, .jpeg, etc.).

  7. Y!PP did block inline images by Scarblac · · Score: 3, Interesting

    The forums of Puzzle Pirates switched off all images when it became clear how bad this exploit is. They later turned back on avatars, since they're checked by the server (only accepts JPEGs and GIFs of a certain max size, and then stored server side, as far as I know).

    The original announcement said they'd be back when Microsoft releases their official patch, but I think PP is giving everybody time to patch first.

    --
    I believe posters are recognized by their sig. So I made one.
  8. Great by sharkey · · Score: 2, Insightful

    With the new WMF exploit out there

    There's a new WMF exploit out to take the place of the one patched yesterday?

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  9. Re:Patch is out there. by mh101 · · Score: 2, Insightful

    Doesn't mean every Windows PC out there will be magically patched within 24 hours... even with automatic updates turned on, it's still not like Windows is checking every 5 minutes for new patches.

    --
    Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
  10. The WMF bug was a big disaster by SmallFurryCreature · · Score: 2, Insightful

    Sadly MS's handling of it was typical, and the Windows user reaction to it was typical as well.

    I am of course a geeky, nerdy, never washing, never getting laid Linux user who hasn't had to worry about security alerts at all in 2005 (check somebody else's post in one of the CERT stories where he shows that there have been no cyber alerts for Linux in 2005); the last I think was in 2004 or 2003, relating to OpenSSL or SSH.

    MS's response was idiotic and shows they totally do not care about their customers. In the best case they should have made it very clear to every Windows user that browsing the net was dangerous and put out a simple patch that disabled WMF completely, or at least put up a warning before a WMF-like file is accessed, even if it is a WMF disguising itself as a JPEG.

    Oh but this could break existing products? WHO THE FUCK CARES? It is like worrying that cutting off the electricity and gas after an earthquake is going to make your icecream melt. The WMF exploit is a disaster and that means it is time for drastic measures.

    Windows users should have been up in arms. Browsing the internet became a no-no even with non-porn sites. The only thing that has to happen is one person on a forum having an exploit for their avatar image and bang.

    I have seen several people being affected by this exploit. Sure some were stupid free porn sites surfers but not all of them. Just normally using their computer and BAM. Infected.

    We have been getting a lot of comments from MS fanboys about how much stabler XP is and that MS is getting a lot more serious about security. HA. This WMF thing has shown that MS is still the same MS of old. Nothing has changed. A full week to patch an exploit affecting all your users, and all the MS fanboys can do is sputter "They had to test it". Yeah, right. Oh well, at least it seems that this time the patch actually works. That's gotta be a first.

    Oh well, now to answer your question. There is nothing to do here but disable unchecked content on your website. That means you gotta host every image yourself and make sure you check that it is what it claims to be in your upload code.

    The MS patch won't change a fucking thing. An awful lot of MS users never patch up, so this WMF exploit will be with us as long as that Code Red crap and every other Windows exploit. If I am ever diagnosed with an incurable disease and only have a few weeks left, Gates is going to get a bullet in the head.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.
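    Several posts above converge on the same defence: stop hotlinking, host the images yourself, and have the upload code decide from the file's bytes what the file is, since Inominate and WTBF point out that both the extension and the server-declared MIME type can lie, and Scarblac describes Puzzle Pirates accepting only server-checked JPEGs and GIFs under a size cap. The script below is an added illustration of that allow-list check, not code from Puzzle Pirates, Slashdot or any poster. The size cap, the sample byte strings and the helper names are constructed for the example; the GIF, PNG and JPEG signatures and the PNG IEND chunk bytes are the published format constants.

```python
"""Allow-list image check for forum uploads (constructed example).

The decision rests on the bytes alone: the filename and the declared
Content-Type are deliberately ignored because both are attacker-controlled.
A file is accepted only if its leading bytes match a GIF, PNG or JPEG
signature, it passes a cheap structural sanity check, and it fits the cap.
Anything else, including a WMF renamed to .jpg, is rejected.
"""
import struct

MAX_BYTES = 200 * 1024  # assumed cap; the thread only says "a certain max size"

# Magic numbers of the only formats the forum will store.  This is an
# allow-list: there is no attempt to recognise WMF or any other format,
# so unknown bytes are rejected rather than classified.
SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

PNG_IEND_CHUNK = b"\x00\x00\x00\x00IEND\xaeB`\x82"  # zero-length IEND + its CRC


def detect_format(data: bytes):
    """Return 'gif', 'png' or 'jpeg' from the leading bytes, else None."""
    for magic, fmt in SIGNATURES.items():
        if data.startswith(magic):
            return fmt
    return None


def _png_is_sane(data: bytes) -> bool:
    # First chunk after the 8-byte signature must be a 13-byte IHDR,
    # and the stream must close with the fixed IEND chunk.
    if len(data) < 8 + 8 + 13 + 4 + len(PNG_IEND_CHUNK):
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    return length == 13 and ctype == b"IHDR" and data.endswith(PNG_IEND_CHUNK)


def _jpeg_is_sane(data: bytes) -> bool:
    # A complete JPEG stream ends with the EOI marker FF D9.
    return data.endswith(b"\xff\xd9")


def _gif_is_sane(data: bytes) -> bool:
    # A complete GIF ends with the trailer byte 0x3B (';').
    return len(data) >= 13 and data.endswith(b";")


_SANITY = {"png": _png_is_sane, "jpeg": _jpeg_is_sane, "gif": _gif_is_sane}


def validate_upload(filename: str, declared_type: str, data: bytes):
    """Return (accepted, reason, detected_format).

    filename and declared_type are accepted only so the call mirrors a real
    upload handler; they are never consulted, which is the whole point.
    """
    if len(data) > MAX_BYTES:
        return False, "too large", None
    fmt = detect_format(data)
    if fmt is None:
        return False, "unrecognised signature", None
    if not _SANITY[fmt](data):
        return False, "truncated or malformed", fmt
    return True, "ok", fmt


# --- constructed sample uploads -------------------------------------------
# Minimal GIF89a: 6-byte header, 7-byte logical screen descriptor, trailer.
SAMPLE_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
# PNG skeleton: signature, IHDR chunk (13 zero data bytes, dummy CRC), IEND.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + bytes(13) + bytes(4) + PNG_IEND_CHUNK
# A JPEG whose tail was cut off: SOI + APP0 start, no EOI marker.
SAMPLE_TRUNCATED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
# Stand-in for "a WMF disguising itself as a jpeg": the filename and MIME
# type say JPEG, the bytes do not start with any allow-listed signature.
SAMPLE_NOT_AN_IMAGE = b"\x01\x00\x09\x00" + bytes(32)

if __name__ == "__main__":
    for name, ctype, blob in [
        ("avatar.gif", "image/gif", SAMPLE_GIF),
        ("avatar.png", "image/png", SAMPLE_PNG),
        ("avatar.jpg", "image/jpeg", SAMPLE_TRUNCATED_JPEG),
        ("avatar.jpg", "image/jpeg", SAMPLE_NOT_AN_IMAGE),
        ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + bytes(MAX_BYTES)),
    ]:
        print(name, ctype, "->", validate_upload(name, ctype, blob))
```

    The structural checks are intentionally shallow; a production handler would go one step further and re-encode the accepted file with an image library so that what is stored is a freshly written GIF/PNG/JPEG rather than the uploader's original bytes.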