--- Chad Day <[EMAIL PROTECTED]> wrote:
> I want to give my users the ability to submit a URL
> to a database, then when they pull up their page,
> their photo is included .. what I'm worried about
> is them pointing the link to some malicious code or
> something..

Your instincts serve you well.

There are two types of attacks to worry about in this
situation, depending on who can see this "image". If only
the user who submitted the URL can see it, then your users
only risk CSRF attacks, which are not very common (yet) but
are very dangerous.

If everyone can see the "image", then your application is
also at risk of XSS.

If you realize that an embedded image is requested
separately by a Web client, you can see that this basically
allows an attacker the opportunity of forcing another user
to visit a URL of the attacker's choice. For example,
consider an image that looks like this:

<img src="http://bookstore.xxx/buy.php?book=httphandbook">

A browser will try to load that image by sending a request
for that URL to bookstore.xxx. So, every user who happens
to have a prior relationship with bookstore.xxx (maybe they
have one-click ordering) will unknowingly purchase HTTP
Developer's Handbook. All the victim will see is a broken
image.

Even if you check for file extensions, the attacker can
have a URL that looks legitimate but is really a PHP script
in disguise (their Apache treats .jpg as PHP, for example)
and uses header("Location: ...") to redirect to the URL
mentioned above.

Also, this same attack can be used against one of your
users to make them unknowingly submit such a URL to your
site. Thus, even if you only show the image to the user who
submitted it, that user may still be a victim.

For more information on CSRF, check out
http://www.tux.org/~peterw/csrf.txt.

For more information on XSS, check out
http://httpd.apache.org/info/css-security/ and
http://www.cert.org/advisories/CA-2000-02.html.

My advice would be to require human intervention in the way
of a moderation system. Even with this, a URL that returns
an image today may not tomorrow. A safer alternative might
be to host the images yourself, so that you can check that
they are in fact images.

Good luck.

Chris
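As an added illustration of the closing advice (host the images yourself and check that they really are images), not code from this thread: a Python sketch of an ingestion check that refuses redirects instead of following them and inspects the bytes rather than trusting the URL extension or the Content-Type header. The `fetch` callable, the `example.invalid` URLs and the sample responses are constructed stand-ins.

```python
import struct

# Accepted formats by leading magic bytes: neither the URL extension nor the
# Content-Type header can be trusted, both are chosen by the remote server.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
         b"GIF87a": "gif", b"GIF89a": "gif"}

def image_dimensions(data):
    """Return (kind, width, height) if data parses as a real image, else None."""
    kind = next((k for m, k in MAGIC.items() if data.startswith(m)), None)
    if kind == "png" and len(data) >= 24 and data[12:16] == b"IHDR":
        return ("png",) + struct.unpack(">II", data[16:24])  # IHDR width, height
    if kind == "gif" and len(data) >= 10:
        return ("gif",) + struct.unpack("<HH", data[6:10])   # logical screen size
    if kind == "jpeg":
        i = 2  # walk the marker segments after SOI until a Start-Of-Frame marker
        while i + 9 <= len(data) and data[i] == 0xFF:
            marker, seglen = data[i + 1], struct.unpack(">H", data[i + 2:i + 4])[0]
            if marker in (0xC0, 0xC1, 0xC2):  # SOFn: len(2) precision(1) height(2) width(2)
                h, w = struct.unpack(">HH", data[i + 5:i + 9])
                return ("jpeg", w, h)
            i += 2 + seglen
    return None

def ingest_image(url, fetch, max_bytes=2_000_000):
    """Decide whether a user-submitted URL may be copied into local storage.
    `fetch` (hypothetical, injected) returns (status, headers, body) for ONE request
    and never follows redirects, so a remote header("Location: ...") goes nowhere."""
    status, _headers, body = fetch(url)
    if status != 200:
        return False, f"HTTP {status}: redirects and errors are refused, not followed"
    if len(body) > max_bytes:
        return False, "body too large to be a profile photo"
    info = image_dimensions(body)
    if info is None:
        return False, "body is not a recognised image, whatever the URL ends in"
    kind, w, h = info
    return True, f"{kind} {w}x{h}: store a local copy and serve that, not the URL"

# Constructed sample responses standing in for real HTTP fetches.
PNG_1X1 = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
           + struct.pack(">II", 1, 1) + b"\x08\x06\x00\x00\x00")
SAMPLES = {
    "http://example.invalid/photo.png": (200, {"Content-Type": "image/png"}, PNG_1X1),
    "http://example.invalid/photo.jpg": (302, {"Location": "http://bookstore.xxx/buy.php?book=httphandbook"}, b""),
    "http://example.invalid/pic.gif": (200, {"Content-Type": "image/gif"}, b"<html>not an image</html>"),
}
fake_fetch = lambda url: SAMPLES[url]
if __name__ == "__main__":
    for u in SAMPLES: print(u, "->", ingest_image(u, fake_fetch))
```

The `.jpg` sample models the "PHP in disguise" case from the reply: the server answers the image request with a redirect, which is simply refused.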

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
