Open Bug 577713 Opened 15 years ago Updated 3 years ago

please add a way to prevent images from being redirected in an image tag

Categories: Core :: Graphics: Image Blocking (enhancement)
Platform: x86 Linux
Status: UNCONFIRMED
People: Reporter: tuseroni, Unassigned

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6

I am working on securing my site against XSS. Users are allowed to post images, and most of the obvious XSS involving images has been taken care of (anything which can evaluate to JavaScript in the href, for instance), but there is still one for which I cannot find a solution: that being if someone links to an image which redirects to my site with a command in the GET. Now, obviously, not using commands in the GET is one way to fix this (however, I didn't make this site, and it uses GET... a LOT...), and I think it would be nice if I had an attribute for images (say <img src="whatever.png" followRedirect="no">). Then I could just add the followRedirect attribute to the img tag using a regex in PHP, and when the browser got this it would know NOT to follow the redirect when looking up the image; as such it would never come back and it would never execute. And since I know all our admins will likely be using Firefox (or I can tell them to), I don't have to worry too much about cross-platform compatibility.

Reproducible: Always
> that being if someone links to an image, which redirects to my site with a
> command in the get

They don't need an image to do this at all, right? They can just issue the GET. If you're only worried about your admins, you can pretty easily create an extension that would prevent such redirects....
If they attempted to run it like that it would fail, because THEY do not have permissions.

OK, Alice is an admin on someSite.com, and she has a forum. Melanie is NOT an admin, but she knows the GET statement that would delete a user (Bob), so Melanie makes an image tag which has that GET statement in it. She also makes the image have a width/height of 0. Now when Bob, who is not an admin, comes along, nothing happens: his browser goes to the page, but because of the security restriction on that page, he can't run it. Then Alice comes along, the browser goes to that page, and because Alice has permissions to view that page and delete Bob, the command goes through... Bob is gone.

Now you can avoid this to a degree by making sure the src is an image and not hosted on your site (except in folders designated for hosting user images, if you have such a thing), but now we have another problem. Let's suppose Melanie tried the above and saw it didn't work. Ever the clever girl, she goes to her personal web server (or a server to which she has access) and sets up a redirect to direct /a.jpg to go to that same GET command. Now when she posts it, it looks like this: <img src="http://melanie-rules.com/a.jpg">. Surely nothing suspicious here; it goes through the filters. Now the browser goes to look that file up, the file then redirects to someSite.com/userman.php?user=bob&cmd=del, and Alice comes along and sees this... and Bob is no more. From the server's perspective that redirect is exactly the same as if Alice herself went to that address from a link.

However, supposing there were an attribute in the img tag that could tell the browser "don't follow in the case of a redirect", someSite.com's sysadmin could place that attribute on all img tags in HTML coming from users. That, combined with the normal way of preventing them from putting the GET in the src, would make it much easier to stop this kind of attack.
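Added example, not part of the bug report and not Mozilla's or the reporter's code: a small Python simulation of the attack described above (Melanie's /a.jpg redirecting Alice's browser to someSite.com/userman.php?user=bob&cmd=del) next to the server-side fix the reporter says the site does not have. The hostnames, path and cmd=del parameter come from the comment; the session cookie and CSRF token mechanics, the handler layout and the toy redirect-following "browser" are assumptions made for illustration. It also models the reporter's proposed followRedirect="no" behaviour as a browser-side switch, so the two defences can be compared on the same request.

```python
"""Image-redirect CSRF simulation (added example; hosts/paths from the bug report,
everything else is an assumed, illustrative model)."""
import secrets
from urllib.parse import urlsplit, parse_qs


class SomeSite:
    """Model of someSite.com: a session cookie identifies the user, admins may delete users."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.users = {"alice", "bob", "melanie"}
        self.admins = {"alice"}
        self.sessions = {}     # session cookie -> username
        self.csrf_tokens = {}  # session cookie -> token bound to that session (assumed design)

    def login(self, user):
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = user
        self.csrf_tokens[cookie] = secrets.token_hex(16)
        return cookie

    def handle(self, method, url, cookie, form=None):
        """userman.php?user=X&cmd=del deletes X when the caller is an admin. Returns (status, body)."""
        parts = urlsplit(url)
        if parts.path != "/userman.php":
            return 404, "not found"
        if self.sessions.get(cookie) not in self.admins:
            return 403, "forbidden"  # Bob's browser (or no cookie at all) stops here
        if self.hardened:
            # Fix: state changes only via POST carrying the token bound to this session.
            # An <img> fetch, redirected or not, is always a GET without the token.
            if method != "POST":
                return 405, "state change requires POST"
            expected = self.csrf_tokens[cookie]
            if not form or not secrets.compare_digest(form.get("csrf", ""), expected):
                return 403, "bad csrf token"
            params = form
        else:
            # Vulnerable: the command is taken straight from the GET query string.
            params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        if params.get("cmd") == "del" and params.get("user") in self.users:
            self.users.discard(params["user"])
            return 200, "deleted " + params["user"]
        return 400, "bad request"


def melanie_server(method, url, cookie, form=None):
    """melanie-rules.com: /a.jpg is not an image, it is a 302 to the admin command."""
    if urlsplit(url).path == "/a.jpg":
        return 302, "http://someSite.com/userman.php?user=bob&cmd=del"  # body = Location
    return 404, "not found"


def browser_fetch_image(hosts, cookies, url, follow_redirects=True, max_hops=5):
    """Models <img src=url>: GET, attach the cookie stored for that host, follow 302s.
    follow_redirects=False stands in for the reporter's proposed followRedirect="no"."""
    status, body = None, None
    for _ in range(max_hops):
        host = urlsplit(url).netloc
        status, body = hosts[host]("GET", url, cookies.get(host))
        if status != 302 or not follow_redirects:
            return status, body
        url = body  # follow the Location; the cookie jar now supplies someSite.com's cookie
    return status, body


def run_scenario(hardened, follow_redirects=True):
    """Alice (admin, logged in) views a forum page containing Melanie's image tag.
    Returns True if bob still exists afterwards."""
    site = SomeSite(hardened)
    hosts = {"someSite.com": site.handle, "melanie-rules.com": melanie_server}
    cookies = {"someSite.com": site.login("alice")}  # no cookie for Melanie's host
    browser_fetch_image(hosts, cookies, "http://melanie-rules.com/a.jpg", follow_redirects)
    return "bob" in site.users


def legitimate_delete(site, cookie, target):
    """How the admin UI would delete a user on the hardened site: POST plus the session's token."""
    form = {"user": target, "cmd": "del", "csrf": site.csrf_tokens[cookie]}
    return site.handle("POST", "http://someSite.com/userman.php", cookie, form)


if __name__ == "__main__":
    print("vulnerable site, redirect followed, bob survives:", run_scenario(False))
    print("vulnerable site, followRedirect=no, bob survives:", run_scenario(False, False))
    print("hardened site, redirect followed, bob survives:  ", run_scenario(True))
```

The followRedirect switch only closes the redirect path: a user who posts the someSite.com URL directly as the img src, or Alice clicking a plain link, still issues the same GET, which is the point the replying commenter makes. Refusing state changes on GET and binding the action to a per-session token stops all of those from the server side, without depending on which browser the admins use.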
Severity: normal → S3