Appearance vulnerabilities

What security holes can appear on my site when I include external images via the img tag, and how do I avoid them?

I currently check the image's extension and MIME type on submission (which can be changed after the URL has been submitted) and sanitize the URL before putting it in the src attribute.

+6
3 answers

There is probably a distinction to make about who is at risk.

If all you do is store URLs and do not upload images to your server, your site is probably safe, and any potential risk is to the users who browse your site.

Essentially, you are trusting the reliability of the browser makers. Everything may be fine, but if a hole appears in some browser that is exploited against one of your users through incorrect parsing of images containing malicious code, then it is your users who ultimately pay for it (you may find GIFAR interesting).

It all depends on whether you trust browser vendors to make secure software and whether you trust your users not to submit URLs to images that may contain exploits for specific browsers. What is safe now may not be safe when the next version appears.

+4

The primary holes that can be opened are those where corrupted images cause a buffer overflow in the browser, which allows arbitrary code to be executed.

If you only put images in an <img> tag, then there should be no vulnerabilities related to serving alternative MIME types, but never underestimate the stupidity of some web browser developers ...

+3

Well, obviously, you are not doing any checks on the data itself, so the data can be anything (the MIME type reported by the remote server does not necessarily tell the truth). In addition, as you said, the data on the remote server can be changed, since you never look at it again after submission.

So if the link is placed into, say, <img src="..." />, then any vulnerability the browser may have in image processing can be exploited.

"Sanitizing" the URL doesn't help at all: someone submitting a link to a "bad" image is not going to attack their own server.

+3
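The point made in these answers, that the file extension and the remote Content-Type header say nothing about what the browser's image decoder will actually parse, is illustrated by the following added example (not code from any of the answers). It restricts the URL scheme, sniffs the leading bytes of fetched content, and compares the declared type with the sniffed one; the function names and sample inputs are constructed. As the answers note, such a check only means something if the bytes you verified are the bytes you later serve (re-hosting), since the remote file can change after the check.

```python
from urllib.parse import urlparse

# Leading bytes of common web image formats. The byte content is what the
# browser's decoder sees, so it is checked instead of the extension or the
# Content-Type header the remote server chose to report.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",          # GIF87a / GIF89a
    "image/jpeg": b"\xff\xd8\xff",
}


def sniff_image_type(data: bytes):
    """Return the image MIME type implied by the leading bytes, or None."""
    for mime, magic in MAGIC.items():
        if data.startswith(magic):
            return mime
    # WebP is a RIFF container: "RIFF" <4-byte size> "WEBP"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def check_image_submission(url: str, declared_mime: str, body: bytes):
    """Validate a user-submitted image (hypothetical helper).

    url           - the submitted URL; only http(s) is allowed
    declared_mime - the Content-Type the remote server reported
    body          - the bytes actually fetched from that URL
    Returns (ok, reason_or_type).
    """
    scheme = urlparse(url).scheme.lower()
    if scheme not in ("http", "https"):
        return False, f"disallowed scheme: {scheme!r}"
    actual = sniff_image_type(body)
    if actual is None:
        return False, "body is not a recognised image format"
    declared = declared_mime.split(";")[0].strip().lower()
    if declared != actual:
        return False, f"declared {declared!r} but content is {actual!r}"
    return True, actual


if __name__ == "__main__":
    # Constructed samples: a real PNG header, and an HTML page served as PNG.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    print(check_image_submission("https://img.example/a.png", "image/png", png))
    print(check_image_submission("https://img.example/a.png", "image/png",
                                 b"<html><body>not an image</body></html>"))
```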

Source: https://habr.com/ru/post/921045/
