Image src XSS problem?
Posted: Sun Sep 07, 2008 9:46 am
by Verminox
If I have on my page something like:
<img src="<?php echo $img; ?>" alt="" />
Where $img is user-defined (probably a $_GET value with the quotes stripped). Would this in any way compromise security?
The only way I see this being a problem is if a malicious user makes an unsuspecting victim click a link with some malicious content in the URL query to try to compromise him, but I don't use cookies on this site at all so there is no issue of stealing sessions.
Re: Image src XSS problem?
Posted: Sun Sep 07, 2008 9:58 am
by arjan.top
something like that:
"/><script>alert('XSS');</script><img src="
Re: Image src XSS problem?
Posted: Sun Sep 07, 2008 10:21 am
by Verminox
arjan.top wrote: something like that:
"/><script>alert('XSS');</script><img src="
Verminox wrote: Where $img is user-defined (probably a $_GET value with the quotes stripped). Would this in any way compromise security?
Edit: Besides, even if somehow JS could be executed, I'm not using any cookies/sessions at all... So how would there be a problem?
Re: Image src XSS problem?
Posted: Sun Sep 07, 2008 11:14 am
by Cut
Even if you strip single quotes, IE 6 is still vulnerable to <img src="javascript:alert(String.fromCharCode(88,83,83)" /> and others (from http://ha.ckers.org/xss.html).
Worse, the things <img> embeds need not be images. A user could embed http://www.yoursite.com/logout.php and log everyone out, or do much worse things. Even if you check for a valid image extension, the attacker could use http://www.yoursite.com/logout.php?.jpg or an image on their server which uses htaccess to redirect requests. Were you to program some way to check MIME types and status codes for the image, the attacker could just serve one thing to your server and the attack to everyone else.
Check for a valid image extension and hope you don't make anyone competent angry.
Re: Image src XSS problem?
Posted: Mon Sep 08, 2008 1:23 pm
by Verminox
If the attacker wants to implement his redirect anyway, why would he use my site in the first place? He will just maneuver the victim to click on his own link.
Note that I am not allowing a user to define what image is seen by everyone, it's not like a forum post or something. It's as simple as http://www.example.com/gallery.php?img=spongebob results in 'spongebob.jpg' being displayed. It's just a personal GET query. Nothing server wide. According to me the only way to exploit this is to make a victim click a link that has something evil in the GET url, because the attacker can do nothing by hacking his own front-end.
Edit: Cut, you made a good point. I shall check for image extensions. Thanks.
Re: Image src XSS problem?
Posted: Mon Sep 08, 2008 1:31 pm
by onion2k
How would your visitors feel if I sent them to your site with that image set as some porn? What would that do to your site's reputation?
Re: Image src XSS problem?
Posted: Tue Sep 09, 2008 9:35 am
by Verminox
Good point. I think I'll just make a database of ID to URL mapping and implement something like gallery.php?id=4 so that I know for sure what the outcome will be.
Thanks for the help
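The vulnerable pattern from the original question next to the ID-to-filename lookup the thread ends on, as an added example that is not code from any poster. It assumes the site's images live under /images/ on the same host; the $gallery map and the request values are constructed stand-ins for $_GET.

```php
<?php
// Added example, not from the thread. Assumes images are served from /images/
// on the same site; $gallery and the request values below are constructed.
declare(strict_types=1);

// The pattern from the original question: the request value goes straight into
// the attribute. Stripping quotes keeps the value inside the attribute, but the
// src can still be any URL at all, which is the off-site-request and reputation
// problem raised later in the thread. Shown for contrast only.
function vulnerableImgTag(string $img): string
{
    return '<img src="' . $img . '" alt="" />';
}

// Hardened version, as settled on in the thread: the request carries only an
// opaque ID, and the filename comes from a server-side map the site owner
// controls. Unknown IDs fall back to a known placeholder.
function safeImgTag(array $gallery, string $id): string
{
    $file = $gallery[$id] ?? $gallery['placeholder'];
    // Escape for the attribute context anyway (defense in depth): the map is
    // trusted today, but a filename with odd characters may land in it later.
    $src = htmlspecialchars('/images/' . $file, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $src . '" alt="" />';
}

// Constructed map: IDs are opaque, filenames are chosen by the site owner.
$gallery = [
    '4'           => 'spongebob.jpg',
    '7'           => 'patrick.jpg',
    'placeholder' => 'missing.png',
];

// Constructed request values standing in for $_GET['img'] and $_GET['id'].
// The first one ends in ".jpg" as a query string, so a naive extension check
// would accept it even though it is not an image on this site (Cut's point).
$untrustedImg = 'http://example.invalid/not-an-image.php?.jpg';
$requestedId  = '9999'; // not in the map, so the placeholder is used

echo vulnerableImgTag($untrustedImg), PHP_EOL; // tag points off-site at a non-image
echo safeImgTag($gallery, $requestedId), PHP_EOL; // tag points at the placeholder
echo safeImgTag($gallery, '4'), PHP_EOL;          // tag points at the chosen file
```

With the lookup in place, the only thing a crafted link can influence is which of the site's own files is shown, so a visitor can no longer be sent to the page with arbitrary content embedded.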
