My random.php link is being displayed in forums

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

jaysmizzle
Forum Newbie
Posts: 9
Joined: Fri May 01, 2009 2:55 am

My random.php link is being displayed in forums

Post by jaysmizzle »

Sorry, I couldn't come up with a good subject title with so little space.

I'm using the code below to create a random.php file that displays a random image on every page load. I've noticed recently that some people have copied the URL link to this random.php file and have pasted it in a couple of forums, so that every time someone opens the forum topic they see a random picture, like they would if they had visited my website. The link is something like 'http://www.mywebsite.com/images/random.php.jpg'. I'm not sure how I feel about this. Would this cost me bandwidth every time someone opens that topic? Is there any way I could somehow block everyone from doing this? Would you, personally, try to block this, or do you think I should leave it alone and think of it as good advertisement?

Code:

<?php
// Directory that holds the images; a trailing slash is added below.
$folder = '.';

// Allowed extensions and the Content-Type to send for each one.
$extList = array(
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
);

$img = null;

if (substr($folder, -1) != '/') {
    $folder = $folder . '/';
}

if (isset($_GET['img'])) {
    // A specific image was requested. Only its basename is used (no directory
    // traversal), the extension must be in the list, and the name is limited
    // to plain characters so null bytes and similar junk are rejected outright.
    $imageInfo = pathinfo($_GET['img']);
    if (
        isset($imageInfo['extension']) &&
        isset($extList[strtolower($imageInfo['extension'])]) &&
        preg_match('/^[A-Za-z0-9._-]+$/', $imageInfo['basename']) &&
        is_file($folder . $imageInfo['basename'])
    ) {
        $img = $folder . $imageInfo['basename'];
    }
} else {
    // No image requested: pick one at random from the folder.
    $fileList = array();
    $handle = opendir($folder);
    if ($handle !== false) {
        while (false !== ($file = readdir($handle))) {
            $file_info = pathinfo($file);
            // '.' and '..' have no extension, so check for it before using it.
            if (isset($file_info['extension']) &&
                isset($extList[strtolower($file_info['extension'])])) {
                $fileList[] = $file;
            }
        }
        closedir($handle);
    }

    if (count($fileList) > 0) {
        // time() % count would show the same picture for a whole second;
        // mt_rand makes every page load independent of the others.
        $imageNumber = mt_rand(0, count($fileList) - 1);
        $img = $folder . $fileList[$imageNumber];
    }
}

if ($img !== null) {
    $imageInfo = pathinfo($img);
    // Lower-case the extension so a file named FOO.JPG still gets its type.
    header('Content-type: ' . $extList[strtolower($imageInfo['extension'])]);
    readfile($img);
} elseif (function_exists('imagecreate')) {
    // Nothing to show: draw a small placeholder image with GD instead.
    header('Content-type: image/png');
    $im = @imagecreate(100, 100)
        or die('Cannot initialize new GD image stream');
    $background_color = imagecolorallocate($im, 255, 255, 255);
    $text_color = imagecolorallocate($im, 0, 0, 0);
    imagestring($im, 2, 5, 5, 'IMAGE ERROR', $text_color);
    imagepng($im);
    imagedestroy($im);
}
?>
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: My random.php link is being displayed in forums

Post by kaisellgren »

This subject is not really security related, but I think it's OK.

So, if I understood correctly, what you want is hotlinking protection? Only seeing an image through your site? You could either use some sort of token to make sure it is viewed from your site, or look at the HTTP Referer. The latter is not a bulletproof solution, but it should eliminate your bandwidth problems (if you have any?).

On a side note, your script is vulnerable to truncation attacks.
jaysmizzle
Forum Newbie
Posts: 9
Joined: Fri May 01, 2009 2:55 am

Re: My random.php link is being displayed in forums

Post by jaysmizzle »

Yes, hotlinking protection, that's exactly what I need. I'm new to this, so I'd never heard of that until you mentioned it; I googled it and found a script to add to my .htaccess (displayed below). This script displays my 'promo.jpe' file whenever they paste the hotlink in a forum, and that part works just fine, but I had to add 'php' to the list of image types on the last line to get it to work. However, on my site it's only displaying the promo.jpe and doesn't cycle through my pictures like it did before. I'm not sure how to fix this problem. Any ideas? Thanks for the help.

Code:

RewriteEngine on
# Requests without any Referer (direct visits, privacy-conscious browsers) pass through.
RewriteCond %{HTTP_REFERER} !^$
# Requests whose Referer host is not this site (dot escaped, host anchored)...
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mysite\.com(/|$) [NC]
# ...get the promo image instead. The target ends in .jpe, so it never matches
# this rule again and cannot loop.
RewriteRule \.(php|jpg|png|gif)$ http://www.mysite.com/images/promo.jpe [NC,R,L]
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: My random.php link is being displayed in forums

Post by kaisellgren »

You have a PHP script, so you can do it in the PHP script, too.

$_SERVER['HTTP_REFERER'] should contain the HTTP referer, which you then compare to your site address prior to displaying the image.
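A worked version of that check, added here as an example and not code posted in the thread. It assumes the placeholder host names from the .htaccess above and a promo.jpe next to the script; it compares only the host part of the Referer, since a substring match on the whole URL would accept any URL that merely contains your domain.

```php
<?php
// Added example: Referer-based hotlink check for random.php (not the thread's code).
// Host names are placeholders taken from the .htaccess above; adjust to your site.
$allowedHosts = array('mysite.com', 'www.mysite.com');

function referer_allowed($referer, array $allowedHosts)
{
    // No Referer at all: direct visits, privacy settings and some proxies send
    // none. Allow it, matching the .htaccess rule (!^$), or those visitors
    // would get the promo picture too.
    if ($referer === null || $referer === '') {
        return true;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if ($host === false || $host === null) {
        return false; // malformed Referer: treat as hotlinking
    }
    // Exact host comparison; "mysite.com.evil.example" does not match.
    return in_array(strtolower($host), $allowedHosts, true);
}

// The Referer is sent by the client and can be omitted or forged, so this
// only cuts casual hotlinking bandwidth; it is not access control.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null;
if (!referer_allowed($referer, $allowedHosts)) {
    // Hotlinked from elsewhere: serve the promo picture instead of a random one.
    header('Content-type: image/jpeg');
    readfile(__DIR__ . '/promo.jpe');
    exit;
}
// Otherwise fall through to the existing random-image code from the first post.
```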