My random.php link is being displayed in forums

Posted: Fri May 08, 2009 10:34 pm
by jaysmizzle
Sorry, I couldn't come up with a good subject title with so little space.

I'm using the code below to create a random.php file that displays a random image on every page load. I've noticed recently that some people have copied the URL link to this random.php file and have pasted it in a couple of forums so that every time someone opens the forum topic, they see a random picture like they would if they had visited my website. The link is something like 'http://www.mywebsite.com/images/random.php.jpg'. I'm not sure how I feel about this. Would this cost me bandwidth every time someone opens that topic? Is there any way I could somehow block everyone from doing this? Would you, personally, try to block this, or do you think I should leave it alone and think of it as good advertisement?

<?php

$folder = '.';

// Allowed extensions and the Content-Type to send for each.
$extList = array();
$extList['gif']  = 'image/gif';
$extList['jpg']  = 'image/jpeg';
$extList['jpeg'] = 'image/jpeg';
$extList['png']  = 'image/png';

$img = null;

if (substr($folder, -1) != '/') {
    $folder = $folder . '/';
}

if (isset($_GET['img'])) {
    // A specific image was requested: only its basename is used, and it must
    // have an allowed extension and exist in $folder.
    $imageInfo = pathinfo($_GET['img']);
    if (
        isset($imageInfo['extension']) &&
        isset($extList[strtolower($imageInfo['extension'])]) &&
        file_exists($folder . $imageInfo['basename'])
    ) {
        $img = $folder . $imageInfo['basename'];
    }
} else {
    // No image requested: collect every file in $folder with an allowed extension.
    $fileList = array();
    $handle = opendir($folder);
    while (false !== ($file = readdir($handle))) {
        $file_info = pathinfo($file);
        if (
            isset($file_info['extension']) &&
            isset($extList[strtolower($file_info['extension'])])
        ) {
            $fileList[] = $file;
        }
    }
    closedir($handle);

    if (count($fileList) > 0) {
        // Pick one based on the current time (changes every second, not truly random).
        $imageNumber = time() % count($fileList);
        $img = $folder . $fileList[$imageNumber];
    }
}

if ($img != null) {
    $imageInfo = pathinfo($img);
    // strtolower() here so 'Photo.JPG' (accepted above) still finds its content type.
    $contentType = 'Content-type: ' . $extList[strtolower($imageInfo['extension'])];
    header($contentType);
    readfile($img);
} else {
    // Nothing to show: render a small PNG saying so, if GD is available.
    if (function_exists('imagecreate')) {
        header("Content-type: image/png");
        $im = @imagecreate(100, 100)
            or die("Cannot initialize new GD image stream");
        $background_color = imagecolorallocate($im, 255, 255, 255);
        $text_color = imagecolorallocate($im, 0, 0, 0);
        imagestring($im, 2, 5, 5, "IMAGE ERROR", $text_color);
        imagepng($im);
        imagedestroy($im);
    }
}
?>

Re: My random.php link is being displayed in forums

Posted: Sat May 09, 2009 5:57 am
by kaisellgren
This subject is not really security related, but I think it's OK.

So, if I understood correctly, what you want is hotlinking protection? Only seeing an image through your site? You could either use some sort of token to make sure it is viewed from your site or look at the HTTP Referer. The latter is not a bulletproof solution, but it should eliminate your bandwidth problems (if you have any?).

On a side note, your script is vulnerable to truncation attacks.

Re: My random.php link is being displayed in forums

Posted: Sat May 09, 2009 6:35 pm
by jaysmizzle
Yes, hotlinking protection, that's exactly what I need. I'm new to this, so I'd never heard of that until you mentioned it, so I googled it and found a script to add to my htaccess (displayed below). This script displays my 'promo.jpe' file whenever they paste the hotlink in a forum, and that part works just fine, but I had to add 'php' to the list of image types on the last line to get it to work. However, on my site it's only displaying the promo.jpe and doesn't cycle through my pictures like it did before. I'm not sure how to fix this problem. Any ideas? Thanks for the help.

RewriteEngine on
# Skip the check when no Referer is sent at all (direct visits, privacy tools).
RewriteCond %{HTTP_REFERER} !^$
# Allow only referers whose host is exactly mysite.com or www.mysite.com.
# The dot must be escaped, and the trailing (/|$) stops 'mysite.com.example' from matching.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mysite\.com(/|$) [NC]
# Everything else asking for an image (or the random.php script) gets the promo picture.
RewriteRule \.(php|jpg|png|gif)$ http://www.mysite.com/images/promo.jpe [NC,R,L]

Re: My random.php link is being displayed in forums

Posted: Sun May 10, 2009 6:31 am
by kaisellgren
You have a PHP script, you can do it in the PHP script, too.

$_SERVER['HTTP_REFERER'] should contain the HTTP referer, which you then compare to your site address prior to displaying the image.
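A PHP version of the referer check described above, added here as an illustration and not code from either poster; the host names and the promo image path are assumptions. It compares only the host part of the Referer (exact match, case-insensitive), lets an absent referer through because browsers and privacy tools often strip it, and treats the header as the client-supplied, easily forged hint that it is, so it limits casual hotlinking rather than enforcing access control.

```php
<?php
// Added example: referer-based hotlink check for random.php.
// Site host names and the promo image path below are assumptions.

/**
 * Return true if the request may receive a gallery image.
 * Only the host of the Referer is compared, case-insensitively, so
 * 'http://www.mysite.com/gallery?x=1' and 'https://MYSITE.COM/' both pass,
 * while 'http://mysite.com.example/' does not (exact host match, not prefix).
 * An absent or empty Referer is allowed: browsers, proxies and privacy
 * extensions frequently strip it, and rejecting it would break direct visitors.
 * The header is sent by the client and is trivial to forge, so this limits
 * casual hotlinking (forum posts, etc.); it is not an access control.
 */
function referer_allowed(?string $referer, array $allowedHosts): bool
{
    if ($referer === null || $referer === '') {
        return true;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // malformed referer: treat as not from our site
    }
    $host = strtolower($host);
    foreach ($allowedHosts as $allowed) {
        if ($host === strtolower($allowed)) {
            return true;
        }
    }
    return false;
}

// --- usage at the top of random.php, before any image is chosen ---
$allowedHosts = ['mysite.com', 'www.mysite.com'];   // assumed site names
$referer = $_SERVER['HTTP_REFERER'] ?? null;

if (!referer_allowed($referer, $allowedHosts)) {
    // Serve the promo image instead of a random gallery picture.
    // Sending a 403 with no body would save even more bandwidth.
    header('Content-Type: image/jpeg');
    readfile(__DIR__ . '/promo.jpe');                // assumed path
    exit;
}
// ...otherwise fall through to the random-image logic.
```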