10

Building a website, I'd like to allow users to specify an url that point to an image that will be used as a profile picture (included in the HTML DOM as a ).

But before doing anything stupid, I was wondering if it was possible for an malicious person to use this for other purposes.

From what I know, it can possible to specify a .php file (for example), that will read the cookie session, and then display the image. But I don't have anything risky stored in the cookie.

What else can be done and is this a very (very very) bad choice or can I go with it?

I found that IE6 had a problem with this that could lead to an XSS exploit, but well, it's IE6, written in 1874 right? (spoiler: I don't target IE6 users at all ;) )

Thanks for your help.

Cyril N.
  • 2,649
  • 2
  • 18
  • 28
  • Excellent Question. Would love to find out about that too. – Lex Feb 13 '13 at 10:17
  • Good, I was wondering if I would be "destroyed" by asking such a dumb question (like it was an obvious reason I missed). Apparently, no :) – Cyril N. Feb 13 '13 at 10:19
  • The main reason behind this is that I'm sick and tired of the old shitty upload file in HTML. I know there is tons of plugins for simplifying the work, but still, giving an URL is WAY more simpler ! – Cyril N. Feb 13 '13 at 10:20
  • You could look into a drag-and-drop upload like GMail - that may be nicer than the upload file dialog. See http://blueimp.github.com/jQuery-File-Upload/ – Bob Watson Feb 13 '13 at 11:41

2 Answers2

10

There's actually quite a few issues with the approach:

  • You need to worry about CSRF attacks (someone could use http://somesite.com/?q=deleteallmydata and anyone visiting the site will have their data on somesite.com deleted), and depending on your code, you're more vulnerable to XSS attacks.

    This can be sophisticated - for example, they could show an image to begin with, then switch it with a redirect.

  • If your site is busy, it can be used to stage an effective DDOS attack - someone could enter a URL for some site they dislike, probably in a way that runs up server resources (a search page or similar).

  • Attacks on a user's image host are now attacks on your users.

If you don't want to handle images - you may want to consider a trusted host, like http://imgur.com/ (StackExchange does something like this) to direct your users to, and limit your URLs to that site only.

Community
  • 1
Bob Watson
  • 2,856
  • 17
  • 29
  • Thanks for the tips. I don't think I will generate a lot of DDOS (You will have to be logged to access it) but it's still an issue I don't have to ignore. The two others point are very interesting! Thanks. – Cyril N. Feb 13 '13 at 10:26
  • 2
    Your first point is a CSRF vulnerability in `somesite.com`. – CodesInChaos Feb 13 '13 at 10:34
  • @CodesInChaos Sorry, yes. Was thinking of two things at once; clarified. – Bob Watson Feb 13 '13 at 10:36
2

One issue is that an attacker can put an image resource behind HTTP Basic Auth and change the realm to be your site's name.

Most often your less experienced users will gleefully put in their passwords and send them off to the remote server.

XSS, as mentioned before, is also another potential issue.

From a performance perspective, somebody can put images on a slow site, and your site will then feel dog slow to your users.

matt s
  • 21
  • 1