Image proxy can be abused too easily

Kirby

Well-known member
Affected version
2.3.0 Beta 6
Steps to reproduce
  1. Configure a proxy secret
  2. Start a new post
  3. Insert an external image
  4. Click preview
  5. Copy the generated image URL
Result
The generated proxy.php URL can now be used externally forever until the secret is changed, without the image ever being displayed anywhere publicly in XenForo.

Suggested Mitigation
Make the hashes automatically expire after a configurable expire time
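As an added illustration of the mitigation proposed in the report (example code, not XenForo's own proxy implementation), the following sketch signs a proxy URL with an expiry timestamp that is covered by the HMAC, so a copied link stops working after a configurable lifetime without any secret rotation. The secret, image URL and lifetime below are constructed placeholders.

```php
<?php
// Added example, not XenForo code: time-limited signed image-proxy URLs.
// Assumes a configured shared secret and a lifetime setting in seconds.

function buildProxyUrl(string $imageUrl, string $secret, int $ttlSeconds, ?int $now = null): string
{
    $now = $now ?? time();
    $expires = $now + $ttlSeconds;
    // The signature binds the image URL and the expiry together, so neither
    // can be altered in the query string without invalidating the hash.
    $hash = hash_hmac('sha256', $expires . "\n" . $imageUrl, $secret);
    return 'proxy.php?' . http_build_query([
        'image'   => $imageUrl,
        'expires' => $expires,
        'hash'    => $hash,
    ]);
}

function verifyProxyRequest(array $query, string $secret, ?int $now = null): bool
{
    $now = $now ?? time();
    if (!isset($query['image'], $query['expires'], $query['hash'])) {
        return false;
    }
    $expires = (int) $query['expires'];
    // Reject expired links before doing any fetching work.
    if ($expires < $now) {
        return false;
    }
    $expected = hash_hmac('sha256', $expires . "\n" . $query['image'], $secret);
    // Constant-time comparison so the hash cannot be probed via timing.
    return hash_equals($expected, (string) $query['hash']);
}

// Constructed demo values: one-hour lifetime, fixed clock for reproducibility.
$secret = 'placeholder-proxy-secret';
$issued = 1700000000;
$url    = buildProxyUrl('https://example.com/cat.png', $secret, 3600, $issued);
parse_str(substr($url, strlen('proxy.php?')), $params);

var_dump(verifyProxyRequest($params, $secret, $issued + 60));    // request one minute after issue
var_dump(verifyProxyRequest($params, $secret, $issued + 3601));  // request after the lifetime passed
$params['expires'] = $issued + 99999;                             // attempt to stretch the expiry
var_dump(verifyProxyRequest($params, $secret, $issued + 60));    // tampered expiry, signature no longer matches
```

Because the expiry lives in the URL and is signed, shortening or lengthening the lifetime is a configuration change rather than a secret rotation.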
 
I was just thinking about this lol. Cloudflare makes this an even bigger problem. Though hotlinking protection somehow fixes this assuming it works as expected. I do change my secret key regularly but this means all image links in search engine are dead and require reindexing which is again not an optimal scenario.
 