XF 1.5 How to prevent abuse of embedding / IMG tag?

[dutchbb]

One of our members pointed out that anyone can find out and record the IP-address of anyone viewing a thread, simply by posting a hotlinked image (with the IMG tags).

As you may know, it works like this: they host the image on a private server, then add an .htaccess file that redirects the image to a PHP script that records every IP of who viewed the image to a database. The script then shows the image to the user who is not aware of anything.

This is a security issue on every forum allowing embedding he says. My question: does XF has a build in feature to work around this issue? Or is custom coding required?

 

[James]

Don't all images go through the image proxy which essentially wipes the referral information?

 

[Alpha1]

Only if the image cache is enabled and expiry is set to 0. So that is the solution against this abuse.

 

[James]

I'd also wonder... what's the issue? If someone stuck the image in this thread how do they know if 123.56.7.89 is me or mister guest Googlebot?

 

[Ozzy47]

I'd also wonder... what's the issue? If someone stuck the image in this thread how do they know if 123.56.7.89 is me or mister guest Googlebot?

Maybe they are building a DB of IP's to spoof and use to post spam.

 

[Alpha1]

I'd also wonder... what's the issue? If someone stuck the image in this thread how do they know if 123.56.7.89 is me or mister guest Googlebot?

Exposing IP addresses can be problematic in a lot of situations. Stalking, privacy, etc are an issue. We had a lot of trouble with users fetching IP addresses finding out the identity of people.
But a lot more can be sent trough besides IP addresses. Think of browser fingerprinting. Tracking cookies.
And it goes in both ways. A malicious code injection may be possible. One could use a URL in the img tag like:
url/pictur.php?a=[anything]

 

[AndyB]

One way of preventing this problem is to use this add-on:

https://xenforo.com/community/resources/convert-image.2521/