XF 1.5 How to prevent abuse of embedding / IMG tag?

Discussion in 'XenForo Questions and Support' started by dutchbb, Apr 22, 2016.

  1. dutchbb

    dutchbb Well-Known Member

    One of our members pointed out that anyone can find out and record the IP-address of anyone viewing a thread, simply by posting a hotlinked image (with the IMG tags).

    As you may know, it works like this: they host the image on a private server, then add an .htaccess file that redirects the image to a PHP script that records the IP of everyone who views the image to a database. The script then shows the image to the user, who is not aware of anything.

    This is a security issue on every forum allowing embedding, he says. My question: does XF have a built-in feature to work around this issue? Or is custom coding required?
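The endpoint described in the opening post, written out as an added example (not code from the thread or from XenForo). It assumes the post embeds `https://tracker.example/cat.jpg`, that the host's `.htaccess` rewrites that path to this script, and that hits go to a flat file rather than the database the post mentions. It also records the other request headers a hotlinked image hands to the image host, which is what the later replies about referrers and fingerprinting are getting at.

```php
<?php
// Added example: the logging endpoint behind a hotlinked image.
// Assumed host layout: the .htaccess next to this file contains
//
//   RewriteEngine On
//   RewriteRule ^cat\.jpg$ /track.php [L]
//
// so every browser that renders the post requests cat.jpg and lands here.

$logFile = __DIR__ . '/hits.log';      // assumed: flat file instead of the DB from the post
$image   = __DIR__ . '/real-cat.jpg';  // assumed: the picture actually shown to the viewer

// Everything a plain <img> request leaks to the image host.
$record = [
    'time'       => gmdate('c'),
    'ip'         => $_SERVER['REMOTE_ADDR'] ?? '',
    'forwarded'  => $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '',   // present when the viewer sits behind a proxy
    'user_agent' => $_SERVER['HTTP_USER_AGENT'] ?? '',
    'referer'    => $_SERVER['HTTP_REFERER'] ?? '',           // which forum thread/page embedded it
    'lang'       => $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '',
    'cookie'     => $_COOKIE['t'] ?? '',                      // our own id from an earlier view, if any
];
file_put_contents($logFile, json_encode($record) . PHP_EOL, FILE_APPEND | LOCK_EX);

// First view: set a third-party cookie so later views of any image on this host
// can be tied to the same browser even if its IP changes.
if (!isset($_COOKIE['t'])) {
    setcookie('t', bin2hex(random_bytes(8)), time() + 86400 * 365, '/', '', true, true);
}

// Tell the browser not to cache, so every page view is logged again.
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');
header('Content-Type: image/jpeg');
header('Content-Length: ' . filesize($image));
readfile($image);
```

The point of writing it out is that nothing here requires a vulnerability in the forum: the browser of every reader makes an ordinary GET to a host the poster controls, and the Referer alone tells the poster which thread they were reading.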
  2. James

    James Well-Known Member

    Don't all images go through the image proxy which essentially wipes the referral information?
  3. Alfa1

    Alfa1 Well-Known Member

    Only if the image cache is enabled and expiry is set to 0. So that is the solution against this abuse.
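Why the image proxy answers the opening post's concern, shown as an added example rather than XenForo's own proxy code. A minimal server-side proxy: posts are rewritten to `<img src="/proxy.php?url=...">`, so only the forum server ever connects to the image host, which then logs the server's IP and a fixed User-Agent and never sees the viewer's IP, cookies or Referer. It assumes PHP 7 or later, `allow_url_fopen` enabled, and a web-writable `cache/` directory; the `$lifetime` setting is an assumed stand-in for the cache expiry discussed above.

```php
<?php
// Added example: a minimal image proxy. The browser fetches this script, and
// this script (not the browser) fetches the remote image.

$cacheDir = __DIR__ . '/cache';
$lifetime = 0;                 // assumed: cache lifetime in seconds; 0 = keep forever, never refetch
$maxBytes = 5 * 1024 * 1024;   // assumed upper bound on proxied image size

$url   = $_GET['url'] ?? '';
$parts = parse_url($url);
if (!$parts || !in_array($parts['scheme'] ?? '', ['http', 'https'], true) || empty($parts['host'])) {
    http_response_code(400);
    exit('bad url');
}

// A proxy that fetches any URL on request is an SSRF hole: refuse hosts that
// resolve to private, loopback or reserved ranges before connecting.
$ip = gethostbyname($parts['host']);
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
    http_response_code(403);
    exit('refused');
}

$cacheFile = $cacheDir . '/' . hash('sha256', $url);
$fresh = is_file($cacheFile) && ($lifetime === 0 || time() - filemtime($cacheFile) < $lifetime);

if (!$fresh) {
    $ctx = stream_context_create(['http' => [
        'method'          => 'GET',
        'header'          => "User-Agent: ImageProxy/1.0\r\n",  // fixed UA; no viewer cookies, no Referer
        'follow_location' => 0,   // do not chase redirects to hosts the check above never saw
        'timeout'         => 5,
    ]]);
    $body = @file_get_contents($url, false, $ctx, 0, $maxBytes + 1);

    // Only real image bytes are cached and served; HTML or script content is
    // dropped whatever Content-Type the remote host claimed.
    if ($body === false || strlen($body) > $maxBytes || @getimagesizefromstring($body) === false) {
        http_response_code(502);
        exit('not an image');
    }
    if (!is_dir($cacheDir)) {
        mkdir($cacheDir, 0750, true);
    }
    file_put_contents($cacheFile, $body, LOCK_EX);
}

$info = getimagesize($cacheFile);
header('Content-Type: ' . $info['mime']);
header('Content-Length: ' . filesize($cacheFile));
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline');
header('Cache-Control: public, max-age=86400');
readfile($cacheFile);
```

With the cache kept forever the remote host sees exactly one request per distinct URL, from the forum's address, no matter how many members read the thread; with a finite lifetime it sees one request per expiry, still from the forum. The private-range check is the part easiest to forget: a proxy without it lets any poster make the forum server fetch `http://127.0.0.1/...` or internal addresses, and a strict deployment would also pin the resolved IP for the actual connection rather than resolving twice.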
  4. James

    James Well-Known Member

    I'd also wonder... what's the issue? If someone stuck the image in this thread, how do they know if it is me or mister guest Googlebot?
  5. ozzy47

    ozzy47 Well-Known Member

    Maybe they are building a DB of IP's to spoof and use to post spam.
  6. Alfa1

    Alfa1 Well-Known Member

    Exposing IP addresses can be problematic in a lot of situations. Stalking, privacy, etc. are an issue. We had a lot of trouble with users fetching IP addresses to find out the identity of people.
    But a lot more can be sent through besides IP addresses. Think of browser fingerprinting. Tracking cookies.
    And it goes both ways. A malicious code injection may be possible. One could use a URL in the img tag like:
  7. AndyB

    AndyB Well-Known Member

