Duplicate Image Proxy Bypass

Affected version
XenForo 2.2.6 Patch 1
Currently, we use XenForo's built-in image proxying to protect our users from having their IP addresses collected by third parties. I'm aware that XenForo does not advertise this as a feature of image proxying, but we've been made aware of a proxy.php bypass that could benefit from being addressed even outside of security concerns.

If a user quotes a post containing a proxied image, the reply box loads the image from its source URL. I am using this thread on xenforo.com/community (Test messages sub-forum) to verify this report.

This image Brogan linked has been proxied as expected:
1627068545089.webp

However, when I attempt to quote Brogan's post, the original image is loaded instead:
1627068569021.webp

We ran an internal test, using a vanilla XenForo set-up, and can confirm that IP addresses are indeed exposed when quoting or editing a post containing a proxied image. This puts forum moderators, who are instructed to edit posts, at risk of an attack.
 
Sorry, I initially deleted this so I could review the details.

I think what you're reporting here is actually similar to this bug which we have had reported before:

The primary purpose and our main priority of the image proxy is not one of client IP protection, but protecting the server IP address, particularly if the web server is behind a proxy like CloudFlare. There's also a benefit in terms of mixed protocols, i.e. loading insecure http images from within a https

In many situations, leaking the server IP address can lead to DDoS attacks against the front facing web server.

Protecting client IP addresses is not a primary concern as generally we'd expect most people to provision their own security in that regard - proxies and VPNs etc.

That said, it is something we're aware of and it is on our radar but not something we expect to be fixed in the short term.
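
An added example, not part of the original thread and not XenForo code: one way to audit a saved HTML fragment (a rendered post, or the markup that ends up in the editor after quoting or editing) for images the browser would fetch directly from a third-party host instead of through the forum's own proxy.php. The forum origin, the sample fragments and the proxy URL query string are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

FORUM_ORIGIN = "https://forum.example"  # assumed forum base URL (placeholder)


class ImgCollector(HTMLParser):
    """Collect every URL an <img> tag would make the browser request."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        for name, value in attrs:
            if not value:
                continue
            if name == "src":
                self.urls.append(value.strip())
            elif name == "srcset":
                # Each candidate is "URL [descriptor]", comma-separated.
                for candidate in value.split(","):
                    parts = candidate.split()
                    if parts:
                        self.urls.append(parts[0])


def unproxied_images(fragment, origin=FORUM_ORIGIN):
    """Return image URLs that resolve to a host other than the forum's own."""
    collector = ImgCollector()
    collector.feed(fragment)
    forum_host = urlsplit(origin).hostname
    leaks = []
    for raw in collector.urls:
        resolved = urlsplit(urljoin(origin + "/", raw))
        if resolved.scheme not in ("http", "https"):
            continue  # data:, blob: etc. trigger no third-party request
        if resolved.hostname != forum_host:
            leaks.append(raw)  # fetched directly: the viewer's IP reaches that host
    return leaks


# Constructed samples: a post as displayed, and the same post after quoting.
VIEW_HTML = ('<div><img src="/proxy.php?image=https%3A%2F%2Fimg.example.net'
             '%2Fcat.png&amp;hash=PLACEHOLDER" alt=""></div>')
QUOTE_HTML = ('<blockquote><img src="https://img.example.net/cat.png" alt="">'
              '<img srcset="//cdn.example.org/a.png 2x" src="data:image/gif;base64,AAAA">'
              '</blockquote>')

if __name__ == "__main__":
    print("displayed post:", unproxied_images(VIEW_HTML))
    print("quoted post:   ", unproxied_images(QUOTE_HTML))
```
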
 