Duplicate Image Proxy Bypass

Affected version
XenForo 2.2.6 Patch 1
Currently, we use XenForo's built-in image proxying to protect our users from having their IP addresses collected by third parties. I'm aware that XenForo does not advertise this as a feature of image proxying, but we've been made aware of a proxy.php bypass that could benefit from being addressed even outside of security concerns.

If a user quotes a post, containing a proxied image, the reply box loads the image from its source URL. I am using this thread on xenforo.com/community (Test messages sub-forum) to verify this report.

This image Brogan linked has been proxied as expected:

However, when I attempt to quote Brogan's post, the original image is loaded instead:

We ran an internal test, using a vanilla XenForo set-up, and can confirm that IP addresses are indeed exposed when quoting or editing a post containing a proxied image. This puts Forum moderators, who are instructed to edit posts, at risk of an attack.
Sorry I initially deleted this so I could review the details.

I think what you're reporting here is actually similar to this bug which we have had reported before:

The primary purpose and our main priority of the image proxy is not one of client IP protection, but protecting the server IP address, particularly if the web server is behind a proxy like CloudFlare. There's also a benefit in terms of mixed protocols, i.e. loading insecure http images from within a https

In many situations, leaking the server IP address can lead to DDoS attacks against the front facing web server.

Protecting client IP addresses is not a primary concern as generally we'd expect most people to provision their own security with that regard - proxies and VPNs etc.

That said, it is something we're aware of and it is on our radar but not something we expect to be fixed in the short term.
Top Bottom