Duplicate Image Proxy Bypass

Externalizable

Externalizable

Member
Affected version
XenForo 2.2.6 Patch 1
Currently, we use XenForo's built-in image proxying to protect our users from having their IP addresses collected by third parties. I'm aware that XenForo does not advertise this as a feature of image proxying, but we've been made aware of a proxy.php bypass that could benefit from being addressed even outside of security concerns.

If a user quotes a post, containing a proxied image, the reply box loads the image from its source URL. I am using this thread on xenforo.com/community (Test messages sub-forum) to verify this report.

This image Brogan linked has been proxied as expected:
1627068545089.webp

However, when I attempt to quote Brogan's post, the original image is loaded instead:
1627068569021.webp

We ran an internal test, using a vanilla XenForo set-up, and can confirm that IP addresses are indeed exposed when quoting or editing a post containing a proxied image. This puts Forum moderators, who are instructed to edit posts, at risk of an attack.
 
Sorry I initially deleted this so I could review the details.

I think what you're reporting here is actually similar to this bug which we have had reported before:
xenforo.com

Future fix - https and tinymce's images

Hi, When inserting an image from a http site, an error is thrown: The browser refuses to load it and displays the error image. It might not be possible to insert the media preview, because of the proxy hash, but there has to be a solution somehow ... (displaying a better 'preview' image ?)...
xenforo.com xenforo.com

The primary purpose and our main priority of the image proxy is not one of client IP protection, but protecting the server IP address, particularly if the web server is behind a proxy like CloudFlare. There's also a benefit in terms of mixed protocols, i.e. loading insecure http images from within a https

In many situations, leaking the server IP address can lead to DDoS attacks against the front facing web server.

Protecting client IP addresses is not a primary concern as generally we'd expect most people to provision their own security with that regard - proxies and VPNs etc.

That said, it is something we're aware of and it is on our radar but not something we expect to be fixed in the short term.
 

Similar threads

Fullmental
  • Question Question
XF 2.2 Image proxy not proxying images from certain domains
Replies
6
Views
270
JoshyPHP
JoshyPHP
Fullmental
  • Solved
XF 2.2 Image proxy results in broken image links, but only for Imgur.
Replies
2
Views
1K
Fullmental
Fullmental
emiya
  • Question Question
XF 2.2 Image Proxy: some images are broken
Replies
0
Views
596
emiya
emiya
eva2000
  • Suggestion Suggestion
Lack of interest Better way to notify users that proxied image is too large
Replies
0
Views
525
eva2000
eva2000
K
Fixed Image Proxy refresh seems inefficient
Replies
3
Views
1K
XF Bug Bot
XF Bug Bot
Back
Top Bottom