Not a bug: IMG tag

topkurs2

Active member
Affected version: 2.2.8
Hello.
Just found a small but unpleasant bug (or feature?).
When using the IMG tag, we can manually put any URL in it, not only an image.
I mean
Code:
[img]http://google.com[/img]
or
Code:
[img]http://127.0.0.1[/img]
All these tags are parsed by XenForo like this:
[attached screenshot: bug.webp]
It's very insecure. This opens the possibility for attacks, phishing, disclosure of IP address, browser, referrer and so on.
I suggest adding a verification procedure to check whether it is a real image (e.g. by file extension). If not, do not parse it. vBulletin had such a system (I don't remember whether by default or in an add-on).
 

But the broken image icon doesn't seem to be clickable. So where is the danger?
 

But the broken image icon doesn't seem to be clickable. So where is the danger?
From this broken URL we can learn a lot of info. It's unsafe and insecure.
For example, a quick one. Xenforo.com is using Cloudflare.
Code:
ping xenforo.com
xenforo.com [172.67.1.198]
We can simply learn the real backend of xenforo.com in 3 seconds:
Code:
74.207.234.23
PTR mailer.xenforo.com
useragent XenForo/2.x (https://xenforo.com/community)
It's the simplest example.
 
When using the IMG tag, we can manually put any URL in it, not only an image.
Any URL can respond to a request with an image. It's not possible to determine this ahead of time.

From this broken URL we can learn a lot of info. It's unsafe and insecure.
It's not any different from someone uploading an image to a web server under their control and embedding it. They would get the same information. This is largely mitigated by using the image proxy anyway.

We can simply learn the real backend of xenforo.com in 3 seconds:
You can configure a proxy to avoid this. External requests (those from the image proxy among them) will go through the proxy instead.
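The two approaches discussed in this thread, the file-extension check the opening post suggests and the image-proxy rewrite the staff reply refers to, as an added example that is not XenForo's code and not from anyone in the thread, written in Python rather than PHP for brevity. The `/proxy.php` endpoint name, the signing secret and the sample posts are constructed for the example; the HMAC-signed query string and the same-origin rewrite illustrate the general technique, not the product's actual implementation.

```python
"""Two ways of handling [img] BBCode URLs: the extension check proposed in the
thread, and a signed image-proxy rewrite of the kind the staff reply refers to."""
import hashlib
import hmac
import html
import re
from urllib.parse import quote, urlparse

# Constructed for this example: a real forum would load the secret from config.
# PROXY_BASE is a hypothetical endpoint name, not necessarily the product's own.
PROXY_SECRET = b"example-only-secret-do-not-reuse"
PROXY_BASE = "/proxy.php"

IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".webp")
IMG_TAG = re.compile(r"\[img\](?P<url>https?://[^\s\[\]]+)\[/img\]", re.IGNORECASE)


def has_image_extension(url: str) -> bool:
    """The suggested check: accept only URLs whose path ends in an image extension.
    It rejects [img]http://127.0.0.1[/img], but any host can serve a tracking pixel
    named pixel.png, so it does not stop the IP / User-Agent / Referer leak."""
    return urlparse(url).path.lower().endswith(IMAGE_EXTENSIONS)


def sign(url: str) -> str:
    """HMAC over the exact upstream URL; only the forum can mint proxy links."""
    return hmac.new(PROXY_SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()


def proxy_url(url: str) -> str:
    """Rewrite an external image URL to a forum-hosted proxy URL. The viewer's
    browser then talks only to the forum; the forum fetches the upstream image,
    so the third-party host sees the forum's IP and User-Agent, not the viewer's.
    The HMAC stops the proxy from being used as an open relay for arbitrary URLs."""
    return f"{PROXY_BASE}?image={quote(url, safe='')}&hash={sign(url)}"


def verify_proxy_request(image: str, hash_: str) -> bool:
    """Server-side check before the proxy fetches anything: only URLs the renderer
    signed are fetched, compared in constant time."""
    return hmac.compare_digest(sign(image), hash_)


def render(text: str, proxy: bool) -> str:
    """Render [img] tags to <img>. Tags failing the extension check are left
    unparsed, as proposed in the thread; with proxy=True the src is rewritten to
    the proxy URL. html.escape keeps a quote inside the URL from breaking the tag."""
    def repl(match):
        url = match.group("url")
        if not has_image_extension(url):
            return match.group(0)
        src = proxy_url(url) if proxy else url
        return f'<img src="{html.escape(src, quote=True)}" alt="">'
    return IMG_TAG.sub(repl, text)


def request_host(rendered: str) -> str:
    """Host the viewer's browser connects to for the first <img>; '' means the
    forum itself (relative URL), i.e. nothing about the viewer reaches a third party."""
    m = re.search(r'src="([^"]+)"', rendered)
    return urlparse(m.group(1)).netloc if m else ""


if __name__ == "__main__":
    # Constructed sample posts, not taken from any real forum.
    for post in ("[img]http://127.0.0.1[/img]", "[img]http://tracker.example/pixel.png[/img]"):
        print(post)
        print("  extension check only ->", render(post, proxy=False))
        print("  with image proxy     ->", render(post, proxy=True))
```

Running it shows that the extension check alone only filters `[img]http://127.0.0.1[/img]`; a `pixel.png` on an arbitrary host still renders and sends the viewer's IP, browser and referrer to that host. With the proxy rewrite the browser only contacts the forum, and the upstream host sees the forum's own request, which is consistent with the `XenForo/2.x` User-Agent observed earlier in this thread. The outbound HTTP proxy mentioned in the reply is a separate, server-level setting that additionally hides the forum's own address from the upstream host.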
 