Are Hotlinked Images Now a Liability? 57
ConcernedImage asks: "I work for a company that has a strong online community, with a full set of message boards that currently allow external image hotlinking. With the new WMF exploit out there, all it takes is one user to link to a bad image, and suddenly it's -our- web site inflicting the computers of others (at least, as far as our users are concerned). Is allowing hotlinked images a legal liability now? What steps are other online communities taking to protect themselves and their users against this?"
Hotlinking WMFs in a webpage (Score:2, Insightful)
Re:Hotlinking WMFs in a webpage (Score:2)
Re:Hotlinking WMFs in a webpage (Score:2)
Re:Hotlinking WMFs in a webpage (Score:1)
"... If
and only if the media type is not given by a Content-Type field, the
recipient MAY attempt to guess the media type via inspection of its
content and/or the name extension(s) of the URI used to identify the
resource."
Re:Hotlinking WMFs in a webpage (Score:2)
Re:Hotlinking WMFs in a webpage (Score:1)
Check both and always prompt the user to make a selection about how to open the file if the File extension and the Content Type are not consistent.
The reason to do that is that some might try to trick others by using a file with a misleading name, such as naming a PNG "foo.jpeg"
Re:Hotlinking WMFs in a webpage (Score:2)
Re:Hotlinking WMFs in a webpage (Score:1)
Hotlinked images always were a liability (Score:5, Insightful)
Captain Obvious Raises His Hand (Score:2, Insightful)
Re:Captain Obvious Raises His Hand (Score:3, Informative)
Check the filename? Ok the malicious webserver will lie about the filename vs the mime type.
Check the file itself? Ok, now the malicious webserver just serves different files for different sources.
There's no automatic way to prevent wmf files from being linked to, which is what the whole point of TFA is.
Re:Captain Obvious Raises His Hand (Score:2)
Re:Captain Obvious Raises His Hand (Score:1)
Re:Captain Obvious Raises His Hand (Score:1)
There's no automatic way to prevent wmf files from being linked to, which is what the whole point of TFA is.
Have the forum automatically retrieve a copy of the image from the URL entered.
Automatically reject the image if it is of a different type than claimed, is too big, is a WMF, doesn't exist, etc...
Automatically repeat the check on a periodic basis: and automatically remove the image if it changes.
Remove image-posting privilege or ban from the forum anyone whose image submissions are
Re:Captain Obvious Raises His Hand (Score:1, Informative)
Will your site be obeying robots.txt? If so then validation is pointless just add deny line into robots.txt. Some sites don't appreciate being hit by half the webservers in the world at once because someone added there image to a forum. Couldn't this be used as a way of launching DDOS attacks against any webserver that hosts an image?
You s
Taking steps? (Score:3, Interesting)
Using Linux? Using a Mac?
I kid. But seriously, the issue is PC security, not server security. If your PC is vulnerable to an exploit simply for viewing an image, the problem is YOURS, not the server that happens to link to an image that happens to use that exploit.
Re:Taking steps? (Score:2)
Yes, but if it does affect 99% of your users, and people trust your site not to be malicious so they keep coming, but you allow random people to post images to your forums... turning that off for now seems like a good idea to me.
Re:Taking steps? (Score:2)
Besides, it's Microsoft's fault for the WMF format, allowing this exploit to be used, not patching it quickly, and many other problems regarding MSIE. If they aren't liable for the WMFs, nobody but the users who post them are.
Re:Taking steps? (Score:2)
99%? 1997 called; they want their browser statistics back
It's a Windows flaw, not a IE flaw. Firefox is vulnerable too.
Re:Taking steps? (Score:2)
Re:Taking steps? (Score:1)
Let the user know, don't hide the flaw. (Score:2)
It's like asking... (Score:3, Insightful)
Re:It's like asking... (Score:2)
Re:It's like asking... (Score:2)
Take Flickr for exam
I see three options: (Score:2)
I suppose you could always cache the images people link to in order to virus-scan them, but that seems really time- and space-consuming.
Re:I see three options: (Score:3, Informative)
The exploit worked even if the files had the wrong extension (of gif, jpeg etc).
Re:I see three options: (Score:2)
That's impossible. You might be able to restrict it to images with URIs ending in those extensions, but extensions are largely irrelevant to the WWW, it's the Content-Type header that matters, which can't be checked because the person serving it can change it at any time. To add to the complication, because of the way many browsers are implemented, even if you could enforce the Content-Type restriction, the browsers would ignore
Re:I see three options: (Score:2)
I know it wouldn't do much good for precisely that reason, but it would take care of accidental links to the malicious images.. say someone makes one of these WMFs of something cute. Some granny with enough ability to upload images to a server (I was goin
Re:I see three options: (Score:2)
Re:I see three options: (Score:2)
Is there any canned code to verify that an image is in WMF format? It seems to me that there's no reason not to ban WMF uploads since I can't think of the last time I heard of someone actually wanting to use that file format for its charactertistics.
D
Re:I see three options: (Score:2)
The identify utility that is part of ImageMagick [imagemagick.org] can do it.
Re:I see three options: (Score:2)
4. Have your users upload their images to your server, only supporting format(s) that can be verified as being what they claim and cannot directly execute scripts like WMF files can (GIF, JPEG, ...). Politely refuse to accept images that are *not* what they claim; Joe might have saved a GIF document with a .JPG extension by mistake after all.
Now that does not preclude there being some means of exploiting the relevent image handler on the web browser's PC to e
Re:I see three options: (Score:2)
Yeah, but the interface for doing that is always pretty kludgy, from what I've seen.. but that was my point behind caching the images that people link to. You could do it entirely transparently and ensure that the images are safe... it's just a matter of providing enough space.
Re:I see three options: (Score:2)
The problems now become: your bandwidth, your potential copyright violation, your disk space and processing time, your risk if there's an image-based exploit on your image-checker (always a remote possibility)... and in many of the random phpBB communities and such on the Web, all those are in short supply- and moreover, many of them have users w
Re:I see three options: (Score:2)
your potential copyright violation
I don't know, if you disclaim responsibility for what people post, you could make a case that the poster is the copyright violator because they weren't given a licence to distribute the material and that your server merely did as it was told, on the assumption that the poster did have the licence.
your risk if there's an image-based exploit on your image-checker (always a remote possibility)
True, but a
Use a diagnostics wmf (Score:1)
Y!PP did block inline images (Score:4, Interesting)
The forums of Puzzle Pirates switched off all images when it became clear how bad this exploit is. They later turned back on avatars, since they're checked by the server (only accepts JPEGs and GIFs of a certain max size, and then stored server side, as far as I know).
The original announcement said they'd be back when Microsoft release their official patch, but I think PP is giving everybody time to patch first.
ASK A LAWYER ! (Score:2)
IANAL, but IMHO you most definitely are liable for unusual hazards to present to visitors. I'm not sure how you avoid liability for libel and copyright violations except perhaps by prompt action. Common-carrier is not common-storer, although public warehouses have existed for centuries.
Here, it is very easy for you to wrapper IMG tags to require a click, and maybe tag them with source URL for those many lusers w
This will always be a problem. (Score:2)
Also, what about javascript? All the script has to do is call for the image to be loaded, not even displayed. The problem is much larger then just stopping sites from hotlinking images.
Your question is that it's a liability, I w
Re:This will always be a problem. (Score:2)
Certainly it's not efficient to check all the time in advance - or else, the only plausible strategy is to cache - that way you can guarantee the content being delivered. Now what precautions are reasonable?
images are like ways to include pages in a way (Score:1)
Great (Score:2, Insightful)
There's a new WMF exploit out to take the place of the one patched yesterday?
Re:Great (Score:2)
Don't worry too much about it. (Score:2)
Patch is out there. (Score:1, Troll)
Re:Patch is out there. (Score:3, Insightful)
Re:Patch is out there. (Score:2)
Only partly joking...
The WMF bug was a big disaster (Score:3, Insightful)
I am of course a geeky nerdy never washing never getting laid linux user who hasn't had to worry about security alerts at all in 2005 (Check somebody elses post in one of the CERT stories where he shows that there have been no cyber alerts for linux in 2005) the last I think was in 2004 or 2003 relating to opensll or ssh.
MS response was idiotic and shows they totally do not care about their customers. In the best case they should have made it very clear to every windows user that browsing the net was dangerous and put out a simple patch that disabled WMF completly or at least put up a warning before a wmf like file is accessed even if it is a WMF disguising itself as a jpeg.
Oh but this could break existing products? WHO THE FUCK CARES? It is like worrying that cutting off the electricity and gas after an earthquake is going to make your icecream melt. The WMF exploit is a disaster and that means it is time for drastic measures.
Windows users should have been up in arms. Browsing the internet became a no-no even with non-porn sites. Only thing that has to happen is 1 person on forum having a exploit for their avatar image and bang.
I have seen several people being affected by this exploit. Sure some were stupid free porn sites surfers but not all of them. Just normally using their computer and BAM. Infected.
We have been getting a lot of comments from MS fanboys about how much stabler XP is and that MS is getting a lot more serious about security. HA. This WMF thing has shown that MS is still the same MS of old. Nothing has changed. A full week to patch exploit affecting all your users and the all the MS fanboys can do is sputter "They had to test it" yeah right. Oh well at least it seems that this time the patch actually works. That gotta be a first.
Oh well now to answer your question. There is nothing to do here but disable unchecked content on your website. That means you gotta host every image yourselve and make sure you check that it is what it claims to be in your upload code.
The MS patch won't change a fucking thing. An awfull lot of MS users never patch up so this WMF exploit will be with us as long as that code red crap and every other windows exploit. If I am ever diagnosed with an incurable disease and only have a few weeks left, gates is going to get a bullet in the head.
Re:The WMF bug was a big disaster (Score:2)
Don't leave Ballmer out of this. Save a cartridge for him: any number of Slashdotters would be willing to provide a spare bullet
Here, let me spell it out for you: (Score:2)
'F' is for the Fear you won't have anymore.
'I' is for the Internet you love to peruse.
'R' is for the redundant mod this post will score.
'E' is for the Explorer you'll no longer use.
and..
'F' is for the Favorite of so many on the Net!
'O' is for the Open Source in "FOSS"!
'X' is for the Xtra plugins you're bound to get.
And that spells "FIREFOX": http://www.firefox.org/ [firefox.org]Tell your boss!