Network Security: Detailed info on Re: BBCode [IMG] [/IMG] Tag Vulnerability

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Web-App-Sec

[Top] [All Lists]

Re: BBCode [IMG] [/IMG] Tag Vulnerability

from [Zak McGregor] Network Security

[Permanent Link]

Subject:	Re: BBCode [IMG] [/IMG] Tag Vulnerability
Date:	Wed, 24 Aug 2005 02:33:35 +0200

On Tue, 23 Aug 2005 09:20:03 -0500
"Tony Stahler" <TStahler@tempographics.com> wrote:

You'd probably be better off just deciding which image file types you
consider safe for users... i.e. you probably don't want to allow
flash... and only allow images with those extensions.  Making sure
images are safe isn't really you're responsibility, it's the
responsibility of the image standard, and the browser displaying the
information.


IMHO the correct way to do this is to make an http head to the url given as the
image location, parsing the response for content-type headers and using that as
a guide for image type. Using the file extension of the supplied url is asking
for potential issues. Even getting the content-type header from the remote
server is not foolproof - it could be set to change content type and actual
content once the expected check has been performed.

Ciao

Zak

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: BBCode [IMG] [/IMG] Tag Vulnerability, Paul Laudanski Re: [Full-disclosure] Re: BBCode [IMG] [/IMG] Tag Vulnerability, Christopher Kunz Re: BBCode [IMG] [/IMG] Tag Vulnerability, Paul Laudanski Re: BBCode [IMG] [/IMG] Tag Vulnerability, Tony Stahler Re: BBCode [IMG] [/IMG] Tag Vulnerability, Zak McGregor <= Re: BBCode [IMG] [/IMG] Tag Vulnerability, Christopher Kunz Re: BBCode [IMG] [/IMG] Tag Vulnerability, Christopher Canova

Previous by Date:	RE: anti-phishing implementation, wilsonc
Next by Date:	ActiveX POC, Andres Molinetti
Previous by Thread:	Re: BBCode [IMG] [/IMG] Tag Vulnerability, Tony Stahler
Next by Thread:	Re: BBCode [IMG] [/IMG] Tag Vulnerability, Christopher Kunz
Indexes:	[Date] [Thread] [Top] [All Lists]