security issues with <img> tag

Posted: Fri Aug 17, 2007 11:07 am

I have a user who has a sig he wants to display using this format

Code:

[img]http://www.tournament.com/players/signatures/image.jpg?style=forumsig&username=Promeh[/img]

This does not display the image.

Are there any security issues I should worry about in adding <img> to the allowed html in our forums?

Posted: Fri Aug 17, 2007 12:00 pm

The html image tag should already be ther I think but in any event, the tag you are using in your example is a bbcode tag not a html tag.

Posted: Fri Aug 17, 2007 7:31 pm

Ya, I know. What I mean is adding img to the allowed html in forums config. The example I gave above is what he tried to use. It will not display the image. I temporarily added img to the forums config allowed html tags and the image then DOES show when using <> instead of [].

Since the sig shows the image using <img>, but not using [img] there must be some difference. I want to know if having added img to the allowed html tags will cause any cause any security risks (more than without it)

Posted: Fri Aug 17, 2007 9:36 pm

That's one of those dynamic signatures, right? With game stats or something? It's not really a .jpg; it is pulling a script off that other server to generate the signature. He could easily point it to a bad script that does XSS. If you trust him, the server the sig comes from, and no one compromises that server, you'll be okay. You can decide if it is a risk worth taking.

Posted: Sat Aug 18, 2007 1:42 am

phpBB added a check so that only .jpg, .gif, .png (possibly) are the only ones that could be used. While this kind of protection can be bypassed rather easily, it is still another security measure.

You can use mod_rewrite rules to give an easier URL, one that will take a .jpg and send it back to your PHP script