
scripts embedded in images

I run a small browser MMO, and I have a problem where a couple users are embedding scripts into their profile images, and using them to make attacks against said users, and my game in general. Is there a way to protect against this, or do I need to start blocking people from being able to use their own custom images?

If it helps any, it's done in PHP/MySQL.

watchwood asked Nov 27 '08 00:11



2 Answers

Most likely what is happening is they are giving you a link to a script that is building the image and returning it on the fly. There is nothing, aside from not allowing users to use external images, that you can do about it; one option to prevent it is to download and store the image on your server as opposed to linking to the external image.

--I decided to provide a sample
This image is created on the fly; the URL I'm giving is http://unkwndesign.com/profilePic.png.
Now, profilePic.png is a folder that, when requested, is providing index.php, which, using GD, is getting the SO logo and imposing your IP address over it. To be very clear here, I AM NOT LOGGING THIS OR ANY OTHER DATA. The source for index.php is:

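<?php
// Load the base image (a remote URL here, so allow_url_fopen must be enabled).
$image = imagecreatefrompng("http://stackoverflow.com/Content/Img/stackoverflow-logo-250.png");
$font_size = 12;
$color = imagecolorallocate($image, 0, 0, 0); // black text
// Draw the requesting client's IP address onto the image.
imagettftext($image, $font_size, 0, 55, 35, $color, "arial.ttf", $_SERVER['REMOTE_ADDR']);
// Respond as an ordinary PNG.
header("Content-Type: image/png");
imagepng($image);
imagedestroy($image);
?>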

Since I am returning an image, with a proper extension and the proper MIME type, there is no way to detect what I am doing. If the server had downloaded my image and stored it locally, the IP address would be that of the server, which would ruin the fun of doing it and likely prove to be enough of a discouraging factor to stop the behavior.

UnkwnTech answered Nov 02 '22 13:11


Try having GD process those images. If it throws errors, you know you have a problem. Since image upload is a relatively rare operation, it shouldn't cause load problems to do some kind of arbitrary manipulation.

acrosman answered Nov 02 '22 13:11
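
The two answers combined, as an added example that is not part of either answer: image bytes (from an upload, or from the server's own copy of a linked image) are decoded and re-encoded with GD, then stored under a server-chosen name. The function names, size limits and the temp-directory storage path are assumptions.

```php
<?php
// Added example, not from the answers. Names, limits and paths are assumptions.
const MAX_BYTES = 512 * 1024;  // assumed cap on input size
const MAX_INPUT_SIDE = 4096;   // assumed cap on declared width/height
const AVATAR_SIDE = 128;       // stored avatars fit in 128x128
// Decode $bytes with GD and return freshly encoded PNG bytes, or null when the
// input is not a decodable PNG/JPEG/GIF. Only pixel data survives the re-encode.
function sanitize_avatar(string $bytes): ?string
{
    if ($bytes === '' || strlen($bytes) > MAX_BYTES) {
        return null;
    }
    $info = @getimagesizefromstring($bytes);  // reads the header only
    $allowed = [IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF];
    if ($info === false || !in_array($info[2], $allowed, true)
        || max($info[0], $info[1]) > MAX_INPUT_SIDE) {
        return null;
    }
    $src = @imagecreatefromstring($bytes);    // full decode, false on failure
    if ($src === false) {
        return null;
    }
    [$w, $h] = [imagesx($src), imagesy($src)];
    $scale = min(1.0, AVATAR_SIDE / max($w, $h));
    [$nw, $nh] = [max(1, (int) round($w * $scale)), max(1, (int) round($h * $scale))];
    $dst = imagecreatetruecolor($nw, $nh);
    imagealphablending($dst, false);          // copy source alpha unchanged
    imagesavealpha($dst, true);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $nw, $nh, $w, $h);
    ob_start();
    imagepng($dst);
    return ob_get_clean();
}

// Store under a server-chosen name: the user controls neither path nor extension.
function store_avatar(string $png, string $dir): string
{
    $name = bin2hex(random_bytes(16)) . '.png';
    if (file_put_contents("$dir/$name", $png, LOCK_EX) === false) {
        throw new RuntimeException('could not write avatar');
    }
    return $name;
}
// Constructed inputs: a valid PNG with markup appended, and a fake "GIF".
ob_start();
imagepng(imagecreatetruecolor(400, 300));
$clean = sanitize_avatar(ob_get_clean() . '<script>/* constructed */</script>');
var_dump($clean !== null && strpos($clean, '<script>') === false);
var_dump(sanitize_avatar('GIF89a<?php echo 1; ?>'));
echo store_avatar($clean, sys_get_temp_dir()), "\n";
```

If the bytes come from fetching a user-supplied URL, that fetch needs its own limits (http/https only, a timeout, a size cap, no internal addresses), which are not shown here.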