Stopping [img] from loading PHP files

Started by Sordell Media, November 04, 2010, 08:31:29 PM


Sordell Media

Is there any way of stopping [img] tags from loading non-image extensions, such as PHP scripts? One of my sites has recently been attacked by a group posting malicious PHP files as [img] tags. While there are a couple of vulnerabilities on my side that have allowed this to occur (and are being patched), it seems kinda stupid that SMF would provide such a convenient XSS opening for malicious users.

SlammedDime

Running a PHP script in an image tag is not a vulnerability by any stretch of the imagination (multiple team members and former team members even have avatars that are actually PHP scripts that rotate images on each page load)... any source claiming it to be doesn't know what he or she is talking about.  Running a PHP script in an image tag does not allow the script to run on your site... it runs on the other person's site just as any other web page and can't do anything malicious.

Oya

Doing so would also prevent you from ever using [img] to include attached images or avatars in the default configuration.

KensonPlays

Look at my avatar and the image in my sig; this is an example, and it runs on my site. If you want a similar avatar rotator, go here: http://www.kcmartz.com/avatar-rotator.gif/index.phps (the .phps extension shows the source code).


Sordell Media

Quote from: SlammedDime on November 04, 2010, 08:35:37 PM
Running a PHP script in an image tag is not a vulnerability by any stretch of the imagination (multiple team members and former team members even have avatars that are actually PHP scripts that rotate images on each page load)... any source claiming it to be doesn't know what he or she is talking about.  Running a PHP script in an image tag does not allow the script to run on your site... it runs on the other person's site just as any other web page and can't do anything malicious.

I'm aware of this, however it can be used maliciously. In this particular instance, the img tag was used to load a script on our server pre-loaded with a query string designed to perform an action that would be favorable to the attacker. As it was then executed by anyone who viewed the thread with the payload, it executed the script from their login details, affecting a large number of users - who were of course unaware of anything except a broken image in someone's post.

As I said in the OP, I'm well aware that the bulk of the cause of this attack is the vulnerability in the script that was used, but would like to block non-image extensions being allowed for the img tag as well, if this is possible.
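The attack Sordell Media describes is cross-site request forgery through an image request, not XSS: the script runs on the forum's own server, and what the [img] tag does is make every viewer's browser send it a GET with that viewer's session cookie. The block below is an added example, not code from SMF or from anyone in this thread, showing a state-changing script that is vulnerable to exactly that and the same script hardened so that an image request cannot trigger it. The host, script name, session values and in-memory credit balances are all constructed for illustration.

```python
"""Added example (not SMF code): the [img]-driven CSRF described in the post
above, and the endpoint-side fix. A forum post embeds
[img]https://forum.example/transfer.php?to=mallory&amount=100[/img]; every
viewer's browser fetches that URL as an image, with the viewer's own session
cookie attached, so the script acts as the viewer. All hosts, script names,
session values and the in-memory state below are constructed for illustration.
"""
import hashlib
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

SECRET = b"constructed-server-secret"      # hypothetical key for CSRF tokens
SESSIONS = {"sess-alice": "alice"}         # session cookie value -> logged-in user
PAYLOAD = "https://forum.example/transfer.php?to=mallory&amount=100"  # constructed


def fresh_state():
    """Constructed server-side state the attacker wants to change."""
    return {"credits": {"alice": 100, "mallory": 0}}


def current_user(cookie_header):
    """Resolve the viewer from the Cookie header the browser attached."""
    morsel = SimpleCookie(cookie_header or "").get("sess")
    return SESSIONS.get(morsel.value) if morsel else None


def csrf_token(session_cookie):
    """Per-session token that the legitimate action form embeds as a hidden field."""
    return hmac.new(SECRET, session_cookie.encode(), hashlib.sha256).hexdigest()


def apply_transfer(state, user, to, amount):
    """The privileged action itself; shared by both handlers."""
    credits = state["credits"]
    credits[user] -= amount
    credits[to] = credits.get(to, 0) + amount


def vulnerable_transfer(state, method, url, cookie_header, form=None):
    """Acts on a plain GET and trusts the session cookie alone: exactly what an
    <img> request supplies, so any logged-in viewer of the post triggers it."""
    user = current_user(cookie_header)
    if user is None:
        return 401
    q = parse_qs(urlparse(url).query)
    apply_transfer(state, user, q["to"][0], int(q["amount"][0]))
    return 200


def hardened_transfer(state, method, url, cookie_header, form=None):
    """Same action, accepted only as a POST carrying a token bound to the session.

    An image request is always a GET with no body, so it cannot satisfy either
    check. SameSite cookies would not have helped here: the post carrying the
    tag lives on the same site as the script it targets, so the browser sends
    the cookie regardless.
    """
    if method != "POST":
        return 405
    user = current_user(cookie_header)
    if user is None:
        return 401
    expected = csrf_token(SimpleCookie(cookie_header)["sess"].value)
    supplied = (form or {}).get("csrf", "")
    if not hmac.compare_digest(supplied, expected):
        return 403
    apply_transfer(state, user, form["to"], int(form["amount"]))
    return 200


def render_img_tag(handler, state, src, viewer_cookie):
    """What a browser does for [img]src[/img]: an unconditional GET with the
    viewer's cookies for that host. The viewer only ever sees a broken image."""
    return handler(state, "GET", src, viewer_cookie)


if __name__ == "__main__":
    for handler in (vulnerable_transfer, hardened_transfer):
        state = fresh_state()
        status = render_img_tag(handler, state, PAYLOAD, "sess=sess-alice")
        print(f"{handler.__name__}: HTTP {status}, credits now {state['credits']}")
```

Against the vulnerable handler the image request returns 200 and moves the viewer's credits; against the hardened one it returns 405 and changes nothing, while a real form submission carrying the session's token still succeeds. The fix belongs in the script being abused, which is why filtering [img] URLs on the forum side is at best a secondary control.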

Brettflan

Was it something like this?
http://forums.taleworlds.com/index.php/topic,142387.0.html

If so, the only way to really prevent those attempts is to completely disable images from being posted unless you have a way to limit them to images hosted on your server. There's no good way for the forum to know whether it's really an image or not. It's your browser that requests the "image" from the remote server, which then responds with an "authentication required" header resulting in your browser asking you for login info. The password request popup should clearly state what server is originating the request in all modern browsers. Many less technical users might not understand that fact though, so it's definitely a good idea to keep your forum users informed about such things.

EDIT: I should add that having it check for a PHP extension on the image link wouldn't be that effective either. There are many simple ways to set up a PHP script with a URL which reads whatever you want it to read; for example, "http://server.com/hmm/image.jpg" could in fact easily be a PHP script with no way for you to tell. That's the beauty of server-side languages.
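To make Brettflan's two points concrete, here is an added example (not SMF code and not from anyone in this thread) that runs three different [img] URL checks over the cases discussed above: the extension check Sordell Media asked for, a substring match on the forum's hostname, and a policy that only accepts parsed URLs on the forum's own host under a static-file prefix. The host names, directory prefixes and URLs are constructed for illustration; "server.com/hmm/image.jpg" is Brettflan's own example of a script that looks like an image.

```python
"""Added example (not SMF code): three ways to judge an [img] URL, applied to
the cases from this thread. The extension check that was asked for looks only
at the end of the path, which the remote server controls completely; a policy
keyed on the parsed host and a static-file prefix of your own server is the
only thing the forum can evaluate without trusting the remote server. Hosts,
paths and URLs below are constructed for illustration.
"""
from urllib.parse import urlparse

IMAGE_EXTENSIONS = (".gif", ".jpg", ".jpeg", ".png")

# Hypothetical deployment: only these prefixes on our host serve plain files.
OWN_HOST = "forum.example"
STATIC_PREFIXES = ("/uploads/", "/avatars/")


def extension_check(url):
    """The fix requested in the thread: accept only image-looking suffixes."""
    return urlparse(url).path.lower().endswith(IMAGE_EXTENSIONS)


def substring_check(url):
    """A common shortcut: is our hostname somewhere in the URL string?"""
    return OWN_HOST in url


def static_image_policy(url):
    """Accept only http(s) URLs on our own host, under a static-file prefix,
    with an image suffix and no query string.

    The hostname comes from the parser, so userinfo spoofs (ours@theirs) fail;
    the query string is refused because a static file never needs one and it
    is how the attack in this thread carried its action; '..' segments are
    refused so the path cannot escape the prefix after normalisation.
    """
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False
    if (p.hostname or "").lower() != OWN_HOST:
        return False
    if p.query or ".." in p.path.split("/"):
        return False
    return p.path.startswith(STATIC_PREFIXES) and p.path.lower().endswith(IMAGE_EXTENSIONS)


def evaluate(url):
    """Run all three checks so the cases can be compared side by side."""
    return {
        "extension": extension_check(url),
        "substring": substring_check(url),
        "policy": static_image_policy(url),
    }


# Constructed cases; the label says what each one is meant to show.
CASES = {
    "genuine avatar":        "https://forum.example/avatars/alice.png",
    "thread's CSRF payload": "https://forum.example/transfer.php?to=mallory&amount=100",
    "script dressed as jpg": "http://server.com/hmm/image.jpg",       # Brettflan's example
    "userinfo spoof":        "http://forum.example@server.com/avatars/x.png",
    "rewritten script here": "https://forum.example/tools/rotate.gif",  # script behind a rewrite rule
    "prefix escape":         "https://forum.example/uploads/../tools/rotate.gif",
}

if __name__ == "__main__":
    for label, url in CASES.items():
        print(f"{label:22} {evaluate(url)}")
```

The extension check accepts every disguised case, including the userinfo spoof and a script that a rewrite rule serves at a .gif path on the forum's own host; the substring check additionally lets through the thread's own CSRF payload. Only the host-and-prefix policy rejects all of them while still accepting a genuine avatar, and because it never lets a request reach a remote host it also removes the "authentication required" popup trick. Fetching the URL and sniffing the response would not improve on this: the remote server chooses its response per request and can serve an image to your checker and something else to your users. Oya's point still applies, though: if your attachments and avatars are served through a script rather than from a static directory, that route needs its own allowlist entry or the policy blocks your own images.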
