[SMF 2.0.11] Anti-CSRF fix against [img]index.php?action=EVIL[/img] is useless.

Started by qc, May 06, 2016, 10:04:17 PM

Previous topic - Next topic

qc

I stumbled over this fix in Subs-Post.php
// Now fix possible security problems with images loading links automatically...
$message = preg_replace_callback('~(\[img.*?\])(.+?)\[/img\]~is', 'action_fix__preg_callback', $message);
which prevents bogus [img]/index.php?action=DANGEROUS[/img] images which cause the user's browser to perform the DANGEROUS action from being included and shown to the user reading said post.

The fix replaces "action=" with "action-" and was probably included because of this advisory: http://websec.ca/advisories/view/SMF_CSRF_Filter_Bypass

However, it has always been and is still possible to include images with such an "action"-URL by simply pointing to an HTTP-redirect, e.g. [img]http://bit.ly/blabla[/img] with http://bit.ly/blabla redirecting to /index.php?action=DANGEROUS

In summary: this fix never worked, and should therefore be removed. The underlying problem that this fix was addressing should be fixed directly by e.g. introducing CSRF protection tokens where they are still missing (e.g. search).
Playing quizduell? Having quizduell questions? Our german quizduell forum quizcommunity.de is looking for quiz freaks to come and play quizduell with us :)

qc

Playing quizduell? Having quizduell questions? Our german quizduell forum quizcommunity.de is looking for quiz freaks to come and play quizduell with us :)

Advertisement: