A LIST Apart: For People Who Make Websites

No. 185

Discuss: Smarter Image Hotlinking Prevention


21 Addressing some issues...

Hello. I’m the guy who wrote this article.

Caching: you’re right, that’s a small issue – if someone 1) visits an offsite page and their browser, or a webcache, caches the HTML file as the picture and 2) they then visit your own site and their cache fails to check for an updated version, then the picture will still fail.

Try adding the headers described in http://php.weblogs.com/stories/storyReader$550 to the script.

Security: PHP is treating $pic as a string, similar to a “What’s your name?” script that echoes it on the following page – it doesn’t even touch the file on the server. I don’t see how this is a security issue.

register_globals: if register_globals is off, er, yes, this won’t work. That’s true. In all honesty, I didn’t consider it; I’ve never yet encountered a commercial host who’s turned off register_globals, and I must be getting a little sloppy with my code. Apologies.

posted at 05:48 pm on July 13, 2004 by Thomas Scott

22 PHP code problems...

This PHP code has some problems. It works only if register_globals and short_tag are turned on.
[div class=“codeblock”]
—- showpic.php.orig    2004/span>0714 08:54:49.000000000 /span>0300
++ 
showpic.php 2004/span>0714 08:57:29.000000000 /span>0300
 /span>1,12 
1,12 
 
<?php
   header
(“Content-type: text/html”);
  if ( isset(
$pic) ) {
  if ( isset($_GET[‘pic’]) ) {
 ?>
 
<!DOCTYPE HTML PUBLIC //W3C//DTD HTML 4.01//EN”
   “http://www.w3.org/TR/html4/strict.dtd”
>
 <
html>
 <
head>
<
title><?$pic ?></title>
<
title><?php echo $_GET[‘pic’]?></title>
 <
meta
   http
/span>equiv=“Content-Type”
   
content=“text/html; charset=iso-8859-1”
 
14,/span>14,
 </
head>
 <
body>
 <
p>
-  <
img src=“/<?= $pic ?>” alt=“Image”>
  <
img src=“http://www.yourwebsite.com/<?php $_GET[‘pic’]; ?>” alt=“Image”>
 </
p>
 <
p>
   
Image from 

[/div]
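Review bot: the replacement img line, `<img src="http://www.yourwebsite.com/<?php $_GET['pic']; ?>" alt="Image">`, drops the echo that the removed `<?= $pic ?>` form provided, so the PHP block evaluates the expression and prints nothing: the src attribute is emitted with only the hard-coded prefix and the image never loads. Use `<?php echo $_GET['pic']; ?>` here, as the replacement title line already does. Both output sites also write the raw query-string value straight into the page; wrap them in htmlspecialchars() with ENT_QUOTES (the second one sits inside a double-quoted attribute, where a stray quote is enough to break out), otherwise a crafted pic value injects markup, which is the problem raised in comment 25 below. Finally, the hard-coded absolute prefix replaces the relative "/" of the original; that works but ties the script to one hostname.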

Hope this helps.

posted at 11:58 pm on July 13, 2004 by amd

23 Nice technique

Thank you Thomas for writing this article and presenting a novel technique to a common problem. I especially liked how you handled different linking situations.

posted at 12:01 am on July 14, 2004 by Andrew

24 why php?

Why are you suggesting using PHP? I don't get it. Traditionally this is achieved purely through .htaccess, thus:

RewriteEngine on
# Let through requests that carry no referrer at all (direct visits, privacy proxies)
RewriteCond %{HTTP_REFERER} !^$
# Let through requests from our own site and from one other permitted domain
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?otheralloweddomain\.com(/|$) [NC]
# Never redirect the replacement image itself, or the rule redirects in a loop
RewriteCond %{REQUEST_URI} !/nasty\.gif$
RewriteRule \.(gif|jpg)$ http://www.mydomain.com/nasty.gif [R,L]

works for me.

posted at 03:29 am on July 14, 2004 by jim

25 XSS?

Well, there is a tiny issue with this code IMHO. It echoes the $pic variable without checking what’s actually in the variable. So it’s wide open for any kind of Cross Site Scripting (XSS) attack. I can output any HTML and JavaScript code I want on your website, e.g. by calling /showpic.php?pic=”><h1><blink>XSS<”

In this particular case it’s not a big security hole, but if the script were part of a larger website (maybe even with session/cookie based authentication like “Gallery”) someone could hijack accounts by providing a carefully prepared link to other users. Check http://www.cgisecurity.com/articles/xss-faq.shtml for details.

At least call strip_tags($pic) or htmlentities($pic) before outputting the string. Just never trust user data.

posted at 03:47 am on July 14, 2004 by Sascha

26 Further responses

Jim – did you even read the article before replying? That question’s answered in the first couple of sections!

Sascha – hmm, okay, I see what you mean – combined with the JavaScript cookie-stealing trick, that could be an issue. In that case, I agree with you that strip_tags() might need to be called.

posted at 03:58 am on July 14, 2004 by Thomas Scott

27 bad php, and a concern about http-referer

Many have already pointed out that the PHP could be better. OK, it’s not the main focus of this article, but yes: use $_GET, do some sanity checking and, if necessary, strip and replace characters to make user data safe. I’d also add not using short open tags and the <?= shorthand, as again this will not work on some server configurations.

Another point that may be worth mentioning is that some software firewalls, like Norton Internet Security, routinely strip out HTTP-Referer information from any web traffic going through, so expect some users who have this type of software installed to experience slight difficulties.

posted at 04:08 am on July 14, 2004 by patrick h. lauke
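Pulling together the points from comments 21, 25 and 27 (cache headers, output escaping, $_GET and no short open tags), here is a hardened version of the HTML-wrapper script. It is an added example written for this discussion, not Thomas Scott’s showpic.php, and it assumes the pictures live under /images/ on the same host and that www.example.com stands in for the site’s own domain; the helper names validate_pic(), esc() and wrapper_page() are this example’s own. Rather than trying to clean the pic value with strip_tags(), which leaves quotes intact and so still lets a value break out of the src attribute, it refuses anything that is not a plain image file name and then escapes every use with htmlspecialchars(ENT_QUOTES) for the context it lands in.

```php
<?php
// Added example for this discussion; not the article's own showpic.php.
// Assumptions: pictures live under /images/ on this host, and
// www.example.com stands in for the site's own domain.
declare(strict_types=1);

const SITE_URL   = 'http://www.example.com';   // assumed: your own site
const IMAGE_PATH = '/images/';                 // assumed: where the pictures live

// Accept only a plain image file name: letters, digits, "_" and "-", then an
// image extension. No "/", "..", quotes or angle brackets can get through, so
// the value is safe as a URL path segment and, once escaped, in HTML.
// Returns null when the value must be refused (a rejected request, not a
// "cleaned" one, is what stops the XSS payload from comment 25).
function validate_pic(string $pic): ?string
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.(?:gif|jpe?g|png)\z/i', $pic) === 1
        ? $pic
        : null;
}

// Escape for HTML text and attribute contexts. ENT_QUOTES matters: the name
// is placed inside a double-quoted src attribute, and strip_tags() would leave
// a closing quote in the value.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML401, 'ISO-8859-1');
}

// Build the wrapper page shown to a hotlinked request: the picture plus a link
// back to the site. Kept as a function so it can be reviewed on its own.
function wrapper_page(string $pic): string
{
    $safe = esc($pic);
    return "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" "
         . "\"http://www.w3.org/TR/html4/strict.dtd\">\n"
         . "<html><head>\n"
         . "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\">\n"
         . "<title>{$safe}</title></head><body>\n"
         . "<p><img src=\"" . IMAGE_PATH . "{$safe}\" alt=\"Image\"></p>\n"
         . "<p>Image from <a href=\"" . SITE_URL . "/\">" . SITE_URL . "</a></p>\n"
         . "</body></html>\n";
}

if (PHP_SAPI !== 'cli') {
    // Read the parameter explicitly; never rely on register_globals.
    // ?pic[]=x would arrive as an array, so check the type before validating.
    $raw = $_GET['pic'] ?? '';
    $pic = is_string($raw) ? validate_pic($raw) : null;
    if ($pic === null) {
        http_response_code(400);
        header('Content-Type: text/plain');
        exit("Bad image name.\n");
    }

    // Tell browsers and proxies not to keep this HTML in place of the picture
    // (the caching problem from comment 21).
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');

    header('Content-Type: text/html; charset=iso-8859-1');
    echo wrapper_page($pic);
}
```

Requested as /showpic.php?pic=”><h1><blink>XSS<” this now answers 400 instead of echoing the payload, and /showpic.php?pic=photo.jpg produces the wrapper page with the name escaped in both the title and the src attribute. Referrer checking is left to the rewrite rules in front of the script, as in the thread; a request that arrives with no referrer at all still reaches the picture directly, the behaviour comment 29 describes.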

28 A nice idea.

I think this could be a pretty effective way to deal with hotlinking, with a little tweaking. For some reason, though, using Opera, I didn’t get the image on the third page. Referrer logging is enabled.

posted at 04:27 am on July 14, 2004 by ILoveJackDaniels

29 Referrers

Patrick: if the referrer information’s stripped, then it allows the image by default – although if your referrer information is being stripped, then you’re probably going to have more problems than this, particularly if you’re trying to download files from some web sites that require on-site links.

ILJD: I’m using the latest version of Opera, and I see the image without a problem – it’s possible it’s a cache issue, which may be fixed by the updated version of the script I just uploaded.

posted at 05:09 am on July 14, 2004 by Thomas Scott

30 referrers

“if the referrer information’s stripped, then it allows the image by default”

fair enough

“- although if your referrer information is being stripped, then you’re probably going to have more problems than this, particularly if you’re trying to download files from some web sites that require on-site links.”

That was my original point, in a roundabout way (although, as noted above, it doesn’t affect this solution, granted): don’t rely on HTTP-Referer, as there might be very legitimate situations in which it comes back empty.

posted at 06:29 am on July 14, 2004 by patrick h. lauke


Discussion Closed

New comments are not being accepted, but you are welcome to explore what people said before we closed the door.
