Yet another Microsoft security hole


By Sandy - Posted on 25 October 2005

Many people visit online forums and bulletin boards, looking for information on computers, baseball, real estate, music, and other topics. Registered members are often allowed to upload "avatars", thumbnail images used to enhance text or provide a laugh.

Sven Vetsch has recently discovered a bug in the way Internet Explorer displays images: any "image" uploaded by an untrusted user can trigger it and execute arbitrary code in the browser, including revealing your password to a third party. This XSS (Cross-Site Scripting) exploit also applies to product images on auction sites (eBay, are you listening?).

When a browser tries to render embedded content files (.gif, .jpg, .wav, etc.) that are corrupted, the visitor typically sees a red X or another symbol indicating that the file cannot be displayed. Accessing the file directly rather than through a web page, as in http://www.example.com/image.gif, produces the same result, except in IE 6.0, which tries to display the contents of the file as HTML.

Consider the following text file, named with a .gif extension:

<GIF89a 8 f >
<html>
<head>
<script>
alert("XSS");
</script>
</head>
<body>
</body>
</html>

The browser accepts this as an image because it is named as one and because it begins with the proper header bytes. Accessed directly, it still shows the red X or other symbol: it has a .gif header and extension but is clearly not a valid image. If the file is renamed with a .jpg extension, however, IE 6.0 does not understand the header and runs the embedded code instead, which here pops up an alert box. It could just as well read a cookie or do other things.

All the "bad guy" has to do is lure you into clicking a link that opens the fake image directly.

If you don't understand the stealth technology involved, just know that this is a very serious security hole. Until Microsoft issues a patch, users are advised to use Firefox or Netscape, at least when visiting any site where they might encounter user-uploaded "images".
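As an added example (not part of Sandy's post), this is the server-side check a forum that accepts avatar uploads can apply against the trick described above: reject a file whose header bytes do not match its extension or whose body carries HTML markup, and serve stored images with an explicit Content-Type plus the X-Content-Type-Options: nosniff header (honoured by IE 8 and later, so it does not rescue IE 6 users, who still need the advice above). The file names, the FAKE_GIF sample modelled on the text file above, and the 1x1 GIF are constructed for this example.

```python
import re

# Magic bytes each allowed extension must begin with (example values).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
CONTENT_TYPE = {"gif": "image/gif", "jpg": "image/jpeg",
                "jpeg": "image/jpeg", "png": "image/png"}

# Markup that has no place inside an image; searched over the raw bytes so a
# valid-looking GIF header followed by HTML is still caught.
HTML_MARKERS = re.compile(
    rb"<\s*(html|head|body|script|iframe|object|embed|meta)\b|javascript:",
    re.IGNORECASE,
)

def check_avatar(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded avatar: the extension must be
    an allowed image type, the header must match that type, and the body must
    contain no HTML markup. Re-encoding with an image library is stricter still."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, f"extension .{ext or '?'} not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, f"header does not match .{ext}"
    if HTML_MARKERS.search(data):
        return False, "image body contains HTML markup"
    return True, "ok"

def response_headers(ext: str) -> dict:
    """Headers for serving a stored avatar: declare the type explicitly and tell
    the browser (IE 8+) not to sniff the body for a different one."""
    return {"Content-Type": CONTENT_TYPE[ext], "X-Content-Type-Options": "nosniff"}

# Constructed sample modelled on the post's text file: GIF header, then HTML.
FAKE_GIF = (b"GIF89a\n<html>\n<head>\n<script>\nalert(\"XSS\");\n</script>\n"
            b"</head>\n<body>\n</body>\n</html>\n")
# Constructed sample: a genuine 1x1 transparent GIF.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
            b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

if __name__ == "__main__":
    for name, blob in (("a.gif", FAKE_GIF), ("a.jpg", FAKE_GIF), ("a.gif", REAL_GIF)):
        print(name, check_avatar(name, blob))
    print(response_headers("gif"))
```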
